API tools faq
paste
Racco42

2016-09-06 Locky "Invoice INV0000xxxxx"

Racco42
Sep 12th, 2016
1,443
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.87 KB | None | 0 0
raw download clone embed print report diff
  1. 2016-09-06 #locky email phishing campaign "Invoice INV0000xxxxx"
  2.  
  3. Email:
  4. --------------------------------------------------------------------------------------------
  5. From: "Willy aikman" <Willy38@perita.nl>
  6. To: [REDACTED]
  7. Subject: Invoice INV000073388
  8. Date: Tue, 06 Sep 2016 19:54:13 +0700
  9.  
  10. Please find our invoice attached.
  11.  
  12. Attachment: Invoice_INV000073388.zip
  13. --------------------------------------------------------------------------------------------
  14. - sender varies
  15. - subject is "Invoice INV0000<number>"
  16. - attached file "Invoice INV0000<number>.zip" corresponds to subject
  17. - attached file contains file "<random chars>.wsf" containing a JScript downloader
  18.  
  19. Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download)
  20. http://209.41.183.242/j8fn3rg3
  21. http://alians-ekb.ru/j8fn3rg3
  22. http://andante-co.jp/j8fn3rg3
  23. http://andreas414.republika.pl/j8fn3rg3
  24. http://around4percent.web.fc2.com/j8fn3rg3
  25. http://bostoncittyregenerww.com/js/j8fn3rg3
  26. http://bushman-rest.com/j8fn3rg3
  27. http://cmacos.com/j8fn3rg3
  28. http://dashman.web.fc2.com/j8fn3rg3
  29. http://fidelitas.heimat.eu/j8fn3rg3
  30. http://gam-e20.it/j8fn3rg3
  31. http://hotelimperium.go.ro/j8fn3rg3
  32. http://josemedina.com/j8fn3rg3
  33. http://kreativmanagement.homepage.t-online.de/j8fn3rg3
  34. http://lacomete52.perso.sfr.fr/j8fn3rg3
  35. http://lalarabbit.web.fc2.com/j8fn3rg3
  36. http://marcotormento.de/j8fn3rg3
  37. http://michik.web.fc2.com/j8fn3rg3
  38. http://mixup0813.web.fc2.com/j8fn3rg3
  39. http://ngenge.web.fc2.com/j8fn3rg3
  40. http://onlineportal-2012.de/j8fn3rg3
  41. http://pea5.cba.pl/j8fn3rg3
  42. http://portadeenrolar.ind.br/j8fn3rg3
  43. http://qualityacoustic.comcastbiz.net/j8fn3rg3
  44. http://rosivani.go.ro/j8fn3rg3
  45. http://sebangou8.xxxxxxxx.jp/j8fn3rg3
  46. http://sitio655.vtrbandaancha.net/j8fn3rg3
  47. http://sp-moto.ru/j8fn3rg3
  48. http://tst-technik.de/j8fn3rg3
  49. http://unimet.tmhandel.com/j8fn3rg3
  50. http://w8kvpd5ib.homepage.t-online.de/j8fn3rg3
  51. http://wccf.huuryuu.com/j8fn3rg3
  52. http://wolffram.homepage.t-online.de/j8fn3rg3
  53. http://www.aldesco.it/j8fn3rg3
  54. http://www.alpstaxi.co.jp/j8fn3rg3
  55. http://www.association-julescatoire.fr/j8fn3rg3
  56. http://www.auret.at/j8fn3rg3
  57. http://www.beniculturali.org/j8fn3rg3
  58. http://www.bytove.jadro.szm.com/j8fn3rg3
  59. http://www.ccnprodusenaturiste.home.ro/j8fn3rg3
  60. http://www.cmg-ingegneria.it/j8fn3rg3
  61. http://www.coropeppinumereu.it/j8fn3rg3
  62. http://www.facturi.go.ro/j8fn3rg3
  63. http://www.folkjuannepiu.it/j8fn3rg3
  64. http://www.fpizzuto.eu/j8fn3rg3
  65. http://www.gengokk.co.jp/j8fn3rg3
  66. http://www.hestia-bewindvoering.nl/j8fn3rg3
  67. http://www.hung-guan.com.tw/j8fn3rg3
  68. http://www.keramikobjekt.de/j8fn3rg3
  69. http://www.laribalta.org/j8fn3rg3
  70. http://www.lindenkapelle.de/j8fn3rg3
  71. http://www.lnowak.tkdami.net/j8fn3rg3
  72. http://www.mikeg7hen.talktalk.net/j8fn3rg3
  73. http://www.montegelato.it/j8fn3rg3
  74. http://www.oltransservice.org/j8fn3rg3
  75. http://www.one-clap.jp/j8fn3rg3
  76. http://www.parrucchieriagiacomo.com/j8fn3rg3
  77. http://www.peritiassicurativi.org/j8fn3rg3
  78. http://www.pittorf.de/j8fn3rg3
  79. http://www.planet-auto.go.ro/j8fn3rg3
  80. http://www.plumbntile.talktalk.net/j8fn3rg3
  81. http://www.porchettadicolledara.com/j8fn3rg3
  82. http://www.radicegioielli.com/j8fn3rg3
  83. http://www.roboticapc.com/j8fn3rg3
  84. http://www.sieas.com/j8fn3rg3
  85. http://www.spiritueelcentrumaum.net/j8fn3rg3
  86. http://www.texelvakantiehuisje.nl/j8fn3rg3
  87. http://www.threshold-online.co.uk/j8fn3rg3
  88. http://www.vanetti.it/j8fn3rg3
  89. http://www.vilastefania.go.ro/j8fn3rg3
  90. http://www.wellworx.de/j8fn3rg3
  91. http://www.whitakerpd.co.uk/j8fn3rg3
  92. http://www.xolod-teplo.ru/j8fn3rg3
  93. http://zse2.pl/j8fn3rg3
  94. http://zui9reica.web.fc2.com/j8fn3rg3
  95.  
  96. Malware:
  97. - encoded on download, SHA256 b09fd941cf46fe994af6b88856969b860ab666dedfe198db4ff1ac49b788a870, filesize 76288 bytes
  98. - decoded SHA256 adc7cc912bd255e17431ead2dfa592f3176ddfa72cdc84cd3b78ab87f5a3f12d
  99.  
  100. https://www.reverse.it/sample/40cfb75451d3c878c0d19de31f8ab29146cc3b17ee0ad1e8bea61d022f94abcf?environmentId=100
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!