2016-11-02: #locky email phishing campaign "Fax transmission"
Email sample:
-----------------------------------------------------------------------------------------------------------
From: iFax Service <emailsend@peace.ie>
To: [REDACTED]
Subject: Fax transmission: F-2508442352-1618776589-201611183312-5315.zip
Date: Wed, 02 Nov 2016 18:33:12 -0200
Please find attached to this email a facsimile transmission we have just received on your behalf
(Do not reply to this email as any reply will not be read by a real person)
Attachment: F-2508442352-1618776589-201611183312-5315.zip
-----------------------------------------------------------------------------------------------------------
- the sender varies between emails; the sender name is (iFax|NetFax|Fax|IVR) Service, the address emailsend@<random domain>
- subject is "Fax transmission: F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip"
- attached file "Fax transmission: F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contains file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", a JScript downloader
Download sites (the URLs carry a suffix ?<random>=<random> which does not influence the download):
http://028happy.com/kjg56f7
http://1140746.net/kjg56f7
http://abercrombiesales.com/kjg56f7
http://accenti.mx/kjg56f7
http://acrilion.ru/kjg56f7
http://ahmetaksan.com/kjg56f7
http://alphabureau.ma/kjg56f7
http://antivirus.co.th/kjg56f7
http://apidesign.ca/kjg56f7
http://asastaff.com/kjg56f7
http://auwm.ru/kjg56f7
http://babuandanji.jp/kjg56f7
http://babyparka.ca/kjg56f7
http://bazkomp.pl/kjg56f7
http://bemmart.net/kjg56f7
http://bepxep.com/kjg56f7
http://bilisimarsivi.com/kjg56f7
http://blakslee.com/kjg56f7
http://boraba.net/kjg56f7
http://brokerclub.lt/kjg56f7
http://budeanu.ro/kjg56f7
http://buh-uchet71.ru/kjg56f7
http://byensbilleje.dk/kjg56f7
http://canals.cn/kjg56f7
http://capitalintroductionservices.com/kjg56f7
http://chaturk.com/kjg56f7
http://chuandishe.com/kjg56f7
http://cip.edu.pk/kjg56f7
http://cluster09server.com/kjg56f7
http://concern-block.ru/kjg56f7
http://daivupaint.com/kjg56f7
http://damai0769.com/kjg56f7
http://dela-cruz.eu/kjg56f7
http://delfin-lait.ru/kjg56f7
http://dienmaykhanhhuy.com/kjg56f7
http://dinglihn.com/kjg56f7
http://ding.sk/kjg56f7
http://discuzshop.com/kjg56f7
http://dongwooclean.com/kjg56f7
http://donrigsby.com/kjg56f7
http://draiveris.lt/kjg56f7
http://drede.ro/kjg56f7
http://dudenman.net/kjg56f7
http://dunyam.ru/kjg56f7
http://earthboundpermaculture.org/kjg56f7
http://edrian.com/kjg56f7
http://efson.707.cz/kjg56f7
http://eplotery.pl/kjg56f7
http://ev-entertainment.nl/kjg56f7
http://fcarmida.ru/kjg56f7
http://fedsav.com/kjg56f7
http://guardrupia.com/kjg56f7
http://inzt.net/kjg56f7
http://lashouli.com/kjg56f7
http://morgkelly.net/kjg56f7
Malware:
- encoded on download, SHA256 c394698c92d5782dd0bc6d88aec2585c79155c69275f0c56aac8f65fcdf2680e, MD5 9857b8950dea8b1cda4cb7a4bc869b3f
- decoded SHA256 3e41f4340763dae1f988dd431174e172f981d789b61255f7189dbb8192082a11, MD5 8b08b261669f309933e48d3685ab155f
- executed by "rundll32.exe <dll_name>,runrun"
C2:
POST http://194.28.87.26/message.php
POST http://51.255.107.20/message.php
POST http://93.170.123.119/message.php
POST http://evhblsxym.org/message.php
POST http://kwdmkgfcnpnusr.su/message.php
POST http://kyppmprgjbatejs.biz/message.php
POST http://otsatxd.info/message.php
POST http://gynwalkangl.work/message.php
POST http://thrpjairul.pl/message.php
POST http://moqhmfrdmacog.pw/message.php
POST http://juykbsopyu.pw/message.php
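Added detection example (not part of the original paste): the Python below turns the traits listed above into checks a mail gateway or SIEM rule could run. It matches the sender-name / sender-localpart / subject / attachment-name patterns from the campaign notes, strips the ?<random>=<random> suffix before matching the shared /kjg56f7 download path, requires one of the listed C2 hosts before flagging a /message.php POST (that path alone is too generic), and matches the "rundll32.exe <dll_name>,runrun" execution line. The sample email, the proxy-log lines and their space-separated log format are constructed for this example and are not from the paste.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, urlunsplit

# Indicator patterns transcribed from the campaign notes above.
SENDER_NAME_RE = re.compile(r'^(?:iFax|NetFax|Fax|IVR) Service$')
SENDER_ADDR_RE = re.compile(r'^emailsend@[^@\s]+$')      # domain varies per email
SUBJECT_RE = re.compile(r'^Fax transmission: F-\d{10}-\d{10}-201611\d{6}-\d{4}\.zip$')
ATTACHMENT_RE = re.compile(r'^F-\d{10}-\d{10}-201611\d{6}-\d{4}\.zip$')
DOWNLOAD_PATH = '/kjg56f7'                                # same path on every download site
C2_PATH = '/message.php'
C2_HOSTS = {                                              # C2 hosts listed in the paste
    '194.28.87.26', '51.255.107.20', '93.170.123.119', 'evhblsxym.org',
    'kwdmkgfcnpnusr.su', 'kyppmprgjbatejs.biz', 'otsatxd.info',
    'gynwalkangl.work', 'thrpjairul.pl', 'moqhmfrdmacog.pw', 'juykbsopyu.pw',
}
RUNRUN_RE = re.compile(r'\brundll32(?:\.exe)?\s+.+?,runrun\b', re.IGNORECASE)

# Constructed log format (assumption): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$')


def match_email(raw_message):
    """Return the names of the campaign traits found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_name, sender_addr = parseaddr(msg.get('From', ''))
    hits = []
    if SENDER_NAME_RE.match(sender_name):
        hits.append('sender-name')
    if SENDER_ADDR_RE.match(sender_addr):
        hits.append('sender-localpart')
    if SUBJECT_RE.match(msg.get('Subject', '')):
        hits.append('subject')
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    if any(ATTACHMENT_RE.match(name) for name in names):
        hits.append('attachment')
    return hits


def normalize_url(url):
    """Drop query and fragment so every ?<random>=<random> variant collapses to one indicator."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, '', ''))


def classify_url(url):
    """Label a URL as the campaign's downloader, its C2, or neither."""
    parts = urlsplit(url)
    if parts.path == DOWNLOAD_PATH:
        return 'locky-downloader'
    # /message.php on its own is too generic; require a listed C2 host as well.
    if parts.path == C2_PATH and parts.hostname in C2_HOSTS:
        return 'locky-c2'
    return None


def scan_proxy_log(lines):
    """Return (client, method, normalized_url, label) for every line that hits an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        label = classify_url(m['url'])
        if label:
            alerts.append((m['client'], m['method'], normalize_url(m['url']), label))
    return alerts


def is_runrun_commandline(cmdline):
    """True when a process command line matches the rundll32 <dll>,runrun launch."""
    return RUNRUN_RE.search(cmdline) is not None


# Constructed sample email mirroring the header shape described above (domain is a placeholder).
SAMPLE_EMAIL = """\
From: NetFax Service <emailsend@example.invalid>
To: user@example.invalid
Subject: Fax transmission: F-1234567890-0987654321-201611020000-1234.zip
Date: Wed, 02 Nov 2016 18:33:12 -0200
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached to this email a facsimile transmission we have just received on your behalf

--b1
Content-Type: application/zip; name="F-1234567890-0987654321-201611020000-1234.zip"
Content-Disposition: attachment; filename="F-1234567890-0987654321-201611020000-1234.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed proxy-log lines: one download, one C2 beacon, two benign requests.
SAMPLE_PROXY_LOG = [
    "2016-11-02T18:35:10Z 10.0.0.5 GET http://028happy.com/kjg56f7?hgf=23da 200",
    "2016-11-02T18:36:40Z 10.0.0.5 POST http://194.28.87.26/message.php 200",
    "2016-11-02T18:36:41Z 10.0.0.7 GET http://example.invalid/index.html 200",
    "2016-11-02T18:36:42Z 10.0.0.7 POST http://example.invalid/message.php 200",
]

if __name__ == '__main__':
    print('email traits:', match_email(SAMPLE_EMAIL))
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print('proxy alert:', alert)
    print('runrun:', is_runrun_commandline(r'rundll32.exe C:\Users\Public\x.dll,runrun'))
```

Treat the email checks as a score rather than a single rule: the sender name alone is weak, but sender localpart plus the subject or attachment pattern together are specific to this campaign. The URL normalization matters for correlation, since without it each victim's download URL looks like a unique indicator.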