Racco42

2016-09-30 Locky "Emailing - xxxxx.pdf"

Sep 30th, 2016
2016-09-30 #locky email phishing campaign "Emailing - xxxxxxxxxxxx.pdf"

Email:
-------------------------------------------------------------------------------------------------------
From: "marva wayles" <marva.wayles906@dhl.com>
To: [REDACTED]
Subject: Emailing - 250154628979.pdf
Date: Fri, 30 Sep 2016 10:24:24 +0530

Hi

Jasper has asked me to forward you the finance documents.
(Please see attached)

Many Thanks

Attachment: 250154628979.zip
-------------------------------------------------------------------------------------------------------
- the sender address is spoofed so the email appears to come from the recipient's own domain
- the subject is "Emailing - <random numbers>.pdf"
- the attached file "<12 random numbers>.zip" contains <12 random numbers>.wsf, a JScript downloader

Download sites (the actual URLs carry a suffix ?<random>=<random> that does not influence the download):

Malware
- encoded on download, SHA256 a00fe7ccfd2022919969426ba9f5741e94a64f2f62af7e49214ec8780111ac73, filesize 245760 bytes
- decoded SHA256 64032e1d59af7a76c395e5d4c5a09850bb92c17248714cb277600446de773a25
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples

C2:
POST 149.202.52.215:80/apache_handler.php
POST akpmonvka.biz:80/apache_handler.php [185.43.4.143]
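As an added example (not part of the paste), a small Python checker that turns the traits above into detection rules: the phishing traits from the email description, the rundll32 %TEMP% execution line with the "qwerty" export, and the POST to apache_handler.php. The regexes are assumed patterns derived from the paste, not verified signatures, and the sample message and log lines are constructed.

```python
import re
from email.utils import parseaddr

# Campaign traits from the paste, written as regexes (assumed patterns, not verified signatures).
SUBJECT_RE = re.compile(r"^Emailing - \d+\.pdf$")
ATTACH_RE = re.compile(r"^\d{12}\.zip$")
# rundll32 loading a DLL from a ...\Temp\ path and calling the export "qwerty".
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S*\\temp\\[^,\s]+,qwerty\b", re.I)
# Downloader callback: HTTP POST to /apache_handler.php on port 80.
C2_RE = re.compile(r"\bPOST\s+\S+:80/apache_handler\.php\b", re.I)

def email_traits(msg):
    """Return the campaign traits present in a message (dict of headers plus attachment names)."""
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    if sender and sender == rcpt:
        hits.append("sender domain spoofed to recipient domain")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject 'Emailing - <digits>.pdf'")
    if any(ATTACH_RE.match(name) for name in msg.get("Attachments", [])):
        hits.append("12-digit .zip attachment")
    return hits

def suspicious_lines(lines):
    """Return (line_no, rule) for process or proxy log lines matching the execution or C2 trait."""
    out = []
    for n, line in enumerate(lines, 1):
        if RUNDLL_RE.search(line):
            out.append((n, "rundll32 %TEMP% dll export qwerty"))
        elif C2_RE.search(line):
            out.append((n, "POST apache_handler.php"))
    return out

# Constructed sample input modelled on the paste (not real captured data).
SAMPLE_MSG = {
    "From": '"marva wayles" <marva.wayles906@example.invalid>',
    "To": "finance@example.invalid",
    "Subject": "Emailing - 250154628979.pdf",
    "Attachments": ["250154628979.zip"],
}
SAMPLE_LOGS = [
    "4688 New Process: C:\\Windows\\System32\\rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\abc.dll,qwerty",
    "4688 New Process: C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL",
    "proxy POST 149.202.52.215:80/apache_handler.php 200",
    "proxy GET example.invalid:80/index.html 200",
]

if __name__ == "__main__":
    print(email_traits(SAMPLE_MSG), suspicious_lines(SAMPLE_LOGS))
```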