- 2016-09-01 #locky email phishing campaign "Confirmation"
- Email sample (the sender domain is spoofed to match the recipient's own email domain):
- -----------------------------------------------------------------------------------------------------
- From: "Pat" <Pat115@[REDACTED]>
- To: [REDACTED]
- Subject: Confirmation
- Hi Sir,
- Attached is the confirmation details.
- Thank you!
- {
- Sent from Yahoo Mail for iPhone
- -----------------------------------------------------------------------------------------------------
- The email carries an attachment named "IMG_[number].zip"; because of an error in how the message was composed, MS Outlook does not display the attachment (Thunderbird does). The zip contains "<randomchars>.wsf", which holds a JScript downloader.
- Download sites (the actual URLs carry a suffix of the form ?<random>=<random>, which does not affect the download):
- Malware:
- - as downloaded (encoded): SHA256 55369f51ed86168f801a26435df4cc355ae9ec3d8f42b9d06ad6ccf146d303fd, file size 199680 bytes
- - decoded payload: SHA256 e98a7d97ce6814c08563b57043980d356c1885ba2f9ae9cd33e0a8a41d616fd3
- C2:
- 212.109.192.235:80/data/info.php
- (xattllfuayehhmpnx.pw) 91.223.180.66:80/data/info.php
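Two defender-side checks built from the indicators above, as an added example (constructed here, not part of the paste): a mail-gateway test for the IMG_<number>.zip lure carrying a .wsf, and a proxy-log scan for the "/87hcrn33g" downloader path and the "/data/info.php" C2 check-in. The log layout, the example-host.test hostname and the zip contents are assumptions.

```python
import io
import re
import zipfile

# Added defender-side checks for the campaign above; indicator values are from the paste: downloader path "/87hcrn33g" (+ random ?x=y) and C2 "/data/info.php" on the two hosts.
ATTACHMENT_NAME = re.compile(r"^IMG_\d+\.zip$", re.IGNORECASE)
DOWNLOAD_PATH = re.compile(r"/87hcrn33g(?:\?\S*)?$")
C2_HOSTS = {"212.109.192.235", "91.223.180.66", "xattllfuayehhmpnx.pw"}
C2_PATH = "/data/info.php"

def suspicious_attachment(filename, data):
    """True if the attachment is named IMG_<number>.zip and holds a .wsf member
    (the JScript downloader stage). Data that is not a valid zip is not flagged."""
    if not ATTACHMENT_NAME.match(filename):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(".wsf") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def scan_proxy_log(lines):
    """Return (client, url, stage) for lines fetching the downloader path or
    checking in to the C2. Assumed log layout: "<client> <method> <url> <status>"."""
    hits = []
    for line in lines:
        parts = line.split()
        url = parts[2] if len(parts) > 2 else ""
        m = re.match(r"https?://([^/:]+)(?::\d+)?(/\S*)?$", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        if DOWNLOAD_PATH.search(path):
            hits.append((parts[0], url, "payload_download"))
        elif host in C2_HOSTS and path == C2_PATH:
            hits.append((parts[0], url, "c2_checkin"))
    return hits

def build_sample_zip():
    """Constructed lure look-alike: one inert .wsf stub inside a zip (no downloader code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("k3jd8s.wsf", "<job><script language='JScript'></script></job>")
    return buf.getvalue()

SAMPLE_LOG = [  # constructed lines, not a real capture
    "10.0.0.5 GET http://www.example-host.test/87hcrn33g?ab12=cd34 200",
    "10.0.0.5 POST http://212.109.192.235:80/data/info.php 200",
    "10.0.0.7 GET http://www.example-host.test/index.html 200",
]
```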