Racco42

2016-11-24 Locky "scan paper"

Nov 24th, 2016
2016-11-24 #locky email phishing campaign "scan paper"

Email sample:
-----------------------------------------------------------------------------------------------------------
From: "CORA BREWSHER" <cora.brewsher@avivendi.co.uk>
To: [REDACTED],
Subject: scan paper
Date: Thu, 24 Nov 2016 18:43:43 +0700

Thanks & Regards,
Cora
Insurance Authority Certificate No:222
Insurance Advisor

E cora.brewsher@avivendi.co.uk
M +971 56 7185865
M +971 56 4305143

P +971 4 3577997
F +971 4 3577844

Attached: Scan0066.zip -> 181_IGCC_1161.wsf
-----------------------------------------------------------------------------------------------------------
- sender varies between emails; the display name is all uppercase
- subject is "scan paper"
- attached file "Scan<4 digits>.zip" contains the file "<3 digits>_<4 or 5 uppercase letters>_<4 digits>.wsf", a JScript downloader

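As an added detection example (not part of the original paste), the naming patterns above turned into a mail-gateway check. The Mail record, its field names and the two sample messages are constructed for this example; the "hit" sample mirrors the header and attachment names from the paste.

```python
import re
from typing import NamedTuple

# Patterns taken from the campaign notes:
#  - attachment "Scan<4 digits>.zip"
#  - inner file "<3 digits>_<4 or 5 uppercase letters>_<4 digits>.wsf"
#  - subject "scan paper", display name entirely uppercase
ZIP_RE = re.compile(r"^Scan\d{4}\.zip$")
WSF_RE = re.compile(r"^\d{3}_[A-Z]{4,5}_\d{4}\.wsf$")
DISPLAY_NAME_RE = re.compile(r'^"?([^"<]+?)"?\s*<[^>]+>$')


class Mail(NamedTuple):        # constructed record type for this example
    sender: str                # raw From: header value
    subject: str
    zip_name: str              # attachment filename
    inner_names: tuple         # filenames found inside the archive


def matched_indicators(mail: Mail) -> list:
    """Return the names of the campaign indicators present in one message."""
    hits = []
    if mail.subject.strip().lower() == "scan paper":
        hits.append("subject")
    m = DISPLAY_NAME_RE.match(mail.sender.strip())
    if m and m.group(1).strip().isupper():
        hits.append("uppercase_display_name")
    if ZIP_RE.match(mail.zip_name):
        hits.append("zip_name")
    if any(WSF_RE.match(n) for n in mail.inner_names):
        hits.append("wsf_name")
    return hits


def is_locky_scan_paper(mail: Mail) -> bool:
    """Attachment pattern plus at least one lure indicator: quarantine."""
    hits = matched_indicators(mail)
    lure = "subject" in hits or "uppercase_display_name" in hits
    return "zip_name" in hits and "wsf_name" in hits and lure


# Constructed samples: one matching the campaign, one benign-looking message.
SAMPLE_HIT = Mail('"CORA BREWSHER" <cora.brewsher@avivendi.co.uk>',
                  "scan paper", "Scan0066.zip", ("181_IGCC_1161.wsf",))
SAMPLE_MISS = Mail('"Jane Doe" <jane@example.invalid>',
                   "Invoice", "Scan0066.zip", ("report.pdf",))

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_MISS):
        print(is_locky_scan_paper(sample), matched_indicators(sample))
```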
Download sites (all use the path /g3r7ewc; the actual URLs carry a suffix ?<random>=<random> which does not influence the download):
Malware:
- encoded on download, SHA256 548c57e2218a798935bcda80a6562eece21e069d58371af6c57829b336a3fe26, MD5 06ae36ce998d2acfe71f63f1a05ccc2d
- decoded SHA256 1707223ee047e9c0564237e6c3567c30049cc91c5e558814aff06dbc967947de, MD5 35aad6b9723e3522c411b58af7b1d6be
- executed by "rundll32.exe %TEMP%\<dll_name>,momo"
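Added here as a detection example (not from the original paste): a process-creation command-line check for the rundll32 execution pattern noted above. The command lines are constructed samples, and "dll1234.dll" is a placeholder since the paste only gives <dll_name>.

```python
import re

# Detection for the execution pattern noted above:
#   rundll32.exe %TEMP%\<dll_name>,momo
# Matches the rundll32 image (bare or with a path), the DLL argument
# (quoted or not) and the export name after the comma; case-insensitive.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z0-9_@#]+)\s*$',
    re.IGNORECASE,
)
# Unexpanded %TEMP% plus the usual expanded temp locations (lowercased).
TEMP_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def classify(cmdline: str) -> str:
    """Return a verdict for one process-creation command line."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return "not_rundll32"
    dll = m.group("dll").lower()
    export = m.group("export").lower()
    in_temp = any(marker in dll for marker in TEMP_MARKERS)
    if in_temp and export == "momo":
        return "locky_loader"        # the exact pattern from this campaign
    if in_temp:
        return "rundll32_from_temp"  # different export, still worth a look
    return "rundll32_other"


def scan(cmdlines):
    """Classify a batch of command lines as (cmdline, verdict) pairs."""
    return [(c, classify(c)) for c in cmdlines]


# Constructed sample log lines; "dll1234.dll" stands in for <dll_name>.
SAMPLE_CMDLINES = [
    r'rundll32.exe %TEMP%\dll1234.dll,momo',
    r'C:\Windows\System32\rundll32.exe "C:\Users\bob\AppData\Local\Temp\dll1234.dll",momo',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'notepad.exe C:\Users\bob\notes.txt',
]

if __name__ == "__main__":
    for cmdline, verdict in scan(SAMPLE_CMDLINES):
        print(f"{verdict:20} {cmdline}")
```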

C2 (all POST requests to /information.cgi):