2016-12-05 Locky "Emailing" / no subject

Racco42, Dec 5th, 2016 (edited)
2016-12-05 Locky email phishing campaigns "Emailing: _xxxx_xxxx" / "No subject"
http://blog.dynamoo.com/2016/12/malware-spam-emailing-9376924272-no.html

Email sample (Emailing: _xxxx_xxxx):
--------------------------------------------------------------------------------------------------------------------
From: "Marina" <Marina.jeffeaux91@klachurch.org>
To: [REDACTED]
Subject: Emailing: _0828817_36073220
Date: Mon, 05 Dec 2016 15:24:01 +0530

Your message is ready to be sent with the following file or link
attachments:

  _0828817_36073220

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attachment: _0828817_36073220.xls
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Emailing: _<digits>_<digits>"
- attached file "_<digits>_<digits>.xls" (same name as the subject token) is a Microsoft Word file containing a macro that will download malware

Email sample (no subject):
--------------------------------------------------------------------------------------------------------------------
From: "Harold frisby" <Harold.frisby4@printprinters.com>
To: [REDACTED]
Subject: No subject
Date: Mon, 05 Dec 2016 02:39:06 -0700

Attachment: "20161205023906924885483.xls"
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- message has an empty subject or "No Subject"
- email body is empty
- attached file "20161205<digits>.xls" is a Microsoft Word file containing a macro that will download malware

Download sites:
UPDATED:
UPDATE2:
http://deminico.com/87t34f
http://sublimeshop.co.uk/87t34f
http://waat.co.uk/87t34f
  105.  
Malware:
- encoded on download, SHA256 c622a8e1a12f12134b3df5e145ea6f4e2d9d642fa08d2a59f1cff05b177558d4, MD5 08d478fba01b4ecd9bb0f1787869fcc4
- decoded SHA256 7acbf2edb7b7435e21cda70b6a0b7d3fdaed248b63d27208b3b1ca38a18c4a1d, MD5 dbacb9edc7b168e65b2e28f59218850b
- sample https://malwr.com/analysis/MGI4ZDdlNDZkN2RjNGM3YmI2YjYwOTNhZTc2MTA2NTc/
- encrypted files have .osiris extension

C2:
POST http://91.142.90.61/checkupdate
POST http://185.82.217.28/checkupdate
POST http://195.19.192.99/checkupdate
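As an added example (not part of the paste), a small Python triage script that applies the two email patterns described above and the C2 beacon shape to raw messages and proxy log lines. The sample messages it builds are constructed, and matching /checkupdate on any bare IP rather than only the three listed is an assumption.

```python
import re
from email import message_from_string, policy

# Variant 1 from the paste: subject "Emailing: _<digits>_<digits>" and an
# attachment named "<same token>.xls".
EMAILING_SUBJECT = re.compile(r"^Emailing: (_\d+_\d+)$")
# Variant 2: empty / "No subject" subject, empty body, "20161205<digits>.xls".
NOSUBJECT_ATTACH = re.compile(r"^20161205\d+\.xls$", re.IGNORECASE)
# C2 check-in seen in the paste; generalised to any bare IP (an assumption).
C2_CHECKIN = re.compile(r"^POST\s+http://\d{1,3}(?:\.\d{1,3}){3}/checkupdate(?:\s|$)")


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_is_empty(msg):
    """True when no text/plain body part has non-whitespace content."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            if part.get_content().strip():
                return False
    return True


def classify_email(raw):
    """Return the campaign variant a raw RFC 822 message matches, or None."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    m = EMAILING_SUBJECT.match(subject)
    if m and any(n.lower() == f"{m.group(1)}.xls" for n in names):
        return "locky-emailing"
    if (subject.lower() in ("", "no subject") and body_is_empty(msg)
            and any(NOSUBJECT_ATTACH.match(n) for n in names)):
        return "locky-nosubject"
    return None


def is_c2_checkin(proxy_log_line):
    """Flag a proxy/IDS log line matching the paste's POST /checkupdate beacon."""
    return bool(C2_CHECKIN.match(proxy_log_line.strip()))


def build_sample(sender, subject, attachment, body=""):
    """Constructed raw MIME message (not a real capture) shaped like the samples."""
    return (f"From: {sender}\nTo: victim@example.invalid\nSubject: {subject}\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            f'--b1\nContent-Type: text/plain; charset="utf-8"\n\n{body}\n'
            "--b1\nContent-Type: application/vnd.ms-excel\n"
            f'Content-Disposition: attachment; filename="{attachment}"\n\nXX\n--b1--\n')
```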