2016-12-20 Locky "for printing"

Racco42, Dec 20th, 2016 (edited)
2016-12-20: #locky email phishing campaign "for printing"

Email sample:
------------------------------------------------------------------------------------------------------------------
From: TAMMY MALTMAN <tammy.maltman@jmorris.net>
To: [REDACTED]
Date: Tue, 20 Dec 2016 16:15:08 +0530
Subject: for printing

Hi,

For printing.
Thank you so much.
--

*TAMMY MALTMAN CristobalHRD/Admin Officer*
*Moonbake Inc.14 Langka St., Golden Acres Talon 1*
*Las Piñas City, Philippines 1630Tel. No.: 632 8004373, 632 8022645Telefax:
632 8022645*

*Mobile Number: +63932-845-9007Email Address: tammy.maltman@jmorris.net
<tammy.maltman@jmorris.net>*

Attachment: Certificate_60447.xls
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "for printing"
- attached file "Certificate_<4-8 digits>.xls" is a Microsoft Excel 2007+ file containing a macro that downloads the malware:

Download sites:

Malware:
- encoded on download, SHA256 3e813c9aef93c3ee00c89f99ee3e67314417b3d492c175a0633c0bb61cd03bef, MD5 20bac7aa46a9d2f0f19e54ed36a9b0fd
- decoded SHA256 3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893, MD5 c46d07a05d498cf4178d3092ee62aa07
- executed by "rundll32.exe %TEMP%\<filename>.vip,vape"
- sample: https://www.virustotal.com/file/3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893/analysis/1482233488/

C2:
POST http://176.121.14.95/checkupdate
POST http://188.127.239.48/checkupdate
POST http://193.201.225.124/checkupdate
POST http://91.203.5.144/checkupdate
POST http://91.223.180.3/checkupdate
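The two behaviours above (rundll32 loading a non-.dll module from %TEMP% with a named export, and a POST to /checkupdate on a bare IP) are what a detection would key on. The script below is an added example, not part of the paste: it runs two such checks over constructed process-creation and proxy log lines; the log format, field names and the assumption that %TEMP% expands to a path containing \Temp\ are mine.

```python
import re

# Constructed sample telemetry (not from the paste). Format, "|"-separated:
#   proc|<image path>|<command line>      process creation
#   http|<method>|<url>                   outbound web request
SAMPLE_LOGS = [
    "proc|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\Certificate_60447.vip,vape",
    "proc|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "proc|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|EXCEL.EXE Certificate_60447.xls",
    "http|POST|http://176.121.14.95/checkupdate",
    "http|POST|http://updates.example.org/checkupdate",
]

# rundll32 given a module under a \Temp\ directory whose extension is not .dll,
# followed by ",<export>" (the paste: rundll32.exe %TEMP%\<filename>.vip,vape).
# Assumes %TEMP% expands to a path containing \Temp\, which is the Windows default.
RUNDLL_TEMP_NONDLL = re.compile(
    r"rundll32\.exe\s+\S*\\Temp\\[^\\\s,]+\.(?!dll\b)[A-Za-z0-9]+,\S+", re.IGNORECASE)

# POST to /checkupdate on a bare IPv4 host, matching the C2 list in the paste;
# the same path on a hostname is deliberately not matched to limit false positives.
C2_CHECKUPDATE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}/checkupdate$")


def classify(line):
    """Return a detection label for one log line, or None if nothing matched."""
    kind, first, second = line.split("|", 2)
    if kind == "proc" and first.lower().endswith("rundll32.exe") \
            and RUNDLL_TEMP_NONDLL.search(second):
        return "rundll32-temp-nondll-export"
    if kind == "http" and first == "POST" and C2_CHECKUPDATE.match(second):
        return "locky-c2-checkupdate"
    return None


def scan(lines):
    """Return (label, line) pairs for every line that triggers a detection."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            hits.append((label, line))
    return hits


if __name__ == "__main__":
    for label, line in scan(SAMPLE_LOGS):
        print(label, "<-", line)
```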