Racco42

2016-09-14 Locky "Delivery confirmation: XXXXXX"

Sep 14th, 2016
2016-09-14 #locky email phishing campaign "Delivery confirmation: XXXXXX"

Email:
-----------------------------------------------------------------------------------------------------------------
From: <ship-confirm@sonrisebuilders.net>
To: [REDACTED]
Subject: Delivery Confirmation: 00947629436
Date: Wed, 14 Sep 2016 17:02:28 +0700

PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide

Attachment: "Shipping Notification 00947629436.zip"
-----------------------------------------------------------------------------------------------------------------
- sender is random, but has format ship-confirm@<domain>
- attached file "Shipping Notification <number>.zip" contains file <11 random chars>.js

Download sites (actual URLs have suffix ?<random>=<random> which does not influence download):

UPDATE1:

Malware:
- encoded on download, SHA256 c7f91c30f9b80542c1f5c62d99623ea6163cfaa08c93ef59e8b3c2d7aa53936c, filesize 259584 bytes
- decoded SHA256 d14cb7ec9e4d68ef38f92b227c1f2af2352504ee8dc582a466911601b77f5267
- executed as "rundll32.exe %TEMP%\ndVHSk1.dll,qwerty"

https://www.reverse.it/sample/e54166462327f3a860c017b86719acce1137eac9d00f57718e30c4682efff314?environmentId=100
https://www.reverse.it/sample/c546ab2ca870828eeabb0f21479c3e9677e745c02e970ad93c9028165dd34cb5?environmentId=100
https://www.reverse.it/sample/35f99d9abdd8738bc9c05262837c39f44a33c1911c1e3f76e4fe0788de9edd8d?environmentId=100

C2:
- no C2 communication visible, encryption key is probably stored in Locky's config
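Added example (not part of the original paste) turning the lure traits and the rundll32 execution pattern noted above into two small checks a mail gateway or EDR rule could run; the regexes, the sample message and the recipient address are constructed here from the notes, not taken from any tool.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure traits from the notes: fixed local part, numeric subject, zip lure name.
SENDER_RE = re.compile(r"^ship-confirm@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SUBJECT_RE = re.compile(r"^Delivery Confirmation: \d+$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^Shipping Notification \d+\.zip$", re.IGNORECASE)
# Execution trait: rundll32 loading a DLL dropped in %TEMP% (raw or expanded
# path) and calling a single named export, as in the observed command line.
RUNDLL_RE = re.compile(
    r"\brundll32(?:\.exe)?\s+\"?(?:%TEMP%|[A-Za-z]:\\.*?\\Temp)\\[^\s\",]+\.dll\"?,\w+",
    re.IGNORECASE,
)

def lure_traits(raw_email: str, attachments: list[str]) -> list[str]:
    """Return the campaign traits a message shows (empty list means no match)."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    traits = []
    if SENDER_RE.match(sender):
        traits.append("sender")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        traits.append("subject")
    if any(ATTACH_RE.match(name) for name in attachments):
        traits.append("attachment")
    return traits

def is_suspicious_rundll32(cmdline: str) -> bool:
    """True when a process command line matches the execution pattern above."""
    return RUNDLL_RE.search(cmdline) is not None

# Constructed sample built from the headers in the notes (recipient invented).
SAMPLE_EMAIL = """From: <ship-confirm@sonrisebuilders.net>
To: victim@example.invalid
Subject: Delivery Confirmation: 00947629436
Date: Wed, 14 Sep 2016 17:02:28 +0700

PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
"""
SAMPLE_ATTACHMENTS = ["Shipping Notification 00947629436.zip"]

if __name__ == "__main__":
    print(lure_traits(SAMPLE_EMAIL, SAMPLE_ATTACHMENTS))
    print(is_suspicious_rundll32(r"rundll32.exe %TEMP%\ndVHSk1.dll,qwerty"))
```

Matching all three lure traits, or the rundll32 pattern on a host, is a strong signal for this campaign; a single trait on its own is only worth a lower-confidence alert.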