SHARE
TWEET

2016-12-14 Locky "Booking confirmation"

Racco42 Dec 14th, 2016 (edited) 145 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-14: #locky email phishing campaign "Booking Confirmation"
  2.  
  3. Sample email:
  4. -------------------------------------------------------------------------------------------------------------------
  5. From: camille tuenbull <camille.tuenbull@didlake.hr.coxmail.com>
  6. To: [REDACTED]
  7. Date: Wed, 14 Dec 2016 11:56:41 +0200
  8. Subject: Booking Confirmation
  9.  
  10. Booking Confirmation
  11.  
  12. This email and any attachments are confidential. If you have received it in error - notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
  13.  
  14. Attachment: BookingConfirmation_7305_[REDACTED].docm
  15. -------------------------------------------------------------------------------------------------------------------
  16. - sender varies between emails
  17. - subject is "Booking Confirmation"
  18. - attached file "BookingConfirmation_<2-6 digits>_<recipient's email>.docm" is a Microsoft Word file with malicious macro that will download malware
  19.  
  20. Download sites:
  21. http://028cdxyk.com/nbv364
  22. http://allan.multimediedesignerskive.dk/nbv364
  23. http://amaniinitiative.org/nbv364
  24. http://angermeir.de/nbv364
  25. http://antonbogov.com/nbv364
  26. http://arbeiten.pl/nbv364
  27. http://autozirkus.com/nbv364
  28. http://bikebrowse.com/nbv364
  29. http://dealspari.com/nbv364
  30. http://demo.ahost5.ru/nbv364
  31. http://demo.pornuha4you.com/nbv364
  32. http://dicksmacker.com/nbv364
  33. http://dochalupy.com/nbv364
  34. http://dongiberson.com/nbv364
  35. http://downloadform.net/nbv364
  36. http://dryerventexpress.com/nbv364
  37. http://eastoncorporatefinance.com/nbv364
  38. http://e-pin.gr/nbv364
  39. http://evolutionseries.com/nbv364
  40. http://facerecognition.com.ba/nbv364
  41. http://gandalfoli.com/nbv364
  42. http://hotmusic.vipereskariot.ru/nbv364
  43. http://houssiere.daniel.formations-web.alsace/nbv364
  44. http://infinitecorp.ca/nbv364
  45. http://kayamuh.sarf.com.tr/nbv364
  46. http://ledticket.com/nbv364
  47. http://lntproductions.com/nbv364
  48. http://lucapotenziani.com/nbv364
  49. http://mainlinecarriers.co.tz/nbv364
  50. http://mbdvacations.com/nbv364
  51. http://meatthetruth.ru/nbv364
  52. http://mhmchicago.com/nbv364
  53. http://old.strommarnas.se/nbv364
  54. http://o-migunova.myjino.ru/nbv364
  55. http://ospkrutyn.pl/nbv364
  56. http://pacworld.com/nbv364
  57. http://perspektive-fuer-kinder.de/nbv364
  58. http://s98405.gridserver.com/nbv364
  59. http://safataj.ir/nbv364
  60. http://seven-cards.com/nbv364
  61. http://shortsuey.com/nbv364
  62. http://spikaflora.ru/nbv364
  63. http://store.elixe.net/nbv364
  64. http://theexcelconsultant.com/nbv364
  65. http://tunca.bel.tr/nbv364
  66. http://ustadhanif.com/nbv364
  67. http://watchmeninc.com/nbv364
  68. http://welovetofish.org/nbv364
  69. http://www.englishworld.it/nbv364
  70. http://www.jebbenterprises.com/nbv364
  71. http://www.kottalgenealogy.com/nbv364
  72. http://yaeliloni.com/nbv364
  73. http://zhongguanjiaoshi.com/nbv364
  74.  
  75. UPDATE:
  76. http://movewithgrace.ca/nbv364
  77. http://obccllc.com/nbv364
  78. http://smcga.ca/nbv364
  79.  
  80. Malware
  81. - encoded on download SHA256 a0f61de098c20ea77b8c0aa81724459fe63ac2f21f0b3150a2a5b16e1971ba40, MD5 47ba782233f37579aff9ca0687b36b5c
  82. - decoded SHA256 a9574969901055c2db26e0a9f63cde558d9b9be85f808bf3013888bc65cfd87b, MD5 78f3293d928a1539b7a173124b255b96
  83. - executed by "rundll32.exe %TEMP%\<filename>.rudf,GetMessage"
  84. - samples
  85. https://www.reverse.it/sample/bf80b15f9e889be5b41a0bba33163a823cb4560b36297902e35a22e372b9ff44?environmentId=100
  86. https://www.reverse.it/sample/bc504d0fc9793d24ea860ca069745eeb0a777906a3cb98196bc3ac84507d857a?environmentId=100
  87.  
  88. C2:
  89. POST http://176.121.14.95/checkupdate
  90. POST http://185.117.72.105/checkupdate
RAW Paste Data
Top