SHARE
TWEET

2016-11-29 Locky "For Your Consideration"

Racco42 Nov 29th, 2016 (edited) 182 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-11-29 #locky email phishing campaign "For Your Consideration"
  2.  
  3. Email sample:
  4. -------------------------------------------------------------------------------------------------------------
  5. From: "Lucille Kennedy" <Kennedy.Lucille@datastyle.co.nz>
  6. To: [REDACTED]
  7. Subject: For Your Consideration
  8. Date: Tue, 29 Nov 2016 13:05:27 +0300
  9.  
  10. Greetings! You paid for yesterday's invoice - the total sum was $3190.
  11. Unfortunately, you hadn't included the item #48047-61258 of $658.
  12. Please transfer the remainder as soon as possible.
  13.  
  14. All details are in the attachment. Please check it out to see whether we are right.
  15.  
  16. Attachment: unpaid_[REDACTED].zip
  17. -------------------------------------------------------------------------------------------------------------
  18. - sender varies between emails
  19. - subject is "For Your Consideration"
  20. - attached file "unpaid_<recipient name>.zip" contains file "-snk-<7-10 digits>.js", a JScript downloader
  21.  
  22. Download sites:
  23. http://edemalucia.net/ftzgubcy2
  24. http://edemalucia.net/n30u6s
  25. http://edemalucia.net/tbsluq
  26. http://guhrpaean.net/cwp9lul7v1
  27. http://guhrpaean.net/o44a9kc
  28. http://guhrpaean.net/urgvd
  29. http://haggyowser.com/13dwggewhn
  30. http://haggyowser.com/6pf59mw
  31. http://haggyowser.com/ag62gco
  32. http://haggyowser.com/ubnblzic
  33. http://hotelmm.ro/6gugakdy
  34. http://huduanjichuang.com/8jbsc5vk
  35. http://i12.ir/4kw0e3z
  36. http://iaprog.nl/j6esyhhxjw
  37. http://interdean.hu/2ggp50t
  38. http://interfacerh.ma/lw1bk
  39. http://iphoneservices.com.ua/hqqmhc
  40. http://islandspirits.ca/3xojhjzup
  41. http://jbec.kz/khjf1ri9aq
  42. http://jinqiaonkyy.com/guglxl
  43. http://kalbould.wa.gov.au/n9zz5r8
  44. http://kashimayunohana.jp/ngcmo8kp
  45. http://keshuimei.com/m8n5fe
  46. http://komsutekstil.com/jq3vm7pp8x
  47. http://kozmologic.com/kwb3lbdd9
  48. http://krepiec.pl/gvpzgxj
  49. http://ltinvest.de/95jrjqvbw
  50. http://manage.parafx.com/f0frth
  51. http://may-day.com/hvn43ls
  52. http://mckains.net/brdrcps
  53. http://megalingeriemall.com/boyva3
  54. http://microsupport.net/7uorwndr
  55. http://mirofusion.com/kmrkwc
  56. http://movewithgrace.ca/ht0r18t9zn
  57. http://muongcaupo.net/khdym6am
  58. http://muongcaupo.net/o2c9lrvs
  59. http://muongcaupo.net/pk3nto0ijv
  60. http://muongcaupo.net/z7elrjzmg
  61. http://netshot.co.uk/xxv7wydec
  62. http://ninjah47.home.pl/tmtq9jgt
  63. http://notyou.ru/uq5e06v
  64. http://oakscardclub.com/ykbrfu
  65. http://omrolsztyn.neostrada.pl/xlos1wk5r
  66. http://oncotice.org/pz0ldtz
  67. http://ourfrontline.com/y9g6sdx7e
  68. http://ozka.ro/ryvev
  69. http://palisandr38.ru/s63ws8
  70. http://pathkids.com/teh0qnj8
  71. http://pgringette.ca/siznjnydsw
  72. http://ponticulus.eu/nnzu6upe
  73. http://protescil.net/sq3vaei
  74. http://psdha.ir/ogka1jiz
  75. http://rent-guarantee-insurance.co.uk/zgscbvvtty
  76. http://tytswirl.com/dlszp
  77. http://tytswirl.com/haxels
  78. http://tytswirl.com/rmeib8k
  79.  
  80. UPDATE:
  81. http://edemalucia.net/2jjta
  82. http://guhrpaean.net/zelaxkl
  83. http://hongruilight.com/nifta7xae4
  84. http://ijiyo.com/mnuoto3rn
  85. http://inthiraspa.com/hhzxzb4xc
  86. http://kjdot.com/lyp5c
  87. http://lanchefacil.com/kmhlifr6t
  88. http://lanphuong.vn/9xlcsu5a4k
  89. http://liceuminbak.com/nzbnaotr
  90. http://lomtalay.com/gdoea3
  91. http://markand.ro/hswwwy5
  92. http://mmbeheer.nl/lnln0ckow
  93. http://pdaconference.com/gj551flmu
  94. http://pokerjive.com/qt2w3i
  95. http://portalmadureira.com/ty9zh
  96. http://rosispitaniya.com/ohcqeajka
  97. http://tytswirl.com/u2asa61
  98.  
  99.  
  100. Malware:
  101. - encoded on download
  102. 99774007ee7db987f908a837754adf5c82d5226c4761cb90ba8c2b3815d71233  http___edemalucia.net_ftzgubcy2
  103. 49134f4bd5b1527526a95e5a53b3209b44a6455a0caceaac31c00232e765e9f2  http___edemalucia.net_n30u6s
  104. 364a0d84eb9824d0cf84eef9b71239c40bc54d7c613ea2aff5fc7c887165d034  http___edemalucia.net_tbsluq [1]
  105. 909abbb4da23ee861eb44e946f5d44c8f31f344a6d47f3ea8e8340512f9127ed  http___guhrpaean.net_cwp9lul7v1
  106. bdf680b819c350bc5b3253bfe88ba32fb443e666c3d79bbd858aa70623a4ea4d  http___guhrpaean.net_o44a9kc [6]
  107. a50318483d1f989d2b75ebb55377c7c696a071567cdd872a1952c447a1b88ef0  http___guhrpaean.net_urgvd
  108. 311291bcd22c0d577aeab84fbd11fc0e43f9c895bb51ddec3e1bc86d9c7ea561  http___haggyowser.com_13dwggewhn
  109. 36d0c3290971a44364e7c3a77db32ccfd640f84bb1a4011475121e541c185a44  http___haggyowser.com_6pf59mw
  110. 6d5b287c62699f915a9921bb03ba97a8642d86e7a463a7cb5e11d93c19d6ec83  http___haggyowser.com_ag62gco
  111. 59d64f733852bf2e24dd459bf7fc15fe3e48a4c630d9ce370fb3241e69767322  http___haggyowser.com_ubnblzic
  112. cf0c188527e634f44d04ae219b51a00b99d942b3a238a7a841323ec6d5b4e316  http___hotelmm.ro_6gugakdy
  113. 015ebcb5dd2bf5d4b5e4acb5f8daa90b649b58c2c829b207e2dd09e4245346cb  http___huduanjichuang.com_8jbsc5vk
  114. 3daad868abfb89fe56d5c04b387fbb268959ea251f9d0112f05a9bc9a59d2970  http___i12.ir_4kw0e3z
  115. 4d6f32a1d5d3c805bb06049bce906b80fa35dee13e80c9296ffe9e23657dabeb  http___iaprog.nl_j6esyhhxjw
  116. 7a9d66d311e52fde8eb6efe072ab268a34b08a40944d9f0b59e0d91e9d051fe3  http___interdean.hu_2ggp50t
  117. 8da7a2e181e486ea4c1e4afca21654a0b255483359407adbb6f155974514da57  http___interfacerh.ma_lw1bk
  118. 7f8738ca41d900f2ae49c04da2931a1b8cbe1b415edfce607031d1cc9f125fdb  http___iphoneservices.com.ua_hqqmhc
  119. fa3bfa296377d05ff0db320a8c5744cdd0565a158ee3dadba9c46dc6040bf4ab  http___islandspirits.ca_3xojhjzup
  120. 5dc5826e10e6e60b6b432702dc32407beb88fd9454a2ed3372ea13d3d9be84f0  http___jbec.kz_khjf1ri9aq
  121. e7bafbf9fe83003a9ea0ee57d79359d8d3c16187e553f8c13615cc8793c7e093  http___jinqiaonkyy.com_guglxl
  122. cab28beac6822f6ca694e02436639807edc7e6b722cbe64f30824487eddbf392  http___kashimayunohana.jp_ngcmo8kp [2]
  123. 786a67b609f6a148731f239b481a6be4a5f4b5208461ddcf1404fb3b95826aba  http___keshuimei.com_m8n5fe
  124. 9a86da0421d1a52ed613e2c8e6f560903f463f4bd88cfed444fa31f546468ba7  http___komsutekstil.com_jq3vm7pp8x
  125. 4f31bac2bd5615833a10f35108ae0a8ae51bbc64d9edf992faf201ad5fb1b2cc  http___kozmologic.com_kwb3lbdd9
  126. f7a73d9b7e57842fa6c1508192190da80be5d1742caacc48363bc34a22f75774  http___krepiec.pl_gvpzgxj
  127. d016a4a96883a89b2504d367aae7321421012b86c413c2cf6932513aad011d83  http___ltinvest.de_95jrjqvbw
  128. cdf4649212a2dc9ea0aac19bc4c13dea5a54a43bb020d2bc1c55a6dc43b8aa45  http___manage.parafx.com_f0frth
  129. e81348cbab43b3156ec07fd7ed9f178d5ee5f1d412ce628d19b0fc1fb597f637  http___mckains.net_brdrcps
  130. 4ae09cf649ab1580f4120e63d6e499166a2a27879babd03c2637e64f0408cc39  http___megalingeriemall.com_boyva3
  131. cb550da2698c12ee0ef4c6a7ded30160822be2ebe381e6b9f8b712c2dcaf1921  http___microsupport.net_7uorwndr
  132. d3c387ab4cd6131ff903571ccc43bbd875128851fdfcbd7c1d95a2b3a55cd826  http___mirofusion.com_kmrkwc
  133. 101f7263c71e1600a1b4fc6b618185e819864dbec8896e60e969dad7407a44cc  http___movewithgrace.ca_ht0r18t9zn
  134. ff990190e90acbfaa738f05b1176ea786c17882191ba3d0bf888c5668e2eed50  http___muongcaupo.net_khdym6am
  135. 0ea2f9cfdda197b55a5b92a3b0142913df09d9e10941c263a1080dcabece70ba  http___muongcaupo.net_o2c9lrvs
  136. b195041017ad8efa9bf8adb7c1c4d0f84934f002f6b7e3295f4e4ac1d1ad2c42  http___muongcaupo.net_pk3nto0ijv [3]
  137. 7ca53f108e56b8bcb9fec626fbe490a84fc8026706b64b879a316e762f056bf3  http___muongcaupo.net_z7elrjzmg
  138. db22e6e9b96acf7286ae40dd7c7462c0cb87627d29d89154666f44eede5571ea  http___netshot.co.uk_xxv7wydec
  139. 6e323d8c234f60858f9ca4e02d8d4a4f3ea7b74f6e52876174c18d53c8042d9c  http___ninjah47.home.pl_tmtq9jgt [5]
  140. 8c2f927f385b4d61ca3bffce7eeca190bdfd1d6a1c57325218cdac6c07912b99  http___notyou.ru_uq5e06v
  141. 10199e9d072ef0a232298afa33f72103c343192b1f50657d7098e5043948ac14  http___oakscardclub.com_ykbrfu
  142. 4a977559e7b98d0a28c208870bdbc61947b45e2b2fed3fb861b649d8ffa43463  http___omrolsztyn.neostrada.pl_xlos1wk5r [8]
  143. 96f0ec6a71597e0819cad8c45a89c2b3a4a3327be01780e9f5a773cecde1b174  http___oncotice.org_pz0ldtz
  144. 62528e51e34802c40a994afa35919cb40b4c5889d3d287e4a881217ecc3620ab  http___ourfrontline.com_y9g6sdx7e [4]
  145. c4ba0766b05013ea80dc4f335e572e0316f994574c39b10152e5eaafca6eef1a  http___ozka.ro_ryvev
  146. 8d110d396ea0f9c17a848bea8df98f02e5fce628769594abbbbb34d52fe96681  http___palisandr38.ru_s63ws8
  147. 0172eda6bfa4a4dbe9af311ac1b29f29765af32eb4bf9d98df757af74a1836ac  http___pathkids.com_teh0qnj8
  148. e15534942e011a8053e65f971a6614fdca7dacf078c1927da8f62fd9896d1de9  http___pgringette.ca_siznjnydsw
  149. f96db98f91567ac3db1c227320e386f5c7c25fc63fee52e0cca9741b5c5b130e  http___protescil.net_sq3vaei [7]
  150. f091010fc6f9f4f8326e49c39a2da02b758372989d8689865f549bc9e194abc5  http___psdha.ir_ogka1jiz
  151. a5c4274a1c94c915eab7dcfefcb912ba55cd9d05209e857930ddcc085eff4c5b  http___rent-guarantee-insurance.co.uk_zgscbvvtty
  152. 5c7bdf7a887ec5c9a225c64e861cf32df5a744452d0adfb11144424637f6e622  http___tytswirl.com_dlszp
  153. 5eb25839191515953505a53ccb5308cf4aea9044edbcb51d0ce89d6ee631acb1  http___tytswirl.com_haxels
  154. 6bef6c23c3abd47dda524271f91fc0765e100bf399f0cc5bcbbeac71fa176d62  http___tytswirl.com_rmeib8k
  155. - decoded
  156. 321ad69b535da6364646d6b0f40857ae068992af8140997ce4f3058bb3b1ad27 [1]
  157. dd569277d10d17f7aa9490b12c80797e028f8bb7a0e7e5374158b57a4f44be94 [2]
  158. 74a2b796ff108c97519579c438b42d5d3df246e649096452cc752a7ef860e8b2 [3]
  159. 3d5ec2e79b927a099404d7468570e90fef53d4bd28f5d61169289594f2b7f19a [4]
  160. 5b08095f0e14b8ff92d6225c893953fea68b03e1aaa85c7421f74b6ecdf856dd [5]
  161. 528adf6387cfd07f39a2b38df182196e68f9c2e0c7ebd70dde03ad0f15d41b85 [6]
  162. 8d8e5d314f4b26d3b98601f306bdcb0682bf2976d65dc5238a9b9ff40ccf68d9 [7]
  163. ae48a428a4dc75ab447898bb89909d871120573ea94cf80794a6c3a097aff366 [8]
  164. - executed by "rundll32.exe %TEMP%\<filename>,cikTn"
  165.  
  166. C2:
  167. POST http://185.75.46.138/information.cgi
  168. POST http://195.123.211.46/information.cgi
  169. POST http://dbqvbkpmodlvl.ru/information.cgi
  170. POST http://etdpdyvafjq.org/information.cgi
  171. POST http://hcfogxjusylnuaci.pl/information.cgi
  172. POST http://moexkrf.click/information.cgi
  173. POST http://nfhburjha.info/information.cgi
  174. POST http://pawrwqptmhla.pw/information.cgi
  175. POST http://poukjdcnatd.info/information.cgi
  176. POST http://qileduiimgowve.su/information.cgi
  177. POST http://rcfghdwtwraahhvmu.su/information.cgi
  178. POST http://thhsbrkwvnmcmepf.ru/information.cgi
  179. POST http://ughnnuuli.ru/information.cgi
  180. POST http://wvywlaahbrm.pw/information.cgi
RAW Paste Data
Top