API tools faq
paste
Advertisement
Racco42

Locky "Confirmation"

Racco42
Sep 1st, 2016
1,859
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.01 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-01 #locky email phishing campaign "Confirmation"
  2.  
  3. Email sample (sender domain is faked to be from recipient's email domain):
  4. -----------------------------------------------------------------------------------------------------
  5. From: "Pat" <Pat115@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: Confirmation
  8.  
  9. Hi Sir,
  10.  
  11. Attached is the confirmation details.
  12.  
  13. Thank you!
  14.  
  15. {
  16.  
  17. Sent from Yahoo Mail for iPhone
  18. -----------------------------------------------------------------------------------------------------
  19. The email contains attachment "IMG_[number].zip", however due to error in message composition MS Outlook will not show the attachment (but Thunderbird will). The zip contain "<randomchars>.wsf" which contains JScript downloader
  20.  
  21. Download sites (the actual URLs contain suffix ?<random>=<random>, but it does not influence the download):
  22. http://158.195.68.10/87hcrn33g
  23. http://branchjp.web.fc2.com/87hcrn33g
  24. http://chal4.co.uk/87hcrn33g
  25. http://dashman.web.fc2.com/87hcrn33g
  26. http://dcqoutlet.es/87hcrn33g
  27. http://forum.sandalcraft.cba.pl/87hcrn33g
  28. http://hotcarshhhs6632.com/js/87hcrn33g
  29. http://hotelimperium.go.ro/87hcrn33g
  30. http://imperium.nazory.cz/87hcrn33g
  31. http://kawasima0506.web.fc2.com/87hcrn33g
  32. http://kissfm.rdsor.ro/87hcrn33g
  33. http://ksiega.solidworks.cba.pl/87hcrn33g
  34. http://nevrincea.50webs.com/87hcrn33g
  35. http://olivier.coroenne.perso.sfr.fr/87hcrn33g
  36. http://reklamnibannery.wz.cz/87hcrn33g
  37. http://rhanwid.com/87hcrn33g
  38. http://sac360.web.fc2.com/87hcrn33g
  39. http://school3.50webs.com/87hcrn33g
  40. http://srxrun.nobody.jp/87hcrn33g
  41. http://szkolagrojec.republika.pl/87hcrn33g
  42. http://wccf.huuryuu.com/87hcrn33g
  43. http://www.agridiving.net/87hcrn33g
  44. http://www.cmg-ingegneria.it/87hcrn33g
  45. http://www.coseincredibili.it/87hcrn33g
  46. http://www.courtesyweb.it/87hcrn33g
  47. http://www.dallaglio-nordin.com/87hcrn33g
  48. http://www.galaturs.com.ua/87hcrn33g
  49. http://www.gebrvanorsouw.nl/87hcrn33g
  50. http://www.gunaldy.com/87hcrn33g
  51. http://www.idiomestarradellas.com/87hcrn33g
  52. http://www.infoteria.cba.pl/87hcrn33g
  53. http://www.motortecnica.org/87hcrn33g
  54. http://www.termoalbiate.com/87hcrn33g
  55. http://www.valerypro.com/87hcrn33g
  56. http://zui9reica.web.fc2.com/87hcrn33g
  57.  
  58. Malware:
  59. - encoded on download, SHA256 55369f51ed86168f801a26435df4cc355ae9ec3d8f42b9d06ad6ccf146d303fd, filesize 199680 bytes
  60. - decoded SHA256 e98a7d97ce6814c08563b57043980d356c1885ba2f9ae9cd33e0a8a41d616fd3
  61.  
  62. https://www.reverse.it/sample/62e33128e85f6cc95600630bcb9e51eb90e0a77ace4977c54a3d6ca04dc83f46?environmentId=100
  63. https://www.reverse.it/sample/312c036dd0ee970177b3246fc936dd2be3e4e692c114cd865a238f4a91db4920?environmentId=100
  64. https://www.reverse.it/sample/53100c48a222fca7246edf9ad2ccb2d22d40c9f33464aea640e1c580730b69c9?environmentId=100
  65. https://www.reverse.it/sample/774c3b2a07bb993c238ef7ea16c7b9947f7a0e41e68c5dfeef1b2dceacfe911e?environmentId=100
  66. https://www.reverse.it/sample/f7b55ae25de1712006cb0c3976585f308f2d5ba15d3615c5a8387bc188a67b7f?environmentId=100
  67.  
  68. C2:
  69. 212.109.192.235:80/data/info.php
  70. (xattllfuayehhmpnx.pw) 91.223.180.66:80/data/info.php
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!