API tools faq
paste
View difference between Paste ID: s44Xwwu0 and UjV4uMu3
SHOW: | | - or go back to the newest paste.
1
2016-08-08 #locky email phishing campaign "988g765f"
2
3
Email sample (sender domain is same as recepients, subject varies; begins with Emailing, Attached, Copy or File):

4
-----------------------------------------------------------------------

5
From: "Dolly" <Dolly23@[REDACTED]>

6
To: [REDACTED]

7
Subject: Copy: Photo(61)

8
9
[NO EMAIL BODY]

10
-----------------------------------------------------------------------

11
Attachment: "Photo(61).zip", containing "PictureXXX.wsf"; a JScript downloader

12
13
Download sites (actual download URL also coontains random suffix e.g. ?PaAuxNPFQdk=bSTvQC):

14
http://alpeteglio.it/988g765f

15
http://armada-kar.nichost.ru/988g765f

16
http://books-bsu-pd.atspace.org/988g765f

17
http://bork-sh.vitebsk.by/988g765f

18
http://expresso-sf.com.br/988g765f

19
http://haha8.web.fc2.com/988g765f

20
http://j-morin.fr/988g765f

21
http://juegos-sb.atspace.com/988g765f

22
http://keramago.web.fc2.com/988g765f

23
http://lunaparkperugia.it/988g765f

24
http://meguriau.koiwazurai.com/988g765f

25
http://nflfootballpool.ca/988g765f

26
http://nikiforov.dax.ru/988g765f

27
http://w47hqoozb.homepage.t-online.de/988g765f

28
http://www.acansorga.it/988g765f

29
http://www.azetapiemonte.it/988g765f

30
http://www.giuni.it/988g765f

31
http://www.gonimar.onored.com/988g765f

32
http://www.lafoce-nonsolovino.it/988g765f

33
http://www.luigi-varsalona.net/988g765f

34
http://www.plancho.de/988g765f

35
http://www.telsiel.com/988g765f

36
http://www.www.www.www.lappeenrannankalevalaisetnaiset.net/988g765f

37
http://yosi.sa-suke.com/988g765f

38
http://zsnbystre.republika.pl/988g765f

39
40
Added:

41
http://allrinku.web.fc2.com/988g765f

42
http://del-sieradz.neostrada.pl/988g765f

43
http://jk1109.cafe24.com/988g765f

44
http://pogotowie.pcserwis.c0.pl/988g765f

45
http://fieldtennis.web.fc2.com/988g765f

46
47
Added:

48
http://optimaalopgewicht.nl/988g765f

49
50
Added:

51
http://meguriau.koiwazurai.com/988g765f

52
http://www.pasquaautonoleggi.it/988g765f

53
54
Malware:

55
Encrypted: ce07b01c56c3a377e9a2cf8bf04d8741a4b10a926bdd536bbe28255627c97c7e

56
Decrypted: a8538c61746c690fe5e91999533d68068db0dc16d6f24dc290e952f808262f4b

57
58
https://www.reverse.it/sample/5ea729545359fe199a1ace2d525488c667b5c096f55838ef9a9eb8132936c4a7?environmentId=100

59
C2s:

60
185.129.148.19:80/php/upload.php

61
91.219.28.66:80/php/upload.php

62
(vkhfytd.xyz) 188.166.150.176:80/php/upload.php
        

    


            


                                


        

            



                
    

        Public Pastes
    

    
            

    

                    

        

    





    


    
    
    
    
    
    
    
    




    


    



                

            We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.             OK, I Understand
        

    
                

            

                
                    
                
            

            

                Not a member of Pastebin yet?

                Sign Up, it unlocks many cool features!