- 2016-11-24 #locky email phishing campaign "scan paper"
- Email sample:
- -----------------------------------------------------------------------------------------------------------
- From: "CORA BREWSHER" <cora.brewsher@avivendi.co.uk>
- To: [REDACTED],
- Subject: scan paper
- Date: Thu, 24 Nov 2016 18:43:43 +0700
- Thanks & Regards,
- Cora
- Insurance Authority Certificate No:222
- Insurance Advisor
- E cora.brewsher@avivendi.co.uk
- M +971 56 7185865
- M +971 56 4305143
- P +971 4 3577997
- F +971 4 3577844
- Attached: Scan0066.zip -> 181_IGCC_1161.wsf
- -----------------------------------------------------------------------------------------------------------
- - sender address varies between emails; the display name is always all uppercase
- - subject is always "scan paper"
- - attachment "Scan<4 digits>.zip" contains a single file "<3 digits>_<4 or 5 uppercase letters>_<4 digits>.wsf", a JScript downloader
- Download sites (the live URLs carry a ?<random>=<random> query string, which does not affect the download; the path /g3r7ewc is the constant part across all hosts):
- http://allinfo.xyz.com/g3r7ewc
- http://facerecognition.com.ba/g3r7ewc
- http://hundeschulegoerg.de/g3r7ewc
- http://medicariel.com/g3r7ewc
- http://muka.tnmrk.ru/g3r7ewc
- http://namicg.com/g3r7ewc
- http://newskillacademy.com/g3r7ewc
- http://newtoyou.nl/g3r7ewc
- http://nihonpedia.de/g3r7ewc
- http://norpecas.pt/g3r7ewc
- http://novacinema.eu/g3r7ewc
- http://nuk1956.com/g3r7ewc
- http://oyasinsaat.com.tr/g3r7ewc
- http://paultuttle.us/g3r7ewc
- http://pesaroeventi.it/g3r7ewc
- http://phaleshop.com/g3r7ewc
- http://phonerepairguy.com/g3r7ewc
- http://phukiengalaxy.com/g3r7ewc
- http://pianoamulet.com/g3r7ewc
- http://pishitm.com/g3r7ewc
- http://pkgeneralcontracting.com/g3r7ewc
- http://plast-chem.com.pl/g3r7ewc
- http://plightadvertising.com/g3r7ewc
- http://pnw.pl/g3r7ewc
- http://poorten-derycke.be/g3r7ewc
- http://portalkerjaya.com/g3r7ewc
- http://premierpromotions.co.uk/g3r7ewc
- http://prizor.net/g3r7ewc
- http://prmiramar.com/g3r7ewc
- http://proariesgos.com.ar/g3r7ewc
- http://procor.com.mx/g3r7ewc
- http://profsonstage.com/g3r7ewc
- http://proracks.ro/g3r7ewc
- http://pulse-tv.net/g3r7ewc
- http://puttechnologies.com/g3r7ewc
- http://qazz.co.uk/g3r7ewc
- http://qinglv999.com/g3r7ewc
- http://qubamosque.org/g3r7ewc
- http://raihaan.com/g3r7ewc
- http://raje.dk/g3r7ewc
- http://readtogether.org.uk/g3r7ewc
- http://redacor.ro/g3r7ewc
- http://rek-style.ru/g3r7ewc
- http://relianceclouds.com/g3r7ewc
- http://rentvspb.ru/g3r7ewc
- http://restauranttajmahal.ca/g3r7ewc
- http://rhenn.ca/g3r7ewc
- http://rightofdecimal.com/g3r7ewc
- http://rijschool-storm.nl/g3r7ewc
- http://rimiller.com/g3r7ewc
- http://riyuegu.net/g3r7ewc
- http://rutamutis.org/g3r7ewc
- http://sagaoil.ro/g3r7ewc
- http://schnoida.net/g3r7ewc
- http://senabel.com/g3r7ewc
- http://sergloform.com/g3r7ewc
- http://sertificat-nb-test.ru/g3r7ewc
- http://skgs.nl/g3r7ewc
- http://skuter.c0.pl/g3r7ewc
- http://somersetautotints.co.uk/g3r7ewc
- http://soyyigit.com.tr/g3r7ewc
- http://spartanwoman.ru/g3r7ewc
- http://sportstips.eu/g3r7ewc
- http://staging.santana.eu/g3r7ewc
- http://superagencja.eu/g3r7ewc
- http://svcangel.com/g3r7ewc
- http://szhuangming.com/g3r7ewc
- http://tandembikereviews.com/g3r7ewc
- http://terrabit.ro/g3r7ewc
- http://theprick5k.com/g3r7ewc
- http://thoseads.com/g3r7ewc
- http://trikeneigh.net/g3r7ewc
- http://turystyka.cal.pl/g3r7ewc
- http://tzabanga.com/g3r7ewc
- http://uae4all.com/g3r7ewc
- http://uhassler.de/g3r7ewc
- UPDATE:
- http://ojiplus.com/g3r7ewc
- http://pixine.cl/g3r7ewc
- http://quickweightloss.eu/g3r7ewc
- http://uslugitransportowe-warszawa.pl/g3r7ewc
- Malware:
- - downloaded in encoded form: SHA256 548c57e2218a798935bcda80a6562eece21e069d58371af6c57829b336a3fe26, MD5 06ae36ce998d2acfe71f63f1a05ccc2d
- - decoded DLL: SHA256 1707223ee047e9c0564237e6c3567c30049cc91c5e558814aff06dbc967947de, MD5 35aad6b9723e3522c411b58af7b1d6be
- - executed by "rundll32.exe %TEMP%\<dll_name>,momo" (DLL dropped in %TEMP%, entry point is the export named "momo")
- C2:
- POST http://109.248.222.47/information.cgi
- POST http://91.201.41.91/information.cgi
- POST http://cddcjcuefrhwi.pl/information.cgi
- POST http://jwkwqvdcgpbymwed.pw/information.cgi
- POST http://jxrldvty.pl/information.cgi
- POST http://krtncsrnmcgjx.info/information.cgi
- POST http://pdlbtnfhtoxghb.org/information.cgi
- POST http://qhmfwifp.work/information.cgi
- POST http://rbotlntb.pw/information.cgi
- POST http://wrfviojjvajxtlwr.click/information.cgi
- POST http://wxjvooq.pl/information.cgi
- POST http://ymcniap.biz/information.cgi
- POST http://ymwusvyuvfugv.pl/information.cgi
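Detection logic for the indicators above, added here as an example and not part of the original paste: it matches the lure (subject, uppercase display name, Scan<4 digits>.zip containing <3 digits>_<4-5 uppercase>_<4 digits>.wsf), the /g3r7ewc download path regardless of host or query string, the POST to /information.cgi, the rundll32 ...,momo command line and the payload hashes. The proxy-log format, the sample log lines and all function names are constructed assumptions for this example; the hosts used in the sample lines are taken from the lists above. The download path is matched rather than the host list because the compromised hosts rotate (see the UPDATE section) while the path stays constant.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the notes above. Log format, sample lines and
# function names are constructed for this example, not taken from the paste.
SUBJECT = "scan paper"
ZIP_NAME_RE = re.compile(r"^Scan\d{4}\.zip$")
WSF_NAME_RE = re.compile(r"^\d{3}_[A-Z]{4,5}_\d{4}\.wsf$")
DOWNLOAD_PATH = "/g3r7ewc"       # same path on every compromised host
C2_PATH = "/information.cgi"     # only ever seen with POST
# rundll32.exe <dll under %TEMP%>,momo ; accepts the literal %TEMP% and an expanded ...\Temp\ path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*(?:\\|%)temp%?\\[^",]+"?,momo\b', re.IGNORECASE)
PAYLOAD_HASHES = {
    "548c57e2218a798935bcda80a6562eece21e069d58371af6c57829b336a3fe26",  # SHA256, encoded as downloaded
    "06ae36ce998d2acfe71f63f1a05ccc2d",                                  # MD5, encoded as downloaded
    "1707223ee047e9c0564237e6c3567c30049cc91c5e558814aff06dbc967947de",  # SHA256, decoded DLL
    "35aad6b9723e3522c411b58af7b1d6be",                                  # MD5, decoded DLL
}


def is_lure_email(subject: str, display_name: str, zip_name: str, inner_name: str) -> bool:
    """True when subject, all-caps display name and both attachment names fit the lure."""
    name_is_upper = display_name == display_name.upper() and any(c.isalpha() for c in display_name)
    return (subject.strip().lower() == SUBJECT
            and name_is_upper
            and ZIP_NAME_RE.match(zip_name) is not None
            and WSF_NAME_RE.match(inner_name) is not None)


def classify_request(method: str, url: str) -> Optional[str]:
    """'download' for the WSF's payload fetch, 'c2' for the POST beacon, else None.

    Only the path is compared: the ?<random>=<random> suffix and the host vary.
    """
    path = urlsplit(url).path
    if path == DOWNLOAD_PATH:
        return "download"
    if path == C2_PATH and method.upper() == "POST":
        return "c2"
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse constructed 'timestamp src method url' lines; return (src, kind, host) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, src, method, url = fields
        kind = classify_request(method, url)
        if kind:
            hits.append((src, kind, urlsplit(url).hostname or ""))
    return hits


def is_locky_rundll32(cmdline: str) -> bool:
    """Match the documented execution line: rundll32 loading a DLL from %TEMP% via export 'momo'."""
    return RUNDLL_RE.search(cmdline) is not None


def is_known_payload(hexdigest: str) -> bool:
    """Hash lookup against the encoded and decoded payload hashes listed above."""
    return hexdigest.strip().lower() in PAYLOAD_HASHES


# Constructed sample proxy lines (not real traffic); hosts are from the lists above.
SAMPLE_PROXY_LOG = """\
2016-11-24T12:01:02Z 10.0.0.5 GET http://nuk1956.com/g3r7ewc?kjh=98as
2016-11-24T12:01:09Z 10.0.0.5 POST http://qhmfwifp.work/information.cgi
2016-11-24T12:02:00Z 10.0.0.7 GET http://pnw.pl/g3r7ewc/other
2016-11-24T12:02:30Z 10.0.0.8 GET http://jxrldvty.pl/information.cgi
"""

if __name__ == "__main__":
    print(is_lure_email("scan paper", "CORA BREWSHER", "Scan0066.zip", "181_IGCC_1161.wsf"))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(is_locky_rundll32(r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd1234.dll,momo"))
```

A host that fetches /g3r7ewc and then POSTs to /information.cgi within minutes (10.0.0.5 in the sample) is the sequence to alert on; a GET to /information.cgi or a longer path under /g3r7ewc does not fit the campaign and is deliberately not matched.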