SHARE
TWEET

2016-12-15 Locky "Order Receipt"

Racco42 Dec 15th, 2016 125 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-15: #locky email phishing campaign "Order Receipt"
  2.  
  3. Email sample:
  4. ----------------------------------------------------------------------------------------------------------------------
  5. From: "Anna Hurst" <Hurst.Anna@jonasburkhalter.com>
  6. To: [REDACTED]
  7. Subject: Order Receipt
  8. Date: Thu, 15 Dec 2016 10:54:57 -0200
  9.  
  10. Dear [REDACTED],
  11. Thank you for making your order in our store!
  12. The payment receipt and crucial payment information are in the attached document.
  13.  
  14. -
  15. King Regards,
  16. Anna Hurst
  17. Sales Manager
  18.  
  19. Attachment: scan2967832.zip -> ~_NV6HY_~.js
  20. ----------------------------------------------------------------------------------------------------------------------
  21. - sender varies between emails
  22. - subject is "Order Receipt"
  23. - attached file "scan<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScript downloader
  24.  
  25. Download sites:
  26. http://047688888.com/yfmmqd0
  27. http://2h4u.com/5rkumb2
  28. http://72mic.cn/q98yonpipk
  29. http://aficar.es/dyap1
  30. http://alexsoft.cn/lqxbccgvg
  31. http://alfa-auto.pl/ltopxz
  32. http://alteo-alumina.com/yqqw0sp3p3
  33. http://ama119.jp/uxnvj
  34. http://anhang-billsville.ca/d3j5l
  35. http://arslan.pro/auuy3to00
  36. http://asonoyamaboushi.com/q6n5nml
  37. http://atakankasap.com/m2hmcizn
  38. http://atwork.cn/t4kavmogc
  39. http://bbdoutdoor.com/igfzq1sgg6
  40. http://beinthesky.net/ad4ud12
  41. http://bettydesign.cz/rfwmd
  42. http://beumerkleinmetaal.nl/vzmg6rg
  43. http://bigtreerecord.com/qvwjc
  44. http://bigtrust.co.kr/0jpbwaf
  45. http://biogoodland.com/ryrfcs
  46. http://book.50webs.com/pkxwqfrg
  47. http://candylee.com/f25syokvoc
  48. http://chandelles-golf.com/sltl0nms
  49. http://chuaiyue.com/xsttl
  50. http://chuantu.net/ftb42ysmkh
  51. http://communicore.biz/6evwetxcz
  52. http://copiadorassharp.es/fzdxewt
  53. http://coruspadel.es/n7kz5km
  54. http://cuoder.org/to6nnme
  55. http://dinamusfg.com/82hwv
  56. http://dxhhbj.com/xgnhqsdq4
  57. http://dykeselec.com/yjjvg
  58. http://eflengu.ru/jmu1ix0
  59. http://ekovizyonpeyzaj.com/aiw3cfjw
  60. http://fanda-wesst.com/dvnelp1xx
  61. http://fm1111.fr/4sl2rtd
  62. http://foxhilltoyfoxterriers.com/ictrno0kyl
  63. http://gallerisymbol.dk/dqaquyxl0
  64. http://goodgate.tv/7m2vrub
  65. http://greybruceinsurance.com/fn0z26pne
  66. http://gtilite.jp/xphqbv
  67. http://guardian-angels-diva.de/0cepvia
  68. http://hitechsolinc.com/jhcby
  69. http://hotelglobo.eu/jjsmb
  70. http://interoffice-lb.com/3agmjt1
  71. http://kathollowell.com/6obllz
  72. http://laferwear.com/2xry1qp
  73. http://legaladvice.50webs.com/sti23
  74. http://mews-labo.com/vwxn1femb3
  75. http://mtrk.ru/3rlflm8
  76. http://pablopaz.com/6twklhtuu
  77. http://sublimeshop.co.uk/4umz2
  78. http://teen.deep-ice.com/nzw9cp6ooj
  79. http://untitled.50webs.com/ncsuspx4
  80. http://untitled.50webs.com/v06afm
  81. http://waat.co.uk/68uitnl
  82. http://www.angeljob.com/sgdijtu
  83. http://www.bds-1.com/gfftte3uv
  84. http://www.elevation.com.cn/xno8wx
  85. http://zophotos.com/0fmnqv
  86.  
  87. Shared from "Amount Payable"
  88. http://0668.com/k5bhgn
  89. http://250sb.com./jynvmx
  90. http://addwords.com.tr/aah6qmhv
  91. http://anti-dust.ru/7k6cp
  92. http://asdream.pl/gbbs1c
  93. http://atio.li/exjik
  94. http://bappeda.dharmasrayakab.go.id/dlhalychp
  95. http://braindouble.com/uycx51ix
  96. http://buhoutserts.ru/ufdazc6vv
  97. http://casino-okinawa.com/ejguf
  98. http://catherineduret.ch/5qpqi5ezp
  99. http://chinaxw.org/xw1ju7y6zc
  100. http://chungcuvinhomemydinh.com/6dvjasf
  101. http://crolic88.myjino.ru/1ddig
  102. http://demo.shispare.com/bvsjq
  103. http://environment.ae/0od5hn
  104. http://forbrent.com/h9kqgq
  105. http://fyd123.cn/kib6h2d9ga
  106. http://groupeelectrogeneservice.com/eefpeywf9z
  107. http://hedefosgb.com/dpyzsb6u
  108. http://hlonline.kentucky.com/i7z78
  109. http://innercityarts.squaremdesign.com/dyo1w7
  110. http://jianhu365.com/z9puqdj2eu
  111. http://malamut.org/gizb2zq
  112. http://obaloco.com.br/67mfj
  113. http://peopleprofit.in/pyihdg
  114. http://roman64.humlak.cz/7bnisgf
  115. http://rulebraker.ru/zsw4cnf9o
  116. http://scaune.qmagazin.ro/5hktu4h
  117. http://slankmethode.nl/4zzq1am
  118. http://subys.com/mjguriv80
  119. http://szwanrong.com/x5qxzpjsi
  120. http://tecnomundo.uy/a8rnlgzv
  121. http://test1.giaiphaponline.org/0ytdjs1
  122. http://test.sousouyo.com/feaetpnuee
  123. http://theamericanwake.com/xw1ju7y6zc
  124. http://travelinsider.com.au/mwaefb4b
  125. http://trietlong.net/heyus
  126. http://tx318.com/kqe4ca
  127. http://ucbus.net/usdxqqt6
  128. http://u-niwon.com/kmjg6j9ske
  129. http://vaaren.dk/ogcz6ys0d
  130. http://viscarci.com/wyqs6353
  131. http://walkonwheels.net.au/qmd1uu
  132. http://wdcd999.com/lm5z2snyqn
  133. http://web-shuttle.in/eeo9oc
  134. http://windshieldrepairvancouver.ca/qcp8k7
  135. http://wiselysoft.com/qcymgbug7
  136. http://wszystkodokuchni.pl/sl5yko7
  137. http://wudiai.com/mc3hnwd
  138. http://www.espansioneimmobiliare.com/akktnck
  139. http://www.myboatplans.net/6d7ukeco6
  140. http://wx.utaidu.com/1eybujbru
  141. http://xlr8services.com/n970foumf
  142. http://xn--k1affefe.xn--p1ai/8wzzjk24u
  143. http://youspeak.pt/liowrtxs
  144. http://yukngobrol.com/h7sfu
  145. http://zhiyuw.com/qfbdcvrul
  146. http://zwljfc.com/ld1pvjozu
  147. http://zzzort10xtest123.com/nin5k3bwo
  148.  
  149. Malware:
  150. - encoded on download
  151. 4772df13d7371bb457a2f4e6be9509efc3f5f8990b82ecf12026414f49ffe96a  http___047688888.com_yfmmqd0
  152. 60380d4f3e5e392d7af27bc85324d7363dd644dfce4059bff832bb3dff17ff21  http___0668.com_k5bhgn
  153. 2d14f034e7fec59cd12baec77dceb16ac1b410b613e2d63e118b55294cec54dd  http___2h4u.com_5rkumb2
  154. b8178c716f60867e9c0c587450b1712916165c5c84387ed26566816e9d407ea4  http___72mic.cn_q98yonpipk
  155. 8d9b81fc81ae05f7533c8d2cfc98417b07cd192acb6368bb7d61710095da727b  http___aficar.es_dyap1 [6]
  156. f33109d5c8c3f7c21c6e860e59703c05a45f210eb2162e2bc90f3221e530909e  http___alexsoft.cn_lqxbccgvg
  157. 1c9b95d4a41b8dcb8dea64351ed2660d31e8b8036a3ba145618dbfb9f3a5c3d7  http___alfa-auto.pl_ltopxz
  158. b36c2398b11474ccb3c02d0ee0b4e36345aa28c9e7101555fb786a53067f5b89  http___alteo-alumina.com_yqqw0sp3p3
  159. 961c585bf02ccb297110fd43089b875d1aad0b9f7bc6d926eac65a96d64d8c29  http___ama119.jp_uxnvj
  160. 9329388d016ab49841a31fad2507896b0724507d17508a8a8cbf83f05d8e2aa4  http___anhang-billsville.ca_d3j5l
  161. 1333357356f93875d1831193aa25fb1ff4bd6c0f04b9c1b971ef7a30cddf50b6  http___anti-dust.ru_7k6cp
  162. 879582db8c6a2e6dd7b13b66fe6b7f3b6e0fea52be216d0b27624b5abf11e440  http___arslan.pro_auuy3to00
  163. 67460770ef766dcbd17f3b4717cfdf944d64b3a8112a77a468a9b6a3f18c2384  http___asonoyamaboushi.com_q6n5nml
  164. 6c4740742f0ae6884b2d402da68b586b9040a61a1d5fd292cbb64d65f76fd3a3  http___atakankasap.com_m2hmcizn
  165. 69c7c306baa7b60c05af065a11f6edda4bf09bdbabcafa48ba7731e88803d1d3  http___atwork.cn_t4kavmogc
  166. 74e94c4b500b9ad64afed2db0614c4d74c819f70f42d17db7bb44d383427fb02  http___bappeda.dharmasrayakab.go.id_dlhalychp
  167. ac992fc46eb676bd37415ac748b60f3f1f87d8a8d78c371e501cc1b481b60757  http___beinthesky.net_ad4ud12
  168. 9e8ed70794c104f8293ec396812202b5aeac7cebe5255fa2ba934dca0760940e  http___beumerkleinmetaal.nl_vzmg6rg
  169. 2666a43cf09b1d3a4f2964afafa0ee456e8d33514b12798f4a52ff9ffae2550f  http___bigtreerecord.com_qvwjc
  170. 967b9bf1fbed44633ebad8aa8e67601ef36faa259d713bee6aa0f3c6e1e4c84d  http___bigtrust.co.kr_0jpbwaf
  171. 522700379bf4aaa0f663c19e7a16803ec32f47cb34ae2d43adbae4099f6f3c4c  http___biogoodland.com_ryrfcs [1]
  172. 549b212a1aec8a67ad91e27267590b31c39e40edde5a114c6b5c8620cd5adeff  http___book.50webs.com_pkxwqfrg
  173. f4a1f90ba4c2f8c17591293d5cb23487e352292c4fe0670f323d33c64ffa0b43  http___buhoutserts.ru_ufdazc6vv
  174. 4fbef56c1e0c5c0791399dca280cba72b124f5f396bcd042735cfd7d5ab760ad  http___candylee.com_f25syokvoc
  175. 3f72728cd26c02e830990e81e08d81e3a0aaa2fbcbefb34c7ee001a34fc69bbd  http___chandelles-golf.com_sltl0nms
  176. c3c202b707bdb0e98e7a17bfedea618ea3369d4d858c86f7c52aaeceb4999548  http___chuaiyue.com_xsttl
  177. 8699fa0b8a5e7df6690224e079c3da0414d9aace9be4bbf0e6fde86965a05da5  http___chuantu.net_ftb42ysmkh
  178. 5abf81af30ac919aa98d6451ad464bd1889f6923d038bfe0e3c806bd7aa8890c  http___chungcuvinhomemydinh.com_6dvjasf
  179. 182b98a73cb06ef72826aedb2076aa012e63598bda8f97c0c516abbece0c129e  http___communicore.biz_6evwetxcz
  180. 25f30430a81da3d69861e3bd3adaa9e726e456c92b1355650b4cdc79222684b6  http___copiadorassharp.es_fzdxewt
  181. c611fe759b804709c8e31ebd24bdb48b57ab27ba297c91f40e7e6f23fe49116f  http___coruspadel.es_n7kz5km
  182. 0b084d8c88f44515dc885c8a54c7ad45accef98c0aff3a6a43596c929987ea6f  http___cuoder.org_to6nnme
  183. 59b446abbac471363aaa2bbfff5f658907b2bb1de313c2d50fd5f3d470ce0627  http___dinamusfg.com_82hwv
  184. e93d27f9a92780bc96d21ea03cd4ea96c51985b7754c9d6812407a5ecb832bc2  http___dxhhbj.com_xgnhqsdq4
  185. 2920ed11c779c7c14e30763f52b57480eaa5dc4261a75aa6d3db7f8bc84c3fef  http___eflengu.ru_jmu1ix0
  186. 3301046561d4e5cf92480b90c3856e4b4f6c8bd653b797564f45be7ab85dc205  http___ekovizyonpeyzaj.com_aiw3cfjw [5]
  187. 65803aaa66bc6a101729b223c9c6d35561bb2eb04ac109b72253645a330cfba2  http___environment.ae_0od5hn
  188. 1f63bc43223634849c004b8c33b5e09d532f36e7ab8d8a955f8330f39727e4a8  http___fanda-wesst.com_dvnelp1xx [3]
  189. c684dc0498cb89441e25f828f28dbd42026376a2aa2185b5c338c8ed9e87aff6  http___fm1111.fr_4sl2rtd [2]
  190. f88b7dd4a3bc6ffa0acbb484d1f8a9a0487c46d2900a47580f50349cd1e2c588  http___forbrent.com_h9kqgq
  191. aa456d6fc241bcecb7beb78ddfe0ffbbfa95e331ca79f5e71b7283cd8b773e3b  http___foxhilltoyfoxterriers.com_ictrno0kyl
  192. eef9ad652b13df46397bf0ebbf48058d5e3fe5ac05d8a0b1e9a1341133740260  http___fyd123.cn_kib6h2d9ga
  193. 0c2fbb9908997b5c931d5f2e8a95a764349742bb0af128a26f57395c0283cee6  http___gallerisymbol.dk_dqaquyxl0
  194. a5f95411351cd3d12384eefa1815b2fe2b0085ce4fe11a0ea5fbf663cf1b10a5  http___goodgate.tv_7m2vrub
  195. 78d56bee32a95de593b15b2347b2cd79a3cab334c19273bde34d3d707380c225  http___greybruceinsurance.com_fn0z26pne
  196. 24e0ce5b7e72f05e41c122c2743af3baa828ca0542af734607ab6bd11b6e1487  http___groupeelectrogeneservice.com_eefpeywf9z
  197. 4f1e51e2c87a7bd429b4c06af0621092f2603d6f362e5a21517332b955900bb7  http___gtilite.jp_xphqbv
  198. 7d65cea310f4387fd6008e6693ec60a19ea0b8e951a4b226fe9694c76f66e5f2  http___guardian-angels-diva.de_0cepvia
  199. 63dfe370502acd3b78fc48c0ce11bf9d8e35b2fab53f949214a96e734bb34a68  http___hedefosgb.com_dpyzsb6u
  200. 5bb0fcb9377bed708681b4cddebe854fdb688e871f3df054d40478185f9d4d8d  http___hitechsolinc.com_jhcby
  201. f4745c1cf5be1e99c3af11d369281ee5797d9d1a64abb8641e8b14ae79ac5c01  http___hotelglobo.eu_jjsmb
  202. 45a4f3987d25ff1d00fedd3310dc755c555149b9a0595178ccd546002157a23e  http___innercityarts.squaremdesign.com_dyo1w7
  203. 499ab33235526ba848179b940946ea91a240b08cb01fba6e26a97d4ccb478122  http___interoffice-lb.com_3agmjt1
  204. 3cb28af49ca5b165d8e39356788fc8dc4efaa5395fbf1f583e351f34372bc965  http___laferwear.com_2xry1qp
  205. 07e311d257b6eb78c69e643f29b3bc8b1d2f547813f86b884c9c6768bdc8fd0e  http___legaladvice.50webs.com_sti23
  206. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0  http___malamut.org_gizb2zq
  207. a2cbfc42b2b95719775244c2be397e07cf6b774088d6fc157aae947248dc2a61  http___mews-labo.com_vwxn1femb3
  208. 93cbd4c01f32b9d39757d0f971265b5f2d99ce9ca34b13b5352a8b1b9b8d5485  http___mtrk.ru_3rlflm8
  209. 7260fd1b41a23694c54866b0053c46d4a0412d42c75839117f5b8ddd707217ad  http___obaloco.com.br_67mfj
  210. 3eceed5dccfb6423c4fec6c937a265e09aca0164138342607ef28c37a9daa802  http___pablopaz.com_6twklhtuu
  211. 1552dbbe4dc744872eca7fb0e35b256c18ca576d50c23b38a93f5adfe40e2db0  http___rulebraker.ru_zsw4cnf9o
  212. 38e159af864c3625b86ae8b01119318c193e1fecf94bd5533d735fa85d3e1fec  http___scaune.qmagazin.ro_5hktu4h
  213. f425067875dfa1ef54d3e8519e9a20a7368b31fb5458eef17b74ce41c236b3db  http___slankmethode.nl_4zzq1am
  214. b35070b3000e7b68b6b08e2cf829a33182db4bdc3ab9eaedb832c2c0d99e7974  http___sublimeshop.co.uk_4umz2
  215. 17d7054854256b0793bf6aa6700546a043e972191bba20145946a6902d1c9007  http___subys.com_mjguriv80
  216. 0df5f4a1e05ad5b4289c45bd08ab5645519e10c9ccd82b00e10312fa15258b11  http___szwanrong.com_x5qxzpjsi
  217. e9719d8d73558beefb8d5a706d2c05169cea4e98aecea19df43c8d2f0023f384  http___tecnomundo.uy_a8rnlgzv
  218. 564d7eb5f81db1ad1a6400588e9fa97f2fda48dd3424b1f8e63d7e2d53e4e52b  http___teen.deep-ice.com_nzw9cp6ooj
  219. f96ba5acf26cdb1abd679b7f66d4aec67e2c64dc9d15eea0e822c16385aa7155  http___test.sousouyo.com_feaetpnuee
  220. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0  http___theamericanwake.com_xw1ju7y6zc
  221. 99b654d39413500f0255c6bd900251462847a8d0bc0eff5ad699efda157607d8  http___travelinsider.com.au_mwaefb4b
  222. 15573792ae1923c24ac9ea35b81d39670ae0d002f74ca12ab59a8025318b0db6  http___ucbus.net_usdxqqt6
  223. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743  http___u-niwon.com_kmjg6j9ske
  224. 35a14ff855dd9c5e9ec53351eece7b5336d0c61dae1be5f0d92859365f1efd32  http___untitled.50webs.com_ncsuspx4
  225. 209327c0e30052a3e3e3e5f14e4236d8366e45005b55e4e157b9fa5e228e9619  http___untitled.50webs.com_v06afm
  226. fac51ac31cbe2cabc4a1aead779c328ebc6929e286b1e8dfb0928afaca3fee88  http___viscarci.com_wyqs6353
  227. 7f1132a40bf71cbba5c65daaccfe3749a121bad3aa8ea7ea3e7ebd78e03022a0  http___waat.co.uk_68uitnl
  228. 7942fb56210c40a5335a1d27a7b71adfff2faa10cd0e15d3b6b94092f450fc40  http___wdcd999.com_lm5z2snyqn
  229. 9c56960f149aaaa338846b2044bcb33bc410a1c07e4c6fae305b4f530744b5dc  http___web-shuttle.in_eeo9oc
  230. 4b628c53cc41568c3404342ed95b9f2ee0757536ce0cf4ce8bc840829552c22e  http___windshieldrepairvancouver.ca_qcp8k7
  231. 5487e861fc020735a22fa2270413ac0ecd67312d64ab6e3f4fe049247c37c05d  http___wiselysoft.com_qcymgbug7
  232. 0b962425f88cb33bb6f1f749b6c51445f4355e2977dbe09d14e0793c2460eaa7  http___wszystkodokuchni.pl_sl5yko7
  233. 4977658adcd5be63bf67d4467703596a7440419539c781d13ac0c2907e9b4aff  http___wudiai.com_mc3hnwd
  234. 80353f7d11595f162b04902001ca6a873070dfd54770cf6d5cbbe8ae99a63942  http___www.angeljob.com_sgdijtu
  235. 93f6b298c2cdce14a4b617c95f72104d117e5d4b8cf06ebed912061c3f1f4c0a  http___www.bds-1.com_gfftte3uv
  236. 7f693ea607ced73c6cfb322a767beb991067aab8c7675abadb7b98369802d162  http___www.elevation.com.cn_xno8wx
  237. 5efbd6851f53e4dc744b3c2668190604da054cc032cdc9a8c374c6da485d6cd4  http___www.espansioneimmobiliare.com_akktnck
  238. 653cec019e34af43b585f53fd2314c7c1be5665f839a24b83cf9aa77d168c00c  http___wx.utaidu.com_1eybujbru
  239. c079b2076b743b9330f516d6b3ad70d4f6814a75fadc9193eb8831b80f5cd195  http___xlr8services.com_n970foumf
  240. 09f320f6075ef76a0b4872e4c254d0a7232166a45d68d9343c052a44ae895b3e  http___yukngobrol.com_h7sfu
  241. 86c7448570c0de7abdfcaaea5fb629e33ea92243c4e29ff40e6c945d2a866d54  http___zhiyuw.com_qfbdcvrul
  242. c7c4e04c9681c5f32fce264a2e955d91c6d3ae86f974390429c8e6fcab05d8f8  http___zophotos.com_0fmnqv [4]
  243. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743  http___zzzort10xtest123.com_nin5k3bwo
  244. - decoded
  245. 6e16cdefaac99cfcae7c688c4aefc461f7c6c6757945a7e9a3314c57cd89f7c8 [1]
  246. bf18874a5993dcfa04abd3be4e20bbdb177085d9935d6ff8a572677171e8a2cf [2]
  247. 30274abe2bcdc83443b6170bc31e81c47bae6c7f61fb22afa12db412f8e3875a [3]
  248. 09e0f266a151e149941217bd17bf04abe67081256b6ad2c93525820d69df08f0 [4]
  249. ad4ac6e7bf2779aa5667f8246e61facd09c5aab552167c12cf6a6f32edde01e8 [5]
  250. 69b9db7ffbbc77ebac69f143387a0db12ce68a9e23ce261639239302ec5c5248 [6]
  251. - executed by "rundll32.exe %TEMP%\<filename>.ZK,jQEsJv"
  252. - samples:
  253. https://www.virustotal.com/file/6e16cdefaac99cfcae7c688c4aefc461f7c6c6757945a7e9a3314c57cd89f7c8/analysis/1481811297/ [1]
  254. https://www.virustotal.com/file/bf18874a5993dcfa04abd3be4e20bbdb177085d9935d6ff8a572677171e8a2cf/analysis/1481811305/ [2]
  255. https://www.virustotal.com/file/30274abe2bcdc83443b6170bc31e81c47bae6c7f61fb22afa12db412f8e3875a/analysis/1481811312/ [3]
  256. https://www.virustotal.com/file/09e0f266a151e149941217bd17bf04abe67081256b6ad2c93525820d69df08f0/analysis/1481811319/ [4]
  257. https://www.virustotal.com/file/ad4ac6e7bf2779aa5667f8246e61facd09c5aab552167c12cf6a6f32edde01e8/analysis/1481811356/ [5]
  258. https://www.virustotal.com/file/69b9db7ffbbc77ebac69f143387a0db12ce68a9e23ce261639239302ec5c5248/analysis/1481811377/ [6]
  259.  
  260. C2:
  261. POST http://178.209.51.223/checkupdate
  262. POST http://185.129.148.56/checkupdate
  263. POST http://185.17.120.166/checkupdate
RAW Paste Data
Top