2016-11-09 #locky email phishing campaign "Message from KMBT_C220"
Email sample:
-----------------------------------------------------------------------------------------------------------
From: <scanner@[REDACTED]>
To: [REDACTED]
Subject: Message from KMBT_C220
Date: Wed, 09 Nov 2016 17:25:46 +0300
Attachment: SKMBT_C09360689251274.zip
-----------------------------------------------------------------------------------------------------------
- sender is scanner@<recipient's domain>
- subject is "Message from KMBT_C220"
- email body is empty
- attached file "SKMBT_C<14 digits>.zip" contains file "<2 digits><2-7 letters><8 digits>.wsf", a JScript downloader
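A mail-gateway triage check for the four lure traits listed above, written here as an added example and not part of the original paste; it assumes messages have already been parsed into dicts (from, to, subject, body, attachment names and the member names of any archive) and uses constructed sample messages.

```python
import re
from email.utils import parseaddr

# Lure traits taken from the campaign notes above.
SUBJECT = "Message from KMBT_C220"
ZIP_NAME = re.compile(r"^SKMBT_C\d{14}\.zip$", re.IGNORECASE)            # SKMBT_C<14 digits>.zip
WSF_NAME = re.compile(r"^\d{2}[A-Za-z]{2,7}\d{8}\.wsf$", re.IGNORECASE)  # <2 digits><2-7 letters><8 digits>.wsf

def split_addr(header):
    """'Name <user@host>' -> ('user', 'host') lower-cased; ('', '') if unparsable."""
    _, addr = parseaddr(header or "")
    user, _, host = addr.lower().partition("@")
    return (user, host) if host else ("", "")

def match_kmbt_lure(msg):
    """Return the campaign traits a parsed message exhibits (0 to 4 entries).
    msg keys (hypothetical schema): from, to, subject, body, attachments=[{name, members}]."""
    hits = []
    s_user, s_host = split_addr(msg.get("from"))
    _, r_host = split_addr(msg.get("to"))
    if s_user == "scanner" and s_host and s_host == r_host:
        hits.append("sender is scanner@<recipient's own domain>")
    if msg.get("subject", "").strip() == SUBJECT:
        hits.append("campaign subject")
    if not msg.get("body", "").strip():
        hits.append("empty body")
    for att in msg.get("attachments", []):
        if ZIP_NAME.match(att.get("name", "")) and any(WSF_NAME.match(m) for m in att.get("members", [])):
            hits.append("SKMBT_C<14 digits>.zip carrying a .wsf")
            break
    return hits

# Constructed sample messages (not from the paste): one lure, one genuine scan-to-mail with the same subject.
SAMPLES = [
    {"id": "lure", "from": "<scanner@example.com>", "to": "alice@example.com", "subject": SUBJECT, "body": "",
     "attachments": [{"name": "SKMBT_C09360689251274.zip", "members": ["72jsd28340957.wsf"]}]},
    {"id": "benign", "from": "<scanner@example.com>", "to": "alice@example.com", "subject": SUBJECT,
     "body": "Scanned document attached.", "attachments": [{"name": "SKMBT_C22016110917250.pdf", "members": []}]},
]

def triage(msgs, threshold=3):
    """Map message id -> (trait count, flagged); the real scanner shares subject and sender, so one trait is not enough."""
    out = {}
    for m in msgs:
        n = len(match_kmbt_lure(m))
        out[m["id"]] = (n, n >= threshold)
    return out
```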
Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):
Malware:
- encoded on download, SHA256 65ef65ddc2353876069b81d20950205e605cfb2a60d9df2ecff527306e753fc6, MD5 470a2d4f82942f35ef29466e38f7633a
- decoded SHA256 e02200c62f018e40a5215987ea1f37e522260a5c58314ed6838ea521d60a60ab, MD5 bad38a067ec66c9ddba06fc081243c4e
- executed by "rundll32.exe %TEMP%\<dll_name>,testtest"
C2: