Racco42

2016-11-22 Locky "Document from office"

Nov 23rd, 2016
2016-11-22 #locky email phishing campaign "Document/Photo/Scan from office"

Email sample:
-----------------------------------------------------------------------------------------------------
From: VICTORIA <victoria.69@[REDACTED]>
To: [REDACTED]
Subject: Photo from office
Date: Tue, 22 Nov 2016 17:38:46 -0500

Attachment: IMG-89714846-WA0967.zip -> 67110888-VC1236.vbs
-----------------------------------------------------------------------------------------------------
- sender address varies between emails, but the sender domain is spoofed to match the recipient's
- subject is "<Photo|Scan|Document> from office"
- email body is empty
- attached file "IMG-<8 digits>-WA<4 digits>.zip" contains file "<8 digits>-<2 uppercase letters><4 digits>.vbs", a VBScript downloader

Download sites:
http://cufarulculenjerii.ro/988gd4
http://mospi.ru/988gd4
http://mvp-sp11.ru/988gd4
http://mywoc.ca/988gd4
http://narutoshippuuden.org/988gd4
http://netfun.be/988gd4
http://newday-inc.com/988gd4
http://newlifecamp.bravepages.com/988gd4
http://nhadatok.com/988gd4
http://nicolesuter.ch/988gd4
http://njhtpj.com/988gd4
http://n-k-dekorationen.de/988gd4
http://nkedu1.go.th/988gd4
http://nnsafety.com/988gd4
http://nnsnv.ru/988gd4
http://nosk.ir/988gd4
http://notariadiez.cl/988gd4
http://notvital.ch/988gd4
http://npitstart.cba.pl/988gd4
http://ns1.linkaufseite.org/988gd4
http://nsrcconsulting.com/988gd4
http://numea.nl/988gd4
http://nunutjoe.com/988gd4
http://nuoque.com/988gd4
http://nxguolu.net/988gd4
http://ocioclick.es/988gd4
http://odnoklassniki.borec.cz/988gd4
http://odzs.cz/988gd4
http://olgiatalife.it/988gd4
http://omskhunter.com/988gd4
http://one2group.nl/988gd4
http://onlinenoveltydocs.co.uk/988gd4
http://ooo-strm.ru/988gd4
http://orhangazitur.com/988gd4
http://ortho-cs.com/988gd4
http://oscarsensini.com/988gd4
http://oxbridgemedica.net/988gd4
http://pablotheet.com/988gd4
http://pakage.com.au/988gd4
http://palsiraj.org/988gd4
http://pannon-retro.com/988gd4
http://paradigmenergycorp.com/988gd4
http://parts4.nl/988gd4
http://pasanglhamu.org/988gd4
http://pbank.es/988gd4
http://pbna.eu/988gd4
http://pespis.hu/988gd4
http://pest-ex.com.au/988gd4
http://peterboroughdrivingschool.ca/988gd4
http://pgd-lesce.si/988gd4
http://phonecell.us/988gd4
http://photofj.net/988gd4
http://photos-ddehem.com/988gd4
http://phucsang.com/988gd4
http://pierre-adam.de/988gd4
http://pinna.be/988gd4
http://planktoncomputer.com/988gd4
http://poker-vids.com/988gd4
http://policyforlife.com/988gd4
http://popmail.jp/988gd4
http://pratecnet.org/988gd4
http://proau.info/988gd4
http://promotesystem.be/988gd4
http://proplasma.ru/988gd4
http://prosirona.com/988gd4
http://proxifarm.com/988gd4
http://psc.ro/988gd4
http://psoriatrax.com/988gd4
http://psycholog-online.org/988gd4
http://pta-babel.net/988gd4
http://puknij.net/988gd4
http://pureman.net/988gd4
http://qlikmove.com/988gd4
http://quethugioitinh.com/988gd4
http://rao24gio.com/988gd4
http://raovat4u.com/988gd4
http://rapidnet.ir/988gd4
http://rastol.eu/988gd4
http://rcabaj.com.pl/988gd4
http://remstirmash42.ru/988gd4
http://rhinohosts.com/988gd4
http://rijschool-storm.nl/988gd4
http://rinascitaitaliana.it/988gd4
http://roberttrocina.com/988gd4
http://rollkons.lv/988gd4
http://romanstars.com/988gd4
http://viralgunne.net/988gd4

Malware:
- encoded on download, SHA256 0ccfd58e70a14b02fa2831bc2ebddea4bb253387ebdccacba088f9beffb24a98, MD5 a848b6d934744a8228e861d3ca6f6e5f
- decoded SHA256 dd8a36f81d80c210461ad5d15aa1b995768d85613e6530c259a6b862f84e10fc, MD5 ca0776cd79abe39a66cfb44bed7bdbf1
- decoded dll has extension .552, not .dll
- executed by "rundll32.exe %TEMP%<filename>.552,make_id"
- samples
https://www.hybrid-analysis.com/sample/dfa76543894126b0db0b2e62afd20e9445636c809988c307cb15d64c163c136b?environmentId=100
https://www.hybrid-analysis.com/sample/8a0180a774e689e19d929f98a00a1239d2628e76684cbb50980e9178f86b4771?environmentId=100
https://www.hybrid-analysis.com/sample/dab304a098259377f7fa8547968565f90f3eaaedc7d6472104bfc6639f507ee1?environmentId=100
https://www.hybrid-analysis.com/sample/2a5a66703ba10a5c51e1f58c176d771817c2e5b75cc229693bfcd4ec8065b0e3?environmentId=100
https://www.hybrid-analysis.com/sample/77e456ae4b0d445e554fed1307851d2b6763133e6c06cf6fdaa276c0c524179f?environmentId=100

C2:
POST http://95.46.114.205:80/information.cgi
POST http://94.242.55.81:80/information.cgi
POST http://80.87.202.49:80/information.cgi

dhmpxbtaby.pl
dpmtlqndkq.pl
ikbjdclqadoai.xyz
wifjrnhmhcnplta.click
kerfsbsrsdiqlobox.click
aarmkgw.ru
ghaapfjehrjuuwex.pl
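Added detection example (not part of the original paste): the campaign traits listed above (subject, empty body, attachment naming, spoofed sender domain, the rundll32 invocation of a .552 file with the make_id export, the shared /988gd4 download path and POST to /information.cgi on bare IP addresses) turned into matching logic that runs over mail-gateway, process-creation and proxy records. The event record shape, the `external` flag (assumed to be set by the mail gateway for inbound mail), the example.org addresses and the Temp path in the sample events are constructed for illustration; only the patterns come from the paste.

```python
"""Matching logic for the 2016-11-22 Locky "from office" campaign indicators.

Added example, not code from the original paste. Event shapes and the sample
records at the bottom are constructed; the patterns are taken from the paste.
"""
import re
from urllib.parse import urlsplit

# Attachment naming: "IMG-<8 digits>-WA<4 digits>.zip" containing
# "<8 digits>-<2 uppercase letters><4 digits>.vbs".
ZIP_NAME_RE = re.compile(r"^IMG-\d{8}-WA\d{4}\.zip$", re.IGNORECASE)
VBS_NAME_RE = re.compile(r"^\d{8}-[A-Z]{2}\d{4}\.vbs$")
SUBJECT_RE = re.compile(r"^(Photo|Scan|Document) from office$", re.IGNORECASE)

# Execution: rundll32.exe %TEMP%<filename>.552,make_id
RUNDLL32_RE = re.compile(r"\brundll32(?:\.exe)?\b.*\.552\s*,\s*make_id\b", re.IGNORECASE)

# Download path shared by every listed site, and the C2 CGI path.
DOWNLOAD_PATH = "/988gd4"
C2_PATH = "/information.cgi"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _domain(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([^>\s]+)", addr)
    return m.group(1).lower() if m else ""


def email_indicators(msg: dict) -> list:
    """Return the campaign traits an inbound mail record matches, in order."""
    hits = []
    if SUBJECT_RE.match(msg.get("subject", "")):
        hits.append("subject")
    if msg.get("body", "").strip() == "":
        hits.append("empty_body")
    if ZIP_NAME_RE.match(msg.get("attachment", "")):
        hits.append("zip_name")
    if VBS_NAME_RE.match(msg.get("inner_file", "")):
        hits.append("vbs_inside_zip")
    # Mail arriving from outside whose sender domain equals the recipient's own
    # domain is spoofed; the "external" flag is assumed to come from the gateway.
    if msg.get("external") and _domain(msg.get("from", "")) == _domain(msg.get("to", "")):
        hits.append("spoofed_internal_sender")
    return hits


def is_rundll32_552_make_id(cmdline: str) -> bool:
    """True for the rundll32 invocation used to run the decoded .552 payload."""
    return bool(RUNDLL32_RE.search(cmdline))


def url_indicator(method: str, url: str) -> str:
    """Classify an HTTP request as 'download', 'c2' or '' (no match)."""
    parts = urlsplit(url)
    if parts.path == DOWNLOAD_PATH:
        return "download"
    if method.upper() == "POST" and parts.path == C2_PATH and IPV4_RE.match(parts.hostname or ""):
        return "c2"
    return ""


def scan(events: list) -> list:
    """Run each record through the matching check; return (index, kind, detail) hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "email":
            traits = email_indicators(ev)
            # Require at least three traits so a lone empty body does not alert.
            if len(traits) >= 3:
                hits.append((i, "email", ",".join(traits)))
        elif ev["type"] == "process" and is_rundll32_552_make_id(ev["cmdline"]):
            hits.append((i, "process", ev["cmdline"]))
        elif ev["type"] == "http":
            kind = url_indicator(ev["method"], ev["url"])
            if kind:
                hits.append((i, "http", kind))
    return hits


# Constructed sample records; the first mail mirrors the sample header in the paste.
SAMPLE_EVENTS = [
    {"type": "email", "from": "VICTORIA <victoria.69@example.org>", "to": "<alice@example.org>",
     "subject": "Photo from office", "body": "", "external": True,
     "attachment": "IMG-89714846-WA0967.zip", "inner_file": "67110888-VC1236.vbs"},
    {"type": "email", "from": "hr@example.org", "to": "alice@example.org",
     "subject": "Photo from office", "body": "see attached", "external": False,
     "attachment": "team.jpg", "inner_file": ""},
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\67110888.552,make_id"},
    {"type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http", "method": "GET", "url": "http://mospi.ru/988gd4"},
    {"type": "http", "method": "POST", "url": "http://95.46.114.205:80/information.cgi"},
    {"type": "http", "method": "POST", "url": "http://example.org/information.cgi"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The email check scores traits rather than alerting on any single one, because a legitimate internal "Photo from office" mail with a real attachment shares the subject but nothing else; the process and proxy checks are precise enough on their own, since a .552 file loaded through rundll32 with the make_id export and a POST to information.cgi on a bare IP have no benign counterpart in these records.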