- 2016-12-14: #locky email phishing campaign "DOC, FAX, PHOTO, SCAN_xxxx"
- Email sample:
- ---------------------------------------------------------------------------------------------------------------------
- From: "Cynthia" <Cynthia6@[REDACTED]>
- To: [REDACTED]
- Subject: ORD_3619
- Date: Wed, 14 Dec 2016 18:26:14 -0500
- Attachment: ORD_3619.zip -> ORD_1712.jse
- ---------------------------------------------------------------------------------------------------------------------
- - sender address varies between emails, but is spoofed to be from recipient's own domain
- - subject is "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>"
- - email body is empty
- - attached file "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.zip" (same name as the subject) contains file "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.jse" (different number than the subject), a JScript downloader; despite the .jse extension, which suggests JScript.Encode, the file is plain, unencoded JScript (.js)
- Download sites (the actual URLs carry a suffix ?<random>=<random> that does not affect the download):
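The mail-side traits above (lure-pattern subject, sender spoofed to the recipient's own domain, empty body, matching .zip with a .jse inside that is not actually JScript.Encode) can be checked mechanically on a mail gateway or in a triage script. The following is an added example, not code from the paste's author: it builds a constructed message with the same header shape (example.com stands in for the redacted domain, the zip content is a harmless placeholder) and returns a list of tags for each campaign trait it finds. The case-insensitive match and the benign comparison message are assumptions made for the example.

```python
import io
import os
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# <PREFIX>_<4 digits>: naming scheme shared by subject, zip and inner .jse.
# Prefix list is the one on this page; ignoring case is an assumption.
PREFIXES = ("DOC", "DOCUMENT", "FAX", "IMG", "LABEL", "ORD", "PHOTO", "PIC", "SCAN", "SHEET")
LURE_NAME = re.compile(r"^(?:%s)_\d{4}$" % "|".join(PREFIXES), re.IGNORECASE)

# JScript.Encode output always begins with this marker; a .jse lacking it is plain JScript
JSE_ENCODED_MAGIC = b"#@~^"


def _domain(addr_header):
    """Lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw):
    """Return sorted tags for the campaign traits present in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    tags = set()

    if LURE_NAME.match((msg["Subject"] or "").strip()):
        tags.add("subject_lure_pattern")

    # sender address forged to look like the recipient's own domain
    if _domain(msg["From"]) and _domain(msg["From"]) == _domain(msg["To"]):
        tags.add("sender_spoofs_recipient_domain")

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        tags.add("empty_body")

    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if ext.lower() != ".zip" or not LURE_NAME.match(stem):
            continue
        tags.add("zip_attachment_lure_pattern")
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            tags.add("zip_attachment_corrupt")
            continue
        with zf:
            for info in zf.infolist():
                inner_stem, inner_ext = os.path.splitext(os.path.basename(info.filename))
                if inner_ext.lower() == ".jse" and LURE_NAME.match(inner_stem):
                    tags.add("jse_in_zip")
                    if not zf.read(info).startswith(JSE_ENCODED_MAGIC):
                        tags.add("jse_is_plain_jscript")
    return sorted(tags)


def build_lure_sample():
    """Constructed message mirroring the header shape on this page (not a captured mail)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # inner number differs from the subject, as observed; content is a harmless placeholder
        zf.writestr("ORD_1712.jse", "var sh = new ActiveXObject('WScript.Shell');\n")
    msg = EmailMessage()
    msg["From"] = '"Cynthia" <Cynthia6@example.com>'  # example.com stands in for the redacted domain
    msg["To"] = "victim@example.com"
    msg["Subject"] = "ORD_3619"
    msg["Date"] = "Wed, 14 Dec 2016 18:26:14 -0500"
    msg.set_content("")  # empty body
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="ORD_3619.zip")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed ordinary order mail for comparison (assumption, not from the page)."""
    msg = EmailMessage()
    msg["From"] = "sales@supplier.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Order 3619 shipped"
    msg.set_content("Your order is on its way.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_lure_sample()))
    print(triage_message(build_benign_sample()))
```

A single tag (for instance a four-digit subject) is weak on its own; the combination of spoofed own-domain sender, empty body and a lure-named zip carrying a plain-text .jse is what separates this campaign from ordinary order mail.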
- http://172.246.84.150/zxc678
- http://2kindustri.se/zxc678
- http://ada-avto.ru/zxc678
- http://autozirkus.com/zxc678
- http://backup.dressageclinic.com/zxc678
- http://benjamin.nhvvs.fr/zxc678
- http://blackswan.com.ng/zxc678
- http://brigma.com/zxc678
- http://demo.evgesha.ru/zxc678
- http://dev.bychancefarm.com/zxc678
- http://ekbundit.com/zxc678
- http://eplotery.pl/zxc678
- http://followmyleadatl.com/zxc678
- http://fotoserver4.cyper.at/zxc678
- http://gratissexchat.org/zxc678
- http://jybedb.com/zxc678
- http://killdoors.myjino.ru/zxc678
- http://lamsangda.com/zxc678
- http://margu.cn/zxc678
- http://maxibutor.hu/zxc678
- http://mechanikkapusta.pl/zxc678
- http://midnightgroove.co.uk/zxc678
- http://mirror-ufa.ru/zxc678
- http://ninkala.com/zxc678
- http://ozzcleanenergy.com/zxc678
- http://puzzrollrings.com/zxc678
- http://quanuvcut.com/zxc678
- http://terrabit.ro/zxc678
- http://test.invideohit.ru/zxc678
- http://test.maciejdudek.com.pl/zxc678
- http://toastmedia.co.uk/zxc678
- http://transunvip.com/zxc678
- http://unitedetec.com/zxc678
- http://wordpress.kikihairandbeauty.co.uk/zxc678
- http://ws.osenilo.com/zxc678
- http://www.al-hasany.com/zxc678
- http://www.convertus.com/zxc678
- http://www.draaksteken.nl/zxc678
- http://www.dreamlifez.com/zxc678
- http://www.iaprog.nl/zxc678
- http://www.majorleaguesecurity.com/zxc678
- http://www.qubamosque.org/zxc678
- http://www.rencontreparis.org/zxc678
- http://www.sajuname131.com/zxc678
- http://www.skolickasovicka.cz/zxc678
- http://www.telesmart.co.nz/zxc678
- http://www.vidcampaign.com/zxc678
- http://xn--80ajjchqepikd1b.xn--80asehdb/zxc678
- http://yzwle.com/zxc678
- UPDATE:
- http://dating.instantlab.ru/zxc678
- http://demo.satisnet.org/zxc678
- http://gui92.vn/zxc678
- http://inzt.net/zxc678
- http://m.besthairsaloncolumbia.com/zxc678
- http://mmdk.eu/zxc678
- http://neu.hansmuennich.de.baugebiet-stadlhof.de/zxc678
- http://nlyuniforma.com/zxc678
- http://seslibuz.com/zxc678
- http://stjudetravelandtours.com/zxc678
- http://suivresanature.net/zxc678
- http://test.smallbusinessdiy.com/zxc678
- http://www.vanitylab.it/zxc678
- UPDATE:
- http://dcipostdoc.com/zxc678
- http://dfl210.ru/zxc678
- http://felipebueno.com/zxc678
- http://friendlygeek.org/zxc678
- http://friends.yuki-mura.net/zxc678
- http://helping4.com/zxc678
- http://kayleemoline.com/zxc678
- http://vjumamel.com/zxc678
- http://www.pespis.hu/zxc678
- http://www.urbani.com.au/zxc678
- http://yun.charmlong.com/zxc678
- Malware:
- - payload is downloaded in encoded form: SHA256 befac17a3c972784ec322a916473c65c297f93ddf51bb6694312d3ff6cd7c662, MD5 d8300e3827de5c898ddcecb2db9b15b8
- - decoded payload: SHA256 1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784, MD5 2e2e7f821ae1c0ff0517e873c6fef7dd
- - decoded payload is a DLL, launched by the downloader with "rundll32.exe %TEMP%\<dll_name>,sendmsg"
- - samples: https://www.virustotal.com/file/1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784/analysis/1481759361/
- C2:
- POST http://176.121.14.95/checkupdate
- POST http://193.70.86.51/checkupdate
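Because the download path /zxc678 is constant across all the compromised hosts above and the random ?<key>=<value> suffix is irrelevant, proxy logs can be matched on host and path after discarding the query string, which also catches hosts that were not on the list yet. The following is an added example, not part of the paste: it classifies each request as a payload download, a C2 check-in (POST to one of the two C2 addresses on /checkupdate) or nothing, over a few constructed proxy log lines. The log line format "<timestamp> <client_ip> <method> <url> <status>" is an assumption for the example.

```python
from urllib.parse import urlsplit

# Indicators from this page: one fixed download path on many compromised hosts, two C2 servers
DOWNLOAD_PATH = "/zxc678"
C2_PATH = "/checkupdate"
C2_HOSTS = {"176.121.14.95", "193.70.86.51"}


def classify_request(method, url):
    """Return 'locky_download', 'locky_c2' or None for one proxied request.

    urlsplit separates the query string, so the ?<random>=<random> suffix
    seen in the real URLs never takes part in the comparison."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    if path == DOWNLOAD_PATH:
        return "locky_download"  # any host: the campaign rotates compromised sites
    if method.upper() == "POST" and host in C2_HOSTS and path == C2_PATH:
        return "locky_c2"
    return None


def scan_proxy_log(lines):
    """Scan proxy lines '<ts> <client_ip> <method> <url> <status>' (format is an assumption).

    Returns (client_ip, verdict, host) for hits only; punycode hosts are shown in Unicode."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, method, url = fields[1], fields[2], fields[3]
        verdict = classify_request(method, url)
        if verdict is None:
            continue
        host = (urlsplit(url).hostname or "").lower()
        try:
            host = host.encode("ascii").decode("idna")  # readable form for xn-- hosts
        except UnicodeError:
            pass
        hits.append((client, verdict, host))
    return hits


# Constructed proxy lines (not a real capture); hosts are taken from the list on this page
SAMPLE_LOG = """\
2016-12-14T23:27:01Z 10.0.0.5 GET http://brigma.com/zxc678?k7hs=ju3a 200
2016-12-14T23:27:02Z 10.0.0.5 GET http://brigma.com/favicon.ico 404
2016-12-14T23:27:09Z 10.0.0.5 GET http://172.246.84.150/zxc678?zz=1 200
2016-12-14T23:27:12Z 10.0.0.5 GET http://xn--80ajjchqepikd1b.xn--80asehdb/zxc678?a=b 200
2016-12-14T23:27:30Z 10.0.0.5 POST http://176.121.14.95/checkupdate 200
2016-12-14T23:28:00Z 10.0.0.7 GET http://www.example.org/zxc678.html 200
2016-12-14T23:28:10Z 10.0.0.7 GET http://193.70.86.51/checkupdate 200
""".splitlines()


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The third client line shows why the method matters: a GET to a C2 address is not the beacon described here, so it is not flagged, while the same address with a POST is. A download hit followed within a minute by a C2 hit from the same client is the sequence to expect on an infected host.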