2016-12-16 Locky "Attached document"

Racco42 Dec 16th, 2016 (edited) 253 Never
2016-12-16: #locky email phishing campaign "Attached document"

Sample email:
------------------------------------------------------------------------------------------------------------------------------
From: copier@[REDACTED]
To:  [REDACTED]
Subject: Attached document
Date: Fri, 16 Dec 2016 02:14:20 -0700

Attachment: 9310_0038.docm
------------------------------------------------------------------------------------------------------------------------------
- sender address is copier@<recipient's domain>
- subject is "Attached document"
- email body is empty
- attached file "<4 digits>_<3-4 digits>.docm" is a Microsoft Word file with an auto-opening macro that downloads the malware

Download sites:
http://028cdxyk.com/hjg766
http://aacom.pl/hjg766
http://aaryn.net/hjg766
http://akida.com/hjg766
http://alock.co/hjg766
http://amaniinitiative.org/hjg766
http://archibaldmicrobrasserie.ca/hjg766
http://auto-zakaz.com.ua/hjg766
http://banhang123.com/hjg766
http://billionsfamily.com/hjg766
http://brookstonemanuals.com/hjg766
http://calderon.com.mx/hjg766
http://dealspari.com/hjg766
http://demo.ahost5.ru/hjg766
http://demo.pornuha4you.com/hjg766
http://dicksmacker.com/hjg766
http://dryerventexpress.com/hjg766
http://ebreckinteriors.com/hjg766
http://fiddlefire.net/hjg766
http://gallery.mohammadtarighi.ir/hjg766
http://hho68.com/hjg766
http://houssiere.daniel.formations-web.alsace/hjg766
http://ilasd.org/hjg766
http://infinitecorp.ca/hjg766
http://infosys.co.kr/hjg766
http://inzt.net/hjg766
http://ivibohoc.url.ph/hjg766
http://kayamuh.sarf.com.tr/hjg766
http://kirulya.com/hjg766
http://kurou.bokunenjin.com/hjg766
http://ledticket.com/hjg766
http://lucapotenziani.com/hjg766
http://mainlinecarriers.co.tz/hjg766
http://masonlodgestpeter.org/hjg766
http://mbdvacations.com/hjg766
http://medianisprint.com/hjg766
http://mgascca.com/hjg766
http://movewithgrace.ca/hjg766
http://mprotectcorp.com/hjg766
http://msveletiny.cz/hjg766
http://nonblockservice08.info/hjg766
http://nortra-cables.com/hjg766
http://obccllc.com/hjg766
http://old.strommarnas.se/hjg766
http://pcflame.com.au/hjg766
http://perspektive-fuer-kinder.de/hjg766
http://profitmonster.com/hjg766
http://promgazenergo34.ru/hjg766
http://pta-babel.net/hjg766
http://qe7.ca/hjg766
http://rdsc-seminar.com/hjg766
http://s393640255.onlinehome.us/hjg766
http://s435378127.online-home.ca/hjg766
http://s437702314.onlinehome.us/hjg766
http://shomesofa.com/hjg766
http://smcga.ca/hjg766
http://stoneofliberty.com/hjg766
http://store.elixe.net/hjg766
http://taladm.ru/hjg766
http://test1.zrise.top/hjg766
http://theexcelconsultant.com/hjg766
http://thomas-christ.de/hjg766
http://topstoneisland.com/hjg766
http://tunca.bel.tr/hjg766
http://www.dazzle-events.be/hjg766
http://www.englishworld.it/hjg766
http://www.enhansit.com/hjg766
http://www.lauraleedonnelly.com/hjg766
http://www.mywoc.ca/hjg766
http://www.sapol.it/hjg766
http://www.servipisos.com.ar/hjg766
http://www.sitivisibili.it/hjg766
http://www.thepasobueno.com/hjg766
http://www.tourist-car.ru/hjg766
http://yellowstudio.pl/hjg766

UPDATE:
http://allan.multimediedesignerskive.dk/hjg766
http://bikebrowse.com/hjg766
http://ustadhanif.com/hjg766

Malware
- encoded on download, SHA256 23fadcae84181af9773c3c4535a1fb2fc1d02ab1418c22750f100953ba324c2f, MD5 36cc79869bf6fb048a2c3bc274f36690
- decoded SHA256 2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99, MD5 7a3b10f987d635242370e0e2ef051a9b
- executed by "rundll32.exe %TEMP%\<filename>.aww,GetMessage"
- sample https://www.reverse.it/sample/02cec4ff4c794c358bdd25f15c38df2d52b659eba40c476bb15b42a4fab62eb0?environmentId=100

C2:
POST http://37.235.50.29/checkupdate
POST http://176.121.14.95/checkupdate
POST http://86.110.117.155/checkupdate
POST http://83.220.172.182/checkupdate
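As an added defensive example (not part of the paste), the Python below turns the indicators listed above into matchers a responder can run over mail metadata, proxy logs and process-creation events: the "copier@<recipient's domain>" sender plus the "<4 digits>_<3-4 digits>.docm" attachment name, the shared "/hjg766" download path, the rundll32 ".aww,GetMessage" execution line and the POST /checkupdate beacons to the four C2 addresses. The log line formats and the sample log lines are constructed assumptions; the hashes, URLs and IPs are the paste's own.

```python
"""Match the Locky "Attached document" IOCs above against constructed logs.

Added example: the proxy and process log formats are assumptions, not
anything the paste documents.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the paste
DOWNLOAD_PATH = "/hjg766"          # every listed download URL ends in this path
C2_PATH = "/checkupdate"
C2_IPS = {"37.235.50.29", "176.121.14.95", "86.110.117.155", "83.220.172.182"}
KNOWN_HASHES = {
    "23fadcae84181af9773c3c4535a1fb2fc1d02ab1418c22750f100953ba324c2f",  # SHA256, encoded
    "2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99",  # SHA256, decoded
    "36cc79869bf6fb048a2c3bc274f36690",                                  # MD5, encoded
    "7a3b10f987d635242370e0e2ef051a9b",                                  # MD5, decoded
}
# "<4 digits>_<3-4 digits>.docm" attachment naming from the paste
ATTACHMENT_RE = re.compile(r"^\d{4}_\d{3,4}\.docm$", re.IGNORECASE)
# rundll32 loading a .aww file from a ...\Temp\ directory (expanded %TEMP%)
# and calling its GetMessage export; optional quotes around the path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?:[^"\s]*\\)?Temp\\[^"\s,]+\.aww"?\s*,\s*GetMessage',
    re.IGNORECASE,
)


def is_campaign_email(sender, recipient, subject, attachments):
    """True when sender, subject and an attachment all match the campaign pattern."""
    s_local, _, s_domain = sender.lower().rpartition("@")
    _, _, r_domain = recipient.lower().rpartition("@")
    if s_local != "copier" or not s_domain or s_domain != r_domain:
        return False
    if subject.strip().lower() != "attached document":
        return False
    return any(ATTACHMENT_RE.match(name) for name in attachments)


def classify_proxy_line(line):
    """Assumed format: '<timestamp> <client_ip> <METHOD> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    method, url = parts[2].upper(), parts[3]
    parsed = urlsplit(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    if method == "GET" and path == DOWNLOAD_PATH:
        return "locky-download"           # stage-one fetch of the encoded payload
    if method == "POST" and host in C2_IPS and path == C2_PATH:
        return "locky-c2"                 # beacon to a listed C2 address
    return None


def scan_proxy_log(text):
    """Return (client_ip, tag) for every proxy line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        tag = classify_proxy_line(line)
        if tag:
            hits.append((line.split()[1], tag))
    return hits


def is_locky_rundll32(command_line):
    """True for the 'rundll32.exe %TEMP%\\<name>.aww,GetMessage' execution line."""
    return RUNDLL_RE.search(command_line) is not None


def is_known_sample(digest):
    """True when a SHA256 or MD5 hex digest is one of the listed sample hashes."""
    return digest.strip().lower() in KNOWN_HASHES


# Constructed proxy log; the first and third lines reuse indicators from the paste
PROXY_LOG = """\
2016-12-16T09:14:33Z 10.1.2.3 GET http://aacom.pl/hjg766 200
2016-12-16T09:14:35Z 10.1.2.3 GET http://aacom.pl/favicon.ico 404
2016-12-16T09:15:01Z 10.1.2.3 POST http://37.235.50.29/checkupdate 200
2016-12-16T09:16:10Z 10.1.2.7 GET http://www.example.com/hjg766a 200
"""

if __name__ == "__main__":
    for client, tag in scan_proxy_log(PROXY_LOG):
        print(f"{client}: {tag}")
    print(is_campaign_email("copier@example.com", "jdoe@example.com",
                            "Attached document", ["9310_0038.docm"]))
```

The proxy matcher keys on the exact path "/hjg766" rather than on the host list, because the paste's UPDATE section shows new hosts being added while the path stayed constant; the email matcher requires all three traits together to keep false positives from legitimate scan-to-email devices low.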