- 2016-10-25 #locky email phishing campaign "File, Picture, Scan Data NNN"
- Email sample:
- ---------------------------------------------------------------------------------------------------------------
- From: JACKLYN L <jacklynl226@gmail.com>
- To: [REDACTED]
- Date: Tue, 25 Oct 2016 19:25:15 +0530
- Subject: IMG 1
- Attachment: IMG 1.zip
- ---------------------------------------------------------------------------------------------------------------
- - sender varies between emails, but the domain is always @gmail.com
- - email body is empty
- - subject is "<Pic|Blank|Picture|Document|Scan Data|IMG|File|Image> <number>"
- - attachment name is <same as subject>.zip; it contains <same as subject>.js, a JScript downloader
- Download sites (actual URLs have suffix ?<random>=<random> which does not influence the download):
- Malware
- - encoded on download, SHA256 12d3077c923bc12aff8c2f3d04f96db427d841b185fa84a0a151d882cb3f08f8, file size 278528 bytes
- - decoded SHA256 5948ceff8012d80f9b2dcef7316aa94d3a171d309c78e6b021b6af6928f16a0d
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty" (the decoded payload is a DLL; rundll32 calls its "qwerty" export)
- - samples
- https://www.reverse.it/sample/8f9e425c31e3227b0a7ddd2cdf0bb79ba503eebce76d972be8d5feedad4cf16a?environmentId=100
- https://www.reverse.it/sample/4485e022714503f0c8e88fb6265dd32597c7acdedff614c63243ddc33a2bbf80?environmentId=100
- https://www.reverse.it/sample/1d45cbeea0024291526b5f992de3d56f98654cc6e5e3fa13701fa36d4eb47a6b?environmentId=100
- https://malwr.com/analysis/ZmRlZjVkNDQ2YWU1NGQ2YTk0MjU1ZTljNWY3MjU5YWE/
- C2:
- 77.123.137.221:80 POST /linuxsucks.php
- 91.200.14.124:80 POST /linuxsucks.php
- 185.127.27.100:80 POST /linuxsucks.php
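Added example, not part of the original paste: a small Python triage helper that turns the email traits and the C2 pattern noted above into detection checks. The email fields, the attachment listing and the proxy log lines are constructed sample input, not captures.

```python
import re

# Subject pattern from the note: "<Pic|Blank|Picture|Document|Scan Data|IMG|File|Image> <number>".
SUBJECT_RE = re.compile(
    r"^(Pic|Blank|Picture|Document|Scan Data|IMG|File|Image) \d+$"
)

# C2 pattern from the note: POST /linuxsucks.php to one of the three listed hosts.
C2_RE = re.compile(
    r"\b(77\.123\.137\.221|91\.200\.14\.124|185\.127\.27\.100)\b.*\bPOST\b.*/linuxsucks\.php"
)


def email_matches_campaign(sender, subject, body, attachments):
    """Return True when an email shows every trait listed in the note:
    gmail.com sender, empty body, '<word> <number>' subject, and exactly one
    '<subject>.zip' attachment whose listing contains '<subject>.js'.
    `attachments` is a list of (zip_name, [member names]) tuples."""
    if not sender.lower().endswith("@gmail.com"):
        return False
    if body.strip():
        return False
    if not SUBJECT_RE.match(subject):
        return False
    if len(attachments) != 1:
        return False
    zip_name, members = attachments[0]
    return zip_name == subject + ".zip" and (subject + ".js") in members


def c2_hits(log_lines):
    """Return the proxy log lines that show a POST to /linuxsucks.php on a listed C2 host."""
    return [line for line in log_lines if C2_RE.search(line)]


# Constructed proxy log lines (hypothetical format: time, client -> server:port, method, path, status).
SAMPLE_LOG = [
    "2016-10-25 14:01:02 10.0.0.5 -> 91.200.14.124:80 POST /linuxsucks.php 200",
    "2016-10-25 14:01:03 10.0.0.5 -> 93.184.216.34:80 GET /index.html 200",
    "2016-10-25 14:01:09 10.0.0.7 -> 185.127.27.100:80 POST /linuxsucks.php 200",
]

if __name__ == "__main__":
    # Constructed email modelled on the sample in the note.
    print(email_matches_campaign("jacklynl226@gmail.com", "IMG 1", "", [("IMG 1.zip", ["IMG 1.js"])]))
    for hit in c2_hits(SAMPLE_LOG):
        print("C2 hit:", hit)
```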