Racco42

2016-10-25 Locky "<Files> NNN"

Oct 25th, 2016
2016-10-25 #locky email phishing campaign "File, Picture, Scan Data NNN"

Email sample:
---------------------------------------------------------------------------------------------------------------
From: JACKLYN L <jacklynl226@gmail.com>
To: [REDACTED]
Date: Tue, 25 Oct 2016 19:25:15 +0530
Subject: IMG 1

Attachment: IMG 1.zip
---------------------------------------------------------------------------------------------------------------
- sender varies between emails, but the domain is always @gmail.com
- email body is empty
- subject is "<Pic|Blank|Picture|Document|Scan Data|IMG|File|Image> <number>"
- attachment name is <same as subject>.zip; it contains <same as subject>.js, a JScript downloader

Download sites (actual URLs have suffix ?<random>=<random> which does not influence the download):
http://a1channel.com/g76dbf
http://abplhomes.com/g76dbf
http://alyatater.com/g76dbf
http://baedalapp.com/g76dbf
http://bbe-umzuege.de/g76dbf
http://beaumontschool.com/g76dbf
http://bid21.com/g76dbf
http://blastspraypolish.com/g76dbf
http://capinvest.vn/g76dbf
http://counsellingwaikato.co.nz/g76dbf
http://dev.blazedream.in/g76dbf
http://direktori.indonesianindustry.com/g76dbf
http://dwimultimakmur.com/g76dbf
http://dziennikarze.lo-kolaczyce.pl/g76dbf
http://easytravelvault.com/g76dbf
http://elitednadt.com/g76dbf
http://emreker.com/g76dbf
http://faisal-ibrahim.info/g76dbf
http://fpi-canada.com/g76dbf
http://gellyrepin.com/g76dbf
http://georgesautoprestige.com/g76dbf
http://halomax.co.in/g76dbf
http://hdbrts.co.in/g76dbf
http://himytutor.com/g76dbf
http://idolcy.pe/g76dbf
http://jasbouquets.com/g76dbf
http://jeminwedskhushboo.com/g76dbf
http://karyemek.net/g76dbf
http://kendalpos.com/g76dbf
http://lamurindo.com/g76dbf
http://lilxtreme.com/g76dbf
http://lookbeauty.ir/g76dbf
http://mahendradesai.net/g76dbf
http://new.alternativebedrooms.co.uk/g76dbf
http://newdesign.well.pk/g76dbf
http://onestopvouchershop.com.au/g76dbf
http://panaceapeople.com/g76dbf
http://pragathicentralschool.com/g76dbf
http://privatestashstorage.com/g76dbf
http://promo.worldloft.ru/g76dbf
http://rajashekharkubasad.com/g76dbf
http://read4change.com/g76dbf
http://runmyaccounts.ch/g76dbf
http://sampletemplates.co.in/g76dbf
http://samuderaciptaraya.com/g76dbf
http://scorshia.com/g76dbf
http://senopati.co/g76dbf
http://soload.in/g76dbf
http://sport.cash/g76dbf
http://srcc.co.th/g76dbf
http://suaraumkm.com/g76dbf
http://sukhavatibali.com/g76dbf
http://tacunair.com/g76dbf
http://tciislandguide.com/g76dbf
http://tebdan.com/g76dbf
http://tvoje-zahrada.cz/g76dbf
http://uatsa.cl/g76dbf
http://unixenterprises.com/g76dbf
http://veterinary-surgeons.net/g76dbf
http://web.justproductions.co.uk/g76dbf
http://wivebeday.com/g76dbf
http://www.africanvacationtours.com/g76dbf
http://www.fireballindia.com/g76dbf
http://www.holdsworthbros.com/g76dbf
http://www.megasafaris.com/g76dbf
http://www.pb2bb2c.com/g76dbf
http://www.pharmaciela.com/g76dbf
http://www.phoenixtradelinks.com/g76dbf
http://www.pragathicentralschool.com/g76dbf
http://www.sibobe.com/g76dbf
http://www.villakeratea.it/g76dbf

Malware
- encoded on download, SHA256 12d3077c923bc12aff8c2f3d04f96db427d841b185fa84a0a151d882cb3f08f8, filesize 278528
- decoded SHA256 5948ceff8012d80f9b2dcef7316aa94d3a171d309c78e6b021b6af6928f16a0d
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
https://www.reverse.it/sample/8f9e425c31e3227b0a7ddd2cdf0bb79ba503eebce76d972be8d5feedad4cf16a?environmentId=100
https://www.reverse.it/sample/4485e022714503f0c8e88fb6265dd32597c7acdedff614c63243ddc33a2bbf80?environmentId=100
https://www.reverse.it/sample/1d45cbeea0024291526b5f992de3d56f98654cc6e5e3fa13701fa36d4eb47a6b?environmentId=100
https://malwr.com/analysis/ZmRlZjVkNDQ2YWU1NGQ2YTk0MjU1ZTljNWY3MjU5YWE/

C2:
77.123.137.221:80 POST /linuxsucks.php
91.200.14.124:80 POST /linuxsucks.php
185.127.27.100:80 POST /linuxsucks.php
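The indicators above (subject/attachment naming, the constant /g76dbf download path, the rundll32 "qwerty" export, the /linuxsucks.php C2 POSTs and the two SHA256 hashes) translate directly into detection rules. The following is an added example, not part of the paste: it encodes those indicators as Python matchers and runs them over constructed mail, proxy and process telemetry. The log record shapes and every sample value other than the indicators copied from the paste (the Temp path, the query string, the decoy URLs) are assumptions made for the demo.

```python
"""Match constructed telemetry against the Locky 2016-10-25 indicators listed in the paste."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# --- Indicators copied from the paste (Racco42, 2016-10-25) ---------------------------------
# Subject is "<Pic|Blank|Picture|Document|Scan Data|IMG|File|Image> <number>".
SUBJECT_RE = re.compile(r"^(?:Pic|Blank|Picture|Document|Scan Data|IMG|File|Image) \d+$")
# Every download URL ends in this path; the ?<random>=<random> suffix is irrelevant.
DOWNLOAD_PATH = "/g76dbf"
# C2 beacons are HTTP POSTs to these hosts and path.
C2 = {
    ("77.123.137.221", "/linuxsucks.php"),
    ("91.200.14.124", "/linuxsucks.php"),
    ("185.127.27.100", "/linuxsucks.php"),
}
PAYLOAD_SHA256 = {
    "12d3077c923bc12aff8c2f3d04f96db427d841b185fa84a0a151d882cb3f08f8": "encoded download",
    "5948ceff8012d80f9b2dcef7316aa94d3a171d309c78e6b021b6af6928f16a0d": "decoded DLL",
}
# "rundll32.exe %TEMP%\<dll_name>,qwerty": any module followed by the export name qwerty.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,qwerty(?:\s|$)", re.IGNORECASE)


def email_indicators(sender: str, subject: str, attachment: str, body: str) -> list[str]:
    """Return the campaign traits a message exhibits; empty list means no match.

    The subject pattern plus the attachment named after the subject is the discriminating
    combination; a gmail sender or an empty body alone is far too common to alert on.
    """
    subject_ok = bool(SUBJECT_RE.match(subject))
    attachment_ok = attachment.lower() == subject.lower() + ".zip"
    if not (subject_ok and attachment_ok):
        return []
    hits = ["subject pattern", "attachment named after subject"]
    if sender.lower().endswith("@gmail.com"):
        hits.append("gmail sender")
    if not body.strip():
        hits.append("empty body")
    return hits


def url_indicator(method: str, url: str) -> str | None:
    """Classify one proxy entry as a payload download, a C2 beacon, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if method.upper() == "GET" and parts.path == DOWNLOAD_PATH:
        return f"payload download from {host}"       # query string deliberately ignored
    if method.upper() == "POST" and (host, parts.path) in C2:
        return f"Locky C2 POST to {host}"
    return None


def process_indicator(cmdline: str) -> str | None:
    """Flag rundll32 invoking the 'qwerty' export, regardless of the random DLL name."""
    return "rundll32 invoking export 'qwerty'" if RUNDLL_RE.search(cmdline) else None


def hash_indicator(sha256: str) -> str | None:
    """Look up a SHA256 against the two payload hashes from the paste."""
    return PAYLOAD_SHA256.get(sha256.lower())


# --- Constructed sample telemetry (assumed shapes; not from the paste) ------------------------
SAMPLE_EMAIL = dict(sender="jacklynl226@gmail.com", subject="IMG 1", attachment="IMG 1.zip", body="")
SAMPLE_PROXY = [
    ("GET", "http://a1channel.com/g76dbf?kd93=ab21"),   # downloader fetch with random query
    ("GET", "http://a1channel.com/index.html"),         # benign request to the same host
    ("POST", "http://91.200.14.124/linuxsucks.php"),    # C2 beacon
    ("POST", "http://91.200.14.124/other.php"),         # wrong path: no match
]
SAMPLE_CMDLINE = r"rundll32.exe C:\Users\bob\AppData\Local\Temp\hgs87df.dll,qwerty"  # DLL name assumed
SAMPLE_HASH = "5948CEFF8012D80F9B2DCEF7316AA94D3A171D309C78E6B021B6AF6928F16A0D"


def demo() -> list[str]:
    """Run every matcher over the constructed samples and return the resulting alerts."""
    alerts = list(email_indicators(**SAMPLE_EMAIL))
    alerts += [hit for hit in (url_indicator(m, u) for m, u in SAMPLE_PROXY) if hit]
    for hit in (process_indicator(SAMPLE_CMDLINE), hash_indicator(SAMPLE_HASH)):
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

The path-based download rule is intentionally broader than the 71 hosts listed above, because the paste itself notes that only the query string varies; in production the host list would be loaded alongside it so that an exact host-plus-path hit can be scored higher than a path-only hit.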