- 2016-11-22 #locky email phishing campaign "Document/Photo/Scan from office"
- Email sample:
- -----------------------------------------------------------------------------------------------------
- From: VICTORIA <victoria.69@[REDACTED]>
- To: [REDACTED]
- Subject: Photo from office
- Date: Tue, 22 Nov 2016 17:38:46 -0500
- Attachment: IMG-89714846-WA0967.zip -> 67110888-VC1236.vbs
- -----------------------------------------------------------------------------------------------------
- - sender address varies between emails, but the sender domain is spoofed to match the recipient's own domain
- - subject is "<Photo|Scan|Document> from office"
- - email body is empty
- - attached file "IMG-<8 digits>-WA<4 digits>.zip" contains a file "<8 digits>-<2 uppercase letters><4 digits>.vbs", a VBScript downloader
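- Mail-gateway triage for the lure traits above, written as an added example (not part of this paste or any vendor product). It parses a raw RFC 822 message and checks the subject set, the sender domain matching the recipient's, the empty body, the IMG-<8 digits>-WA<4 digits>.zip name and the <8 digits>-<2 letters><4 digits>.vbs inside it. The message it builds is constructed in code, the .vbs inside is an inert comment line, and the quarantine threshold in is_lure() is an assumption.

```python
"""Triage checks for the "<Photo|Scan|Document> from office" Locky lure.

Added example, not from the original paste. build_sample() constructs a test
message in memory; the .vbs it carries is an inert placeholder, not the
campaign's downloader.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^(?:Photo|Scan|Document) from office$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^IMG-\d{8}-WA\d{4}\.zip$", re.IGNORECASE)
VBS_NAME_RE = re.compile(r"^\d{8}-[A-Z]{2}\d{4}\.vbs$")

# Traits that must all be present before quarantining; the others add
# confidence. The threshold in is_lure() is an assumption, not from the paste.
REQUIRED = {"zip_name", "vbs_name"}


def _domain(header_value):
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _body_is_empty(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def score_message(raw_bytes):
    """Return the list of campaign traits matched by one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        hits.append("subject")
    if msg["From"] and msg["To"] and _domain(msg["From"]) == _domain(msg["To"]):
        hits.append("sender_domain_spoofed")
    if _body_is_empty(msg):
        hits.append("empty_body")
    for part in msg.iter_attachments():
        if not ZIP_NAME_RE.match(part.get_filename() or ""):
            continue
        hits.append("zip_name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(VBS_NAME_RE.match(n) for n in zf.namelist()):
                    hits.append("vbs_name")
        except zipfile.BadZipFile:
            pass  # malformed archive: zip-named attachment counted, no inner hit
    return hits


def is_lure(raw_bytes):
    """True when the attachment pattern is present and another trait backs it up."""
    hits = set(score_message(raw_bytes))
    return REQUIRED <= hits and len(hits) >= 3


def build_sample(sender, recipient, subject, zip_name, inner_name, body=""):
    """Construct a test message in memory (not a real campaign sample)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = "Tue, 22 Nov 2016 17:38:46 -0500"
    msg.set_content(body)  # the real lures carry no body text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "' inert placeholder, not the real downloader\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("VICTORIA <victoria.69@example.com>", "bob@example.com",
                        "Photo from office", "IMG-89714846-WA0967.zip",
                        "67110888-VC1236.vbs")
    print(score_message(lure), is_lure(lure))
```

The subject check on its own is deliberately not enough to quarantine: a legitimate "Scan from office" mail from a multifunction printer only scores one trait, while the attachment naming pattern plus any second trait does.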
- Download sites:
- http://cufarulculenjerii.ro/988gd4
- http://mospi.ru/988gd4
- http://mvp-sp11.ru/988gd4
- http://mywoc.ca/988gd4
- http://narutoshippuuden.org/988gd4
- http://netfun.be/988gd4
- http://newday-inc.com/988gd4
- http://newlifecamp.bravepages.com/988gd4
- http://nhadatok.com/988gd4
- http://nicolesuter.ch/988gd4
- http://njhtpj.com/988gd4
- http://n-k-dekorationen.de/988gd4
- http://nkedu1.go.th/988gd4
- http://nnsafety.com/988gd4
- http://nnsnv.ru/988gd4
- http://nosk.ir/988gd4
- http://notariadiez.cl/988gd4
- http://notvital.ch/988gd4
- http://npitstart.cba.pl/988gd4
- http://ns1.linkaufseite.org/988gd4
- http://nsrcconsulting.com/988gd4
- http://numea.nl/988gd4
- http://nunutjoe.com/988gd4
- http://nuoque.com/988gd4
- http://nxguolu.net/988gd4
- http://ocioclick.es/988gd4
- http://odnoklassniki.borec.cz/988gd4
- http://odzs.cz/988gd4
- http://olgiatalife.it/988gd4
- http://omskhunter.com/988gd4
- http://one2group.nl/988gd4
- http://onlinenoveltydocs.co.uk/988gd4
- http://ooo-strm.ru/988gd4
- http://orhangazitur.com/988gd4
- http://ortho-cs.com/988gd4
- http://oscarsensini.com/988gd4
- http://oxbridgemedica.net/988gd4
- http://pablotheet.com/988gd4
- http://pakage.com.au/988gd4
- http://palsiraj.org/988gd4
- http://pannon-retro.com/988gd4
- http://paradigmenergycorp.com/988gd4
- http://parts4.nl/988gd4
- http://pasanglhamu.org/988gd4
- http://pbank.es/988gd4
- http://pbna.eu/988gd4
- http://pespis.hu/988gd4
- http://pest-ex.com.au/988gd4
- http://peterboroughdrivingschool.ca/988gd4
- http://pgd-lesce.si/988gd4
- http://phonecell.us/988gd4
- http://photofj.net/988gd4
- http://photos-ddehem.com/988gd4
- http://phucsang.com/988gd4
- http://pierre-adam.de/988gd4
- http://pinna.be/988gd4
- http://planktoncomputer.com/988gd4
- http://poker-vids.com/988gd4
- http://policyforlife.com/988gd4
- http://popmail.jp/988gd4
- http://pratecnet.org/988gd4
- http://proau.info/988gd4
- http://promotesystem.be/988gd4
- http://proplasma.ru/988gd4
- http://prosirona.com/988gd4
- http://proxifarm.com/988gd4
- http://psc.ro/988gd4
- http://psoriatrax.com/988gd4
- http://psycholog-online.org/988gd4
- http://pta-babel.net/988gd4
- http://puknij.net/988gd4
- http://pureman.net/988gd4
- http://qlikmove.com/988gd4
- http://quethugioitinh.com/988gd4
- http://rao24gio.com/988gd4
- http://raovat4u.com/988gd4
- http://rapidnet.ir/988gd4
- http://rastol.eu/988gd4
- http://rcabaj.com.pl/988gd4
- http://remstirmash42.ru/988gd4
- http://rhinohosts.com/988gd4
- http://rijschool-storm.nl/988gd4
- http://rinascitaitaliana.it/988gd4
- http://roberttrocina.com/988gd4
- http://rollkons.lv/988gd4
- http://romanstars.com/988gd4
- http://viralgunne.net/988gd4
- Malware
- - the payload is served encoded by the download sites; hashes of the file as downloaded: SHA256 0ccfd58e70a14b02fa2831bc2ebddea4bb253387ebdccacba088f9beffb24a98, MD5 a848b6d934744a8228e861d3ca6f6e5f
- - decoded payload: SHA256 dd8a36f81d80c210461ad5d15aa1b995768d85613e6530c259a6b862f84e10fc, MD5 ca0776cd79abe39a66cfb44bed7bdbf1
- - the decoded file is a DLL but is written with the extension .552 instead of .dll
- - executed by "rundll32.exe %TEMP%\<filename>.552,make_id" (make_id is the export rundll32 is told to call)
- - samples
- https://www.hybrid-analysis.com/sample/dfa76543894126b0db0b2e62afd20e9445636c809988c307cb15d64c163c136b?environmentId=100
- https://www.hybrid-analysis.com/sample/8a0180a774e689e19d929f98a00a1239d2628e76684cbb50980e9178f86b4771?environmentId=100
- https://www.hybrid-analysis.com/sample/dab304a098259377f7fa8547968565f90f3eaaedc7d6472104bfc6639f507ee1?environmentId=100
- https://www.hybrid-analysis.com/sample/2a5a66703ba10a5c51e1f58c176d771817c2e5b75cc229693bfcd4ec8065b0e3?environmentId=100
- https://www.hybrid-analysis.com/sample/77e456ae4b0d445e554fed1307851d2b6763133e6c06cf6fdaa276c0c524179f?environmentId=100
- C2:
- POST http://95.46.114.205:80/information.cgi
- POST http://94.242.55.81:80/information.cgi
- POST http://80.87.202.49:80/information.cgi
- dhmpxbtaby.pl
- dpmtlqndkq.pl
- ikbjdclqadoai.xyz
- wifjrnhmhcnplta.click
- kerfsbsrsdiqlobox.click
- aarmkgw.ru
- ghaapfjehrjuuwex.pl
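- Host and proxy-log detection for the indicators above, as an added example (not part of this paste). It matches the shared /988gd4 download path instead of the individual download hosts, the rundll32 command line loading a .552 file from %TEMP% via the make_id export, POSTs to /information.cgi on the three C2 IPs, and the C2 domains. The log lines and command lines are constructed, and their field layout ("timestamp client METHOD url") is an assumption rather than any product's real format.

```python
"""Detection over process command lines and proxy logs for the Locky IOCs above.

Added example, not from the original paste. Sample data below is constructed.
"""
import re
from urllib.parse import urlsplit

DOWNLOAD_PATH = "/988gd4"
C2_PATH = "/information.cgi"
C2_IPS = {"95.46.114.205", "94.242.55.81", "80.87.202.49"}
C2_DOMAINS = {
    "dhmpxbtaby.pl", "dpmtlqndkq.pl", "ikbjdclqadoai.xyz",
    "wifjrnhmhcnplta.click", "kerfsbsrsdiqlobox.click", "aarmkgw.ru",
    "ghaapfjehrjuuwex.pl",
}

# rundll32 <...>\Temp\<name>.552,make_id, or the unexpanded %TEMP%\ form
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+\S*?(?:%temp%|[\\/]temp)[\\/][^\s,\\/]+\.552\s*,\s*make_id\b',
    re.IGNORECASE,
)


def check_process(cmdline):
    """Verdict for one process-creation command line, or None."""
    if RUNDLL_RE.search(cmdline):
        return "locky_rundll32_make_id"
    return None


def check_url(method, url):
    """Verdict for one proxied request, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if u.path == DOWNLOAD_PATH:
        return "locky_downloader_fetch"
    if method.upper() == "POST" and u.path == C2_PATH and host in C2_IPS:
        return "locky_c2_post"
    if host in C2_DOMAINS:
        return "locky_c2_domain"
    return None


def scan_proxy_log(lines):
    """Return (timestamp, client, verdict) for matching 'ts client METHOD url' lines."""
    out = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the scan
        ts, client, method, url = fields[:4]
        verdict = check_url(method, url)
        if verdict:
            out.append((ts, client, verdict))
    return out


# Constructed sample data (not captured traffic). The last line shows that a
# POST to /information.cgi on an unrelated host is not flagged by itself.
SAMPLE_PROXY_LOG = [
    "2016-11-22T17:40:01 10.0.0.5 GET http://cufarulculenjerii.ro/988gd4",
    "2016-11-22T17:40:02 10.0.0.5 GET http://www.example.com/index.html",
    "2016-11-22T17:40:09 10.0.0.5 POST http://95.46.114.205:80/information.cgi",
    "2016-11-22T17:40:15 10.0.0.7 GET http://dhmpxbtaby.pl/",
    "2016-11-22T17:40:20 10.0.0.9 POST http://203.0.113.10/information.cgi",
]
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\67110888.552,make_id',
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*hit)
    for cmd in SAMPLE_CMDLINES:
        print(check_process(cmd) or "-", cmd)
```

The process-creation rule is the most durable of the three: download hosts and C2 addresses rotate per campaign run, while "rundll32 loading a numerically-named file from the user's temp directory with a named export" describes the execution technique itself.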