2016-12-19 Locky "Payslip for the month Dec 2016"

Racco42, Dec 19th, 2016 (edited)
2016-12-19: #locky email phishing campaign "Payslip for the month Dec 2016"

Sample email:
------------------------------------------------------------------------------------------------------------------
From: RUTHIE TORDOFF <ruthie.tordoff@damienelsing.com>
To: [REDACTED]
Subject: Payslip for the month Dec 2016.
Date: Mon, 19 Dec 2016 16:43:51 +0500

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.

Attachment: Payslip_Dec_2016_7705596.doc
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Payslip for the month Dec 2016."
- attached file "Payslip_Dec_2016_<5-8 digits>.doc" is a Microsoft Word 2007+ file with a macro that downloads the malware

Download sites:

Malware:
- encoded on download
SHA256 36ec2edae1dfd19f201223dd0b101494c33d092e2884288fecd8615cd86cd993, MD5 539ff4ca8d5a2ef6ab7297c4788c9e7d
SHA256 27f256daf811b85b8cdfe9efa1235bc59ff99ecf2c0f909155fdf3d646ebfdcc, MD5 30ffab27be3ca772b1bf8c97b22b9fdc
- decoded
SHA256 a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3, MD5 e93bbc2feaf005d85affbadc1abb39e9
SHA256 877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07, MD5 b2c125eb7d8186e1a4d52c411b94dd58
- executed by "rundll32.exe %TEMP%\<filename>.ero,money"
- samples
https://www.virustotal.com/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482159947/
https://www.virustotal.com/file/877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07/analysis/1482188600/

C2:
POST http://188.127.239.48/checkupdate
POST http://91.223.180.3/checkupdate
POST http://176.121.14.95/checkupdate
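As an added defender-side example (not part of the original paste), the indicators above turned into matching logic over constructed mail, proxy and process-creation log lines, one match per stage: the lure, the /8hrnv3 download, the rundll32 ".ero,money" execution and the /checkupdate C2 beacon. The pipe-separated log format and the host names in the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators from the paste above. The log lines further down are constructed samples.
SUBJECT = "Payslip for the month Dec 2016."
ATTACHMENT_RE = re.compile(r"^Payslip_Dec_2016_\d{5,8}\.doc$", re.IGNORECASE)
DOWNLOAD_PATH = "/8hrnv3"
C2_HOSTS = {"188.127.239.48", "91.223.180.3", "176.121.14.95"}
# rundll32 loading a .ero file out of a Temp directory and calling its "money" export
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S*\\temp\\[^\\\s,]+\.ero,money\b", re.IGNORECASE)


def classify(line):
    """Return the campaign stage a log line matches ("lure", "download", "execution", "c2") or None."""
    kind, _, rest = line.partition("|")
    fields = dict(f.split("=", 1) for f in rest.split("|") if "=" in f)
    if kind == "mail":
        if fields.get("subject") == SUBJECT and ATTACHMENT_RE.match(fields.get("attach", "")):
            return "lure"
    elif kind == "proxy":
        u = urlsplit(fields.get("url", ""))
        if fields.get("method") == "GET" and u.path == DOWNLOAD_PATH:
            return "download"
        if fields.get("method") == "POST" and u.hostname in C2_HOSTS and u.path == "/checkupdate":
            return "c2"
    elif kind == "proc":
        if RUNDLL_RE.search(fields.get("cmd", "")):
            return "execution"
    return None


def scan(lines):
    """Return [(stage, line)] for every line that matches a campaign indicator, in log order."""
    return [(classify(line), line) for line in lines if classify(line)]


SAMPLE_LOG = [  # constructed sample lines, not real telemetry; host names are placeholders
    "mail|subject=Payslip for the month Dec 2016.|attach=Payslip_Dec_2016_7705596.doc",
    "mail|subject=Lunch tomorrow?|attach=",
    "proxy|method=GET|url=http://compromised.example/8hrnv3",
    "proxy|method=GET|url=http://intranet.example/index.html",
    r"proc|cmd=rundll32.exe C:\Users\alice\AppData\Local\Temp\q7xk2.ero,money",
    r"proc|cmd=rundll32.exe shell32.dll,Control_RunDLL",
    "proxy|method=POST|url=http://188.127.239.48/checkupdate",
]

if __name__ == "__main__":
    for stage, line in scan(SAMPLE_LOG):
        print(f"{stage:10s} {line}")
```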