SHARE
TWEET

2016-12-05 Locky "Please Consider This"

Racco42 Dec 5th, 2016 (edited) 163 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-05 #locky email phishing campaign "Please Consider This"
  2.  
  3. Email sample:
  4. --------------------------------------------------------------------------------------------------------------------
  5. From: "Terry Martin" <Martin.Terry@cacuocdoden.com>
  6. To: [REDACTED]
  7. Subject: Please Consider This
  8. Date: Mon, 05 Dec 2016 17:12:33 +0530
  9.  
  10. Dear [REDACTED],
  11.  
  12. Our accountants have noticed a mistake in the payment bill #DEC-1310239.
  13. The full information regarding the mistake, and further recommendations are in the attached document.
  14.  
  15. Please confirm the amount and let us know if you have any questions.
  16.  
  17. Attachment: bill1310239.zip -> -W16BV8R9A6.js
  18. --------------------------------------------------------------------------------------------------------------------
  19. - sender address varies between emails
  20. - subject is "Please Consider This"
  21. - attached file "bill<7 digits>.zip" contains file "-<7-10 uppercase chars and digits>.js" a JScript downloader
  22.  
  23. Download sites:
  24. http://carrier-spb.ru/kyzmd
  25. http://neufweb.fr/zubnaox
  26. http://nickcatricala.com/zyqgn
  27. http://odmalicka.info/rmq9m8abj
  28. http://optistar.es/5vud8u5i2v
  29. http://ornline.com/tsbnyk
  30. http://orthanna.com/mtkvlp
  31. http://osawa.be/ji6vl8p
  32. http://oyunbee.com/yygcieumw8
  33. http://par-nikiti.com/rmqpeuzd
  34. http://petra-roebig.de/hqv4kz
  35. http://pierer.ch/z35pgbsw
  36. http://piotrprzewozy.pl/fjvktow
  37. http://pivno.com/zcyvylh1
  38. http://playtres.com.ar/rpqbbg3
  39. http://plusideaad.com/wrkd9ye5d
  40. http://porschewijzer.nl/zvbsgr
  41. http://portside.no/uddurk
  42. http://ppapmoozamiz.com/ti3yrigg
  43. http://psycoaching.fr/wtadfi
  44. http://quadrat.cz/uuq9svzcfq
  45. http://raregemsgroup.com/yc2bn4zba
  46. http://reiseagentur-klein.de/1j1njd
  47. http://rejtjel.hu/ya83t3xq
  48. http://rhyzrin.com/zop7ie3nq
  49. http://rollerhero.com/wdopv7q3
  50. http://sigmach.com/6dedsiwwe
  51. http://skillscollege.com.au/l3y1v7g
  52. http://skolickasovicka.cz/8af8dj
  53. http://smarttrain.edu.vn/5iim4uhd
  54. http://sobory.ru/n2k6gepo
  55. http://solubiz.com/mqupga
  56. http://sondenecker.fr/cbjbxnfj
  57. http://sosearch.co.uk/abfxu
  58. http://speelhuis.net/fqn3zxh
  59. http://speelhuis.net/ikmmh
  60. http://ste4you.at/leilmdz
  61. http://studionero.com/4rjs9e1wkq
  62. http://sunrise-painting.ca/ghrbjmf
  63. http://taddboxers.com/ittjnrcts
  64. http://tayangfood.com/q6doax
  65. http://tech2o.fr/jaumggko1
  66. http://tekyong.com/cmqoqqro22
  67. http://tellussys.com/l1bgzaw9o
  68. http://terfer.es/cqdbg
  69. http://test.joaopluis.pt/sfj1lqylpg
  70. http://theosis.ro/le4lh2di
  71. http://thephilanthropist.com/gg5ew3
  72. http://thethanhpc.com/qhnehjydvp
  73. http://thipkuakul.co.th/1dmchru
  74. http://toledo.pro/in6azd2tf6
  75. http://topura.com/8zrvktdqdk
  76. http://travelinsider.com.au/3db5e
  77. http://trendoor.com/lmwop0j
  78. http://tscase.net/c2df527
  79. http://uraltrak.hu/8cbbfw9g
  80. http://usbgiahung.com/bfjllh9r
  81. http://ventrust.ro/5egp5rgwdo
  82. http://vesti73.ru/33uxyw
  83. http://vishwasgroupindia.com/a0ytq
  84.  
  85. Malware:
  86. - encoded on download
  87. b78f13db5abae4c5e424c4446d80a3236a446d665940b5c42132562134407870  http___carrier-spb.ru_kyzmd
  88. 4b1249d56788f11308df704334e1858ff44682f9d45dee15cbe4d2ec031d7d97  http___neufweb.fr_zubnaox
  89. 859b644cef82e3008e1dfc94f96c22e56e9870dd60572d34a4b6f301fbafa86a  http___nickcatricala.com_zyqgn
  90. 479679c6c4cc0756de6a4a9abdcb500a9a12998090cc067537804b253714f5c4  http___orthanna.com_mtkvlp
  91. e150b98608ee480a28b1c3736539463103a9b240c200751537a27cc838fa52a6  http___osawa.be_ji6vl8p
  92. 597c3900d6ff6251ec19f32c1742881b89fd003307ec17e247043ca17cc76d1f  http___oyunbee.com_yygcieumw8
  93. 6c63612fa96aec99729e5a114d18a72c5dea57ba69716b8511a95909634644b6  http___par-nikiti.com_rmqpeuzd
  94. 8d5c267770c7a58e384556bdd77b3afd602c41022b6254765df1bae31677c341  http___petra-roebig.de_hqv4kz
  95. 1863237cee653f214fbbb7c44852b2acdfdc4f89acdd579ac5591ef77d719374  http___pierer.ch_z35pgbsw
  96. 56b5e834f9e5eb4c2fda2ecfd019d137a95f0564851b1b6ce05183311fc4c084  http___piotrprzewozy.pl_fjvktow
  97. d7286ac758fb346781aa2157bbc17c07e1b51fcc6b7afbc4a416cc9759dd3ebd  http___pivno.com_zcyvylh1
  98. 56b4b2398343e65b342a73b2c4597140b56142694ae0b333a94dc1ac4a12ea33  http___playtres.com.ar_rpqbbg3
  99. c1b0658737cbe8e38034e2b44b817f0d0deefbcc1445691c05f6f419a8d5f33f  http___plusideaad.com_wrkd9ye5d
  100. 251d9920865316a5e823aa2a28fd8c6d03dfde710f7b9cfc5db6793517d32204  http___porschewijzer.nl_zvbsgr
  101. f732a5c5a3a481009a770fb9384c5d22c836ccf78ab0c9803afa37c125362924  http___portside.no_uddurk
  102. 6e37223ca4044364b7a0731ea9afac780b52101f83eef840c97286ee4f699e24  http___ppapmoozamiz.com_ti3yrigg
  103. aecd98f59985934226b96a7e33383da9f033777d624c964d2b9c7fb851933112  http___psycoaching.fr_wtadfi
  104. 5f7b9ca01f0fa8ac295748077d44c8e1af024316fe02bc3583c10c30783f2fb5  http___quadrat.cz_uuq9svzcfq
  105. 0197df95357d481cdf2909b428c6a5d518587a331d02c6389223203abb9e12da  http___raregemsgroup.com_yc2bn4zba
  106. c2b89468b54cd43c77a2f77a01d272cfa02d5509dee20c873c33689992061000  http___reiseagentur-klein.de_1j1njd
  107. 240d8133993371b157e7eebf09bd672cdb6ee2e34ee37ec208325ae30523396e  http___rejtjel.hu_ya83t3xq
  108. c6aa3c2caab7038dfd7a25cf36189d7008994496525eb9c5505bddbca3030faf  http___rollerhero.com_wdopv7q3 [1]
  109. f1723e88d456d398253b7c86238cc149d2b795d7d5fe3bec8c18e21eb73142b7  http___sigmach.com_6dedsiwwe
  110. 5e31d2a8b590154ee51ae357eec28f254d0be0d31ba7d9cf856fd71760daf588  http___skillscollege.com.au_l3y1v7g
  111. a7778273168957d0ee5ca64a4a29b75b202ec6d96c2b7364ea05d10479c06ca4  http___skolickasovicka.cz_8af8dj
  112. 928d87bad9ff2b985318f6bef8adcde4b706d868535de965e5a674aa0191c7d3  http___sobory.ru_n2k6gepo
  113. 905eeabf51e8a9765eea8ae95fd37284725c464c25e49239539b3445c7a6cdce  http___solubiz.com_mqupga
  114. 6c67e64350ef44addcc42aa6925ee5bab0a5adecf4763d169fffec74276b0379  http___sondenecker.fr_cbjbxnfj
  115. 896bb4fb1f6393f06852b7eb85b11f69b4f80a884e6cb435f019435dcb09de9d  http___sosearch.co.uk_abfxu
  116. d0f3d88f05b9617709376b3d46bf0cb13f5ec06f8a804f0b6e719f3124d08c92  http___speelhuis.net_fqn3zxh
  117. 0d70d4206be490809fbb69d4880683118ee3c41ae5501b23caa597dcc336db74  http___speelhuis.net_ikmmh [2]
  118. 8665b818dbe74fc5eedcf7948c4c8afaa9db925e4a5711c831f22b6df49610b2  http___ste4you.at_leilmdz
  119. abe795f0c5ec38dd971d03a356286e0ec27662720bcd99b7643ab860f4bcf2ad  http___studionero.com_4rjs9e1wkq
  120. bb2909ee46064a7a05d6069b621b32f0c2e65de3d7483d376c2c900202f0d7a6  http___sunrise-painting.ca_ghrbjmf
  121. 1886fa94515910179d4ae6b4ffc2846ac4e9c93dff41ddf3ed35433ee6acfaa2  http___taddboxers.com_ittjnrcts
  122. cf4324b0ca151acbd41746c34ee472bfde34177019ab2e67901f7a05e2ab0662  http___tayangfood.com_q6doax
  123. 68ae60d1e81c79943839ff468da0a5bce595197a9a8f55c7ee096f06603b7c43  http___tech2o.fr_jaumggko1
  124. 822dd2b0ab32ba952ab53f55c91b20cbcf542ac886472946f133b592ffaa6be0  http___tekyong.com_cmqoqqro22
  125. 1d8e9b99ace1ec9d6d0e6ffdaed661aa06266ba238017547c79a058956c3d0f4  http___tellussys.com_l1bgzaw9o
  126. 3adee5b54e4d4662cb0ab4348f9e8f6cce81525facf5c8bd12fd79b082841c30  http___terfer.es_cqdbg
  127. 10741fceeee8fee2651f64b183377885563799a2559c58b588e987be5cad2cb0  http___test.joaopluis.pt_sfj1lqylpg
  128. 24c014f7ee897b20f55620a20c2db57c3cecb3d1afffb5ab5f96c51adaf007e8  http___theosis.ro_le4lh2di
  129. d66862a81b8a01971e618755a79b9c16c9921cac4ea715f89a7c8ae81886aeb3  http___thephilanthropist.com_gg5ew3
  130. 99926845a764de7dd8f7d4e15da58818c493c521cc727f3b387e43351cc7f3ec  http___thethanhpc.com_qhnehjydvp
  131. d7eebd353eaa2b9fb9ade44aea50e171370cbf6122e5aea5cabae92161d076ef  http___thipkuakul.co.th_1dmchru
  132. b29c42ea4325df21bd97181d3519bdf3ca9cd0db042e115809eaf48e637d728c  http___topura.com_8zrvktdqdk
  133. f158995afe2c5768d327c86f0373a370f94e29db7bce6887df5bb2bda8b461c3  http___travelinsider.com.au_3db5e
  134. e71679613c46aa9cee3aa1d635174b583b819046dccc4b9ab8c107540b94c217  http___trendoor.com_lmwop0j
  135. 3be66c6ee0e089cde8ef467d9e99948a989ce13cadd02f9b3cffba2bc5adb44e  http___tscase.net_c2df527
  136. 1aaed92e3f94ca6b1777d2148ac7bbeca3185757a5da7fed5b598660e36f3fae  http___uraltrak.hu_8cbbfw9g
  137. 4e24084d74e52f1b89d1218423742977b9064d3c21a3bee05bbeca6795dd7337  http___usbgiahung.com_bfjllh9r
  138. ddc724a00d52c5fcff5df925ff512a03d6ff47f80079cdb657c043431fc0d0bc  http___vesti73.ru_33uxyw
  139. 66c7755412f6968446e32d72410e12f457a3adad087f5c505db4704dbdedc638  http___vishwasgroupindia.com_a0ytq
  140. - decoded
  141. 4e486c75e2738524732cb966582668a1862439a3b47f5a60727434ef6fa0ed0a [1]
  142. 473d1e97e53faf04b473e316827c16581a1288a5264b1506fc89bb49ba520769 [2]
  143. - executed by "rundll32.exe %TEMP%\<filename>.zk,iEdNvU2wnVOOwYPcED"
  144.  
  145. C2:
  146. POST http://185.146.168.13/checkupdate
  147. POST http://185.22.173.122/checkupdate
RAW Paste Data
Top