- 2016-12-13: #locky email phishing campaign "Bill for papers 2016-12-13"
- Sample email:
- ------------------------------------------------------------------------------------------------------------------------------
- From: woodrow.milliken@gmail.com
- To: [REDACTED]
- Subject: Bill for papers 13-12-2016
- Date: Tue, 13 Dec 2016 05:42:43 +0530
- Attachment: Bill.zip ->
- ------------------------------------------------------------------------------------------------------------------------------
- - sender varies between emails, but always from @gmail.com
- - subject is "Bill for papers 12-12-2016"
- - email body is empty
- - attached file "Bill.zip" contains file "<3 digits>-<4 uppercase letters><4 digits>.wsf", a JScript downloader
- Download sites (the actual URLs have suffix ?<random>=<random> which does not influence the download):
- Malware:
- - encoded on download SHA256 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be, MD5 e98ae17129de777e560d9bb5a49d77e3
- - decoded SHA256 5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a, MD5 8bc549a9e9d720c6e25a03eac360479f
- - executed by "rundll32.exe %TEMP%\<dll_name>,set_str"
- - sample https://www.virustotal.com/file/5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a/analysis/1481587931/
- C2:
- POST http://109.234.34.212/checkupdate
- POST http://176.121.14.95/checkupdate
- POST http://185.75.46.13/checkupdate
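- Added example (not part of the original paste): a small detection helper that turns the campaign traits noted above (gmail sender, "Bill for papers" subject, empty body, Bill.zip containing a <3 digits>-<4 uppercase letters><4 digits>.wsf, the /jht76gh download path, and the rundll32 ...,set_str execution) into checks a mail gateway or SIEM rule could apply; the Email class and the sample values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Traits of the 2016-12-13 Locky campaign as recorded in the notes above.
SUBJECT_RE = re.compile(r"^Bill for papers \d{2}-\d{2}-\d{4}$")
# Attachment member name: <3 digits>-<4 uppercase letters><4 digits>.wsf
WSF_NAME_RE = re.compile(r"^\d{3}-[A-Z]{4}\d{4}\.wsf$")
# Download path /jht76gh with an optional, irrelevant ?<random>=<random> suffix.
DOWNLOAD_RE = re.compile(r"^https?://[^/]+/jht76gh(\?[^=&]+=[^=&]*)?$")
# Payload run as "rundll32.exe %TEMP%\<dll_name>,set_str" (any dll name).
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\s+\S+\s*,\s*set_str\b", re.IGNORECASE)


@dataclass
class Email:  # constructed minimal model of a parsed message
    sender: str
    subject: str
    body: str
    attachments: dict  # archive name -> list of member file names


def email_indicators(msg: Email) -> list:
    """Return the list of campaign traits this message matches."""
    hits = []
    if msg.sender.lower().endswith("@gmail.com"):
        hits.append("gmail sender")
    if SUBJECT_RE.match(msg.subject):
        hits.append("subject pattern")
    if not msg.body.strip():
        hits.append("empty body")
    for archive, members in msg.attachments.items():
        if archive.lower() == "bill.zip" and any(WSF_NAME_RE.match(m) for m in members):
            hits.append("Bill.zip with JScript .wsf")
    return hits


def is_campaign_email(msg: Email) -> bool:
    # The .wsf-in-Bill.zip trait is required; demand two more to limit false positives.
    hits = email_indicators(msg)
    return "Bill.zip with JScript .wsf" in hits and len(hits) >= 3


def is_download_url(url: str) -> bool:
    return bool(DOWNLOAD_RE.match(url))


def is_rundll32_set_str(cmdline: str) -> bool:
    return bool(RUNDLL_RE.search(cmdline))
```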