API tools faq
paste
Advertisement
Racco42

2016-12-14 Locky "DOC, FAX, PHOTO, SCAN_xxxx"

Racco42
Dec 14th, 2016
1,965
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.93 KB | None | 0 0
raw download clone embed print report
  1. 2016-12-14: #locky email phishing campaign "DOC, FAX, PHOTO, SCAN_xxxx"
  2.  
  3. Email sample:
  4. ---------------------------------------------------------------------------------------------------------------------
  5. From: "Cynthia" <Cynthia6@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: ORD_3619
  8. Date: Wed, 14 Dec 2016 18:26:14 -0500
  9.  
  10. Attachment: ORD_3619.zip -> ORD_1712.jse
  11. ---------------------------------------------------------------------------------------------------------------------
  12. - sender address varies between emails, but is spoofed to be from recipient's own domain
  13. - subject is "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>"
  14. - email body is empty
  15. - attached file "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.zip" (same as subject) contains file "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.jse" (not same as subject), a JScript downloader (JScript is not encrypted as extension suggests, but plain .js)
  16.  
  17. Download sites (actual URLs contains suffix ?<random>=<random> which does not influence download):
  18. http://172.246.84.150/zxc678
  19. http://2kindustri.se/zxc678
  20. http://ada-avto.ru/zxc678
  21. http://autozirkus.com/zxc678
  22. http://backup.dressageclinic.com/zxc678
  23. http://benjamin.nhvvs.fr/zxc678
  24. http://blackswan.com.ng/zxc678
  25. http://brigma.com/zxc678
  26. http://demo.evgesha.ru/zxc678
  27. http://dev.bychancefarm.com/zxc678
  28. http://ekbundit.com/zxc678
  29. http://eplotery.pl/zxc678
  30. http://followmyleadatl.com/zxc678
  31. http://fotoserver4.cyper.at/zxc678
  32. http://gratissexchat.org/zxc678
  33. http://jybedb.com/zxc678
  34. http://killdoors.myjino.ru/zxc678
  35. http://lamsangda.com/zxc678
  36. http://margu.cn/zxc678
  37. http://maxibutor.hu/zxc678
  38. http://mechanikkapusta.pl/zxc678
  39. http://midnightgroove.co.uk/zxc678
  40. http://mirror-ufa.ru/zxc678
  41. http://ninkala.com/zxc678
  42. http://ozzcleanenergy.com/zxc678
  43. http://puzzrollrings.com/zxc678
  44. http://quanuvcut.com/zxc678
  45. http://terrabit.ro/zxc678
  46. http://test.invideohit.ru/zxc678
  47. http://test.maciejdudek.com.pl/zxc678
  48. http://toastmedia.co.uk/zxc678
  49. http://transunvip.com/zxc678
  50. http://unitedetec.com/zxc678
  51. http://wordpress.kikihairandbeauty.co.uk/zxc678
  52. http://ws.osenilo.com/zxc678
  53. http://www.al-hasany.com/zxc678
  54. http://www.convertus.com/zxc678
  55. http://www.draaksteken.nl/zxc678
  56. http://www.dreamlifez.com/zxc678
  57. http://www.iaprog.nl/zxc678
  58. http://www.majorleaguesecurity.com/zxc678
  59. http://www.qubamosque.org/zxc678
  60. http://www.rencontreparis.org/zxc678
  61. http://www.sajuname131.com/zxc678
  62. http://www.skolickasovicka.cz/zxc678
  63. http://www.telesmart.co.nz/zxc678
  64. http://www.vidcampaign.com/zxc678
  65. http://xn--80ajjchqepikd1b.xn--80asehdb/zxc678
  66. http://yzwle.com/zxc678
  67.  
  68. UPDATE:
  69. http://dating.instantlab.ru/zxc678
  70. http://demo.satisnet.org/zxc678
  71. http://gui92.vn/zxc678
  72. http://inzt.net/zxc678
  73. http://m.besthairsaloncolumbia.com/zxc678
  74. http://mmdk.eu/zxc678
  75. http://neu.hansmuennich.de.baugebiet-stadlhof.de/zxc678
  76. http://nlyuniforma.com/zxc678
  77. http://seslibuz.com/zxc678
  78. http://stjudetravelandtours.com/zxc678
  79. http://suivresanature.net/zxc678
  80. http://test.smallbusinessdiy.com/zxc678
  81. http://www.vanitylab.it/zxc678
  82.  
  83. UPDATE:
  84. http://dcipostdoc.com/zxc678
  85. http://dfl210.ru/zxc678
  86. http://felipebueno.com/zxc678
  87. http://friendlygeek.org/zxc678
  88. http://friends.yuki-mura.net/zxc678
  89. http://helping4.com/zxc678
  90. http://kayleemoline.com/zxc678
  91. http://vjumamel.com/zxc678
  92. http://www.pespis.hu/zxc678
  93. http://www.urbani.com.au/zxc678
  94. http://yun.charmlong.com/zxc678
  95.  
  96. Malware:
  97. - encoded on download, SHA256 befac17a3c972784ec322a916473c65c297f93ddf51bb6694312d3ff6cd7c662, MD5 d8300e3827de5c898ddcecb2db9b15b8
  98. - decoded SHA256 1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784, MD5 2e2e7f821ae1c0ff0517e873c6fef7dd
  99. - executed by "rundll32.exe %TEMP%\<dll_name>,sendmsg"
  100. - samples: https://www.virustotal.com/file/1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784/analysis/1481759361/
  101.  
  102. C2:
  103. POST http://176.121.14.95/checkupdate
  104. POST http://193.70.86.51/checkupdate
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!