- 2016-09-14 #locky email phishing campaign "Delivery confirmation: XXXXXX"
- Email:
- -----------------------------------------------------------------------------------------------------------------
- From: <ship-confirm@sonrisebuilders.net>
- To: [REDACTED]
- Subject: Delivery Confirmation: 00947629436
- Date: Wed, 14 Sep 2016 17:02:28 +0700
- PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
- Attached is a pdf file containing items that have shipped
- Please contact us if there are any questions or further assistance we can provide
- Attachment: "Shipping Notification 00947629436.zip"
- -----------------------------------------------------------------------------------------------------------------
- - sender domain varies from message to message, but the address always has the format ship-confirm@<domain>
- - attached file "Shipping Notification <number>.zip" contains a single file named <11 random chars>.js
- Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not affect the download):
- http://amaranthine-deerplacenta.com/hjy93JNBasdas
- http://asunaz.com/hjy93JNBasdas
- http://baanpalad.com/hjy93JNBasdas
- http://cramjuice.com/hjy93JNBasdas
- http://dropsheep.com/hjy93JNBasdas
- http://dusklounge.com/hjy93JNBasdas
- http://elvox.pl/hjy93JNBasdas
- http://feechka.ru/hjy93JNBasdas
- http://infosors.com/hjy93JNBasdas
- http://jonathankimsey.com/hjy93JNBasdas
- http://joydetergent.com/hjy93JNBasdas
- http://kristinchurch.ca/hjy93JNBasdas
- http://mediainnovationtech.com/hjy93JNBasdas
- http://msayin.com/hjy93JNBasdas
- http://rentmanager.ph/hjy93JNBasdas
- http://sexturbo.ru/hjy93JNBasdas
- http://thermalthermostat.com/hjy93JNBasdas
- http://ygc1688.com/hjy93JNBasdas
- UPDATE1:
- http://1jamprofit.com/hjy93JNBasdas
- http://adventurevista.com/hjy93JNBasdas
- http://agetsoft.com/hjy93JNBasdas
- http://bkidon.ru/hjy93JNBasdas
- http://infotenerife.biz/hjy93JNBasdas
- http://liyuesheng.com/hjy93JNBasdas
- http://mayuliang.com/hjy93JNBasdas
- http://miprimercole.org/hjy93JNBasdas
- http://old-sinks.com/hjy93JNBasdas
- http://onlypost.ru/hjy93JNBasdas
- http://roome.co.il/hjy93JNBasdas
- http://xaydungtruonghung.com/hjy93JNBasdas
- Malware:
- - encoded on download, SHA256 c7f91c30f9b80542c1f5c62d99623ea6163cfaa08c93ef59e8b3c2d7aa53936c, filesize 259584 bytes
- - decoded SHA256 d14cb7ec9e4d68ef38f92b227c1f2af2352504ee8dc582a466911601b77f5267
- - executed as "rundll32.exe %TEMP%\ndVHSk1.dll,qwerty"
- https://www.reverse.it/sample/e54166462327f3a860c017b86719acce1137eac9d00f57718e30c4682efff314?environmentId=100
- https://www.reverse.it/sample/c546ab2ca870828eeabb0f21479c3e9677e745c02e970ad93c9028165dd34cb5?environmentId=100
- https://www.reverse.it/sample/35f99d9abdd8738bc9c05262837c39f44a33c1911c1e3f76e4fe0788de9edd8d?environmentId=100
- C2:
- - no C2 communication visible; the encryption key is probably stored in Locky's config
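The following is an added detection example, not part of the original paste. It turns the indicators above (sender pattern, subject, attachment name, the 11-character .js inside the zip, the fixed download path with its ignorable query suffix, the rundll32 ",qwerty" export call and the two SHA256 values) into checks and runs them over a small set of constructed log lines. The tab-separated log format, the sample lines, the hostnames example.org/example.com and the user path under C:\Users\alice are assumptions made for the example; only the indicator values come from the paste.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Indicators below are the ones listed in the paste. The log-line shape
# (tab-separated "kind<TAB>field..."), the sample lines and the hostnames
# in the samples are constructed for this example.
SENDER_RE = re.compile(r"^ship-confirm@[a-z0-9.-]+$", re.I)
SUBJECT_RE = re.compile(r"^Delivery Confirmation: \d+$", re.I)
ATTACHMENT_RE = re.compile(r"^Shipping Notification \d+\.zip$", re.I)
JS_NAME_RE = re.compile(r"^[A-Za-z0-9]{11}\.js$")
PAYLOAD_PATH = "/hjy93JNBasdas"
# rundll32 loading a DLL through the export named "qwerty", as observed in the paste.
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+.+?\.dll,qwerty\b", re.I)
KNOWN_SHA256 = {
    "c7f91c30f9b80542c1f5c62d99623ea6163cfaa08c93ef59e8b3c2d7aa53936c": "encoded download",
    "d14cb7ec9e4d68ef38f92b227c1f2af2352504ee8dc582a466911601b77f5267": "decoded payload",
}


def match_email(sender, subject, attachment):
    """Return the names of the campaign indicators an email matches."""
    hits = []
    if SENDER_RE.match(sender):
        hits.append("sender")
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    if ATTACHMENT_RE.match(attachment):
        hits.append("attachment")
    return hits


def match_url(url):
    """True when the URL path is the campaign's download path.

    The ?<random>=<random> suffix is ignored (the paste notes it does not
    affect the download) and the host is ignored because the campaign
    rotates through many compromised domains.
    """
    return urlsplit(url).path == PAYLOAD_PATH


def zip_matches_dropper(zip_bytes):
    """True when the archive holds exactly one 11-character .js file."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return len(names) == 1 and bool(JS_NAME_RE.match(names[0]))


def build_sample_zip(member_name, content=b"WScript.Echo(1);"):
    """Constructed helper: build an in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def match_process(cmdline):
    return bool(RUNDLL_RE.search(cmdline))


def match_hash(sha256):
    return KNOWN_SHA256.get(sha256.lower())


def scan(log_text):
    """Run every indicator over tab-separated log lines; return alerts."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        kind = fields[0]
        if kind == "mail" and len(fields) == 4:
            hits = match_email(*fields[1:])
            if len(hits) >= 2:  # the sender pattern alone is too weak to alert on
                alerts.append(("mail", fields[1], ", ".join(hits)))
        elif kind == "proxy" and len(fields) == 2 and match_url(fields[1]):
            alerts.append(("proxy", fields[1], "locky download path"))
        elif kind == "proc" and len(fields) == 2 and match_process(fields[1]):
            alerts.append(("proc", fields[1], "rundll32 ,qwerty export"))
        elif kind == "file" and len(fields) == 2 and match_hash(fields[1]):
            alerts.append(("file", fields[1], match_hash(fields[1])))
    return alerts


# Constructed sample log: sender, subject, attachment name, download path,
# DLL name and hash are copied from the paste; everything else is made up.
SAMPLE_LOG = (
    "mail\tship-confirm@sonrisebuilders.net\tDelivery Confirmation: 00947629436"
    "\tShipping Notification 00947629436.zip\n"
    "mail\tbilling@example.org\tInvoice 4471\tinvoice.pdf\n"
    "proxy\thttp://elvox.pl/hjy93JNBasdas?kd8=aq2\n"
    "proxy\thttp://www.example.com/index.html\n"
    "proc\trundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\ndVHSk1.dll,qwerty\n"
    "proc\trundll32.exe shell32.dll,Control_RunDLL\n"
    "file\tc7f91c30f9b80542c1f5c62d99623ea6163cfaa08c93ef59e8b3c2d7aa53936c\n"
)

if __name__ == "__main__":
    for kind, value, reason in scan(SAMPLE_LOG):
        print(f"{kind:5} {reason:24} {value}")
```

Matching the download URL on path alone is deliberate: the host list above is only the set seen so far and the campaign keeps adding domains, while the path stayed constant across every URL in the paste. The email check requires at least two of the three mail indicators so that a legitimate ship-confirm@ sender on its own does not raise an alert.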