SHARE
TWEET

2016-12-06 Locky "Recent order"

Racco42 Dec 6th, 2016 (edited) 199 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-06 #locky email phishing campaign "Recent order"
  2.  
  3. Email sample:
  4. -------------------------------------------------------------------------------------------------------------------
  5. From: "Martina Clarke" <Clarke.Martina@sabanet.ir>
  6. To: [REDACTED]
  7. Subject: Recent order
  8. Date: Tue, 06 Dec 2016 01:24:09 -0700
  9.  
  10. Dear [REDACTED],
  11.  
  12. The counteragent has conducted the checking and found no confirmed payment for the recent order.
  13. Please process the payment ($89307977709734936764340663590223817224101777922093860908195453921228256903435302543133345189781940410421180768810469329510005722611509783204471254902302977078504272733092560473925875872418536646314944362573629156533657076108607103807460326954716857037368604236090022222665681890599713969618046235880818448417380234802792720059389316696617214682010881294061577698172785540052074636092042671677282339136806743088887957717574248863378849143870993195576615033862364116088816558046189063289293699584335027538036272642538459175137079119834241614506102769676295712288880855843251370084909005323488331013448901807234707576661181754157469979328620294382100178337594514235463741358580820594963995408538372738977165056864200273195670927885364352124620192733447407586420216316476233887348151008622176284472878530487960646489160259652595214565535468659401186675488001692499322483427318695780038017801142677303904653441180111095245067146162411042266190514690385403344565617965652953319177413203111484393315319036121920182349912644888738300522454233871921559195019310467266583870612863108947824761709299088846342838150541485404641150377238893797725397045870253343602862643004861725436435207919072632144856821363321855780325300426645866872614704868011733456588260872703883697785892197563735546143894670027548511989067251341999474647271631016566438232946804987005037496973130928111697557184496957535592266648397626958309828958194813442100944742766046212089009030683109366737100984986900879030050311283763505488735057845844710477515111353752501847610378820804644836924940569376575918636393712450918426295592731717883116720828701437165349506246186459834670855707638575482392702668275300271432930326746070542235854888589507510850001656576954009288708711614195281855277506238866658886263426774446138120880572804703007172504160087449702686397028624187721541550749236060695517095472269780605451394119267267768585031745669295475289651104015687022765659687351312476731201719653010211718807369951273177294204052808590819 again. All details are in the attachment.
  14.  
  15. Feel free to email us if you have any inquiry.
  16.  
  17.  
  18. ----
  19. King Regards,
  20. Martina Clarke
  21.  
  22. Attachment: order4910521.zip -> ~8FX934T59F85.js
  23. -------------------------------------------------------------------------------------------------------------------
  24. - sender varies between emails
  25. - subject is "Recent order"
  26. - email body does contain a strange long number, yes :-)
  27. - attached file "order<7 digits>.zip" contains file "~<random uppercase letters and digis>", a JScript downloader
  28.  
  29.  
  30. Download sites:
  31. http://7thpower.com/yetgt1
  32. http://anjoman146.ir/06t14eim59
  33. http://aynuri.cn/pao8w9
  34. http://bel-stroymarket.ru/qzybv5xoj
  35. http://betrend.dk/rxal56tkc
  36. http://bookletta.com/nsb6sxsg
  37. http://comfortdiscovered.com.au/x0je0oyo
  38. http://eplotery.pl/mzcwjqad9
  39. http://experimentaloikos.com/xqx9nzroeg
  40. http://franklinhousetavern.net/ijh6i9qcwa
  41. http://fw-nes.de/xmtxufz
  42. http://gadanie.vgolovanov.ru/o2kkiww7q
  43. http://hawanur.com/w4f0t3n6mi
  44. http://hosting.spep.nl/ff0vuhhkha
  45. http://ischool.org/iobskh
  46. http://isikpeyzaj.com/yfutj8
  47. http://krosha.myjino.ru/pggzm
  48. http://lowcountryday.com/whvneqrjz
  49. http://mcclone.com/ywme2n
  50. http://mensa-edu.com/rrq08fz2hn
  51. http://m.figuren-spiele.de/qhnycc
  52. http://n2.by/hprahz
  53. http://new.sunmar.ca/wdut0yzm
  54. http://nonelikeit.com/ylvsic
  55. http://ns10.servidorprotegido.net/jeidn
  56. http://poised.co.in/lr5xojpdrx
  57. http://reefclub.ru/pbejg
  58. http://ruchengfcw.com/fskvi
  59. http://ruwechat.ru/a3qls
  60. http://saintsraw.com/9htfn95i
  61. http://scapin.de/uopqd
  62. http://servisix.com/1uwztx
  63. http://setoxy.com/dyfvvqp31
  64. http://shydnt.com/7dwige
  65. http://signumtte.net/cldwsmtea
  66. http://skladdomodedovo.ru/in6kx
  67. http://smartcandle.ie/7xltk7ga1x
  68. http://soonmarketing.com/hsjva
  69. http://spisek.freehost.pl/h16yw7fp8
  70. http://sp-tulun.ru/hp8c234aq
  71. http://square100.com/8rnr5wq
  72. http://sreekrishnatemple.com/agmzvm
  73. http://steffweb.dk/bkjybit
  74. http://stevetoulch.com/4pjzomy
  75. http://svastara.info/gtuphxz2
  76. http://svd-serv.sonmax.com.ua/nwl4ci8l1
  77. http://swkitchens.com.au/etgp6ndo
  78. http://tamsoon.net/ec1jyz3fu
  79. http://tasrdk.ru/jf1lh3onnd
  80. http://thermo.dk/8ukzvcxw
  81. http://tolga-tosun.com/bqtwi54d3n
  82. http://vastgoedconcept.be/8rarbjfj
  83. http://vsenabis.ru/ptvkgcpp6h
  84. http://www.02seo.com/iag7a
  85. http://www.demelkwegtuk.nl/ub4btafy96
  86. http://www.ebusiness-articles.com/clja9ztg0
  87. http://www.glutax-ori.com/l9woon
  88. http://www.icelandnavigator.com/ndt3al
  89. http://www.pgringette.ca/ngokspwr
  90. http://www.tutmacli.com/zunhdwvc
  91.  
  92. UPDATE:
  93. http://osawa.be/ji6vl8p
  94. http://petra-roebig.de/hqv4kz
  95. http://smarttrain.edu.vn/5iim4uhd
  96. http://studionero.com/4rjs9e1wkq
  97. http://ventrust.ro/5egp5rgwdo
  98.  
  99. Malware:
  100. - encoded on download
  101. 0f1ef6589e046c80ae4c1e93834d276a6560de7bc528b281f4f831a4bf4850c5  http___7thpower.com_yetgt1
  102. 5c4eb87ff2d1b2db6ae26df1de5851fcec10f333c31a15b0d57264e83cdb644d  http___anjoman146.ir_06t14eim59
  103. 9ebb0c7ea7c9257f697774eb7d7f966ab5894174d4bcb2f81582e713d3b06447  http___aynuri.cn_pao8w9
  104. 7a7ecc69fbccf01c4c9cc9a577df470c65f7bf3a582baa93b29310c8ca9456af  http___bel-stroymarket.ru_qzybv5xoj
  105. 880407a486217acef57a39e176654ab97e2d578ff05e1ac46db052cd7b52ae02  http___betrend.dk_rxal56tkc
  106. 76e0d8b323da67a2328b5ef9b3973814bc8bcb2840a89de31c46d3cd821011d1  http___bookletta.com_nsb6sxsg
  107. 5cc2752a8385cf3709d9eeeb107af05ed9399185c79335bebe2eb849ecbd7adb  http___comfortdiscovered.com.au_x0je0oyo
  108. 050ee6cab348f81e5ef196e8fa0d77d03919d58ffb0ce2759f40f5e4bf2e9563  http___eplotery.pl_mzcwjqad9 [2]
  109. 456a112e68014a44b64138877da76ecc0d9c7936a9a141f4e89de748e34dbf9f  http___experimentaloikos.com_xqx9nzroeg
  110. ea86f13d9e93d0e3df4a503d023ae73a19ef9e919bb54382283c162308d9155a  http___franklinhousetavern.net_ijh6i9qcwa
  111. 32a1f98b5a1fbc7d1da97259e25dae294d60b1ff6d5cccf418b0082be32dd2d7  http___gadanie.vgolovanov.ru_o2kkiww7q
  112. ee12ed508c31af2f27971d39a56650e8cd0e5e24ec92f4be194ecd03708433e8  http___hawanur.com_w4f0t3n6mi
  113. 7600db4ffcd96ba3a8cfb76dccffc3c16e76ed3028343aed761a1cfb92b2c6de  http___hosting.spep.nl_ff0vuhhkha
  114. 81ae3ea6311c240ccc68656f65314ed8c4bd51ee8c173760272c7bdbad3f8d5b  http___isikpeyzaj.com_yfutj8
  115. 75ebd122101651cc0b5d3170a425d2677a9cdf422bb89f68594f866889f1aaf2  http___lowcountryday.com_whvneqrjz
  116. 7690ad32fb17702f07e2c78eb6d3049b036d4183f9c271dcdfc62452ad29f2e3  http___mcclone.com_ywme2n
  117. 33a0a4956ee7a3a2dc001bc3c7761706dbf0a6839d313e80ffcd066dfd0312d5  http___mensa-edu.com_rrq08fz2hn
  118. 05aecf4fc11d93b3b06937da4239df24fb311916b3286733676bba1c3e6b4908  http___m.figuren-spiele.de_qhnycc
  119. 27d6e0ad477b4084f9053c0c5eb29de5ef0b35079edc5779ab4c6c698c75844e  http___n2.by_hprahz
  120. 7b49a34b1c10692ac75738ca042966ba2643d9d549336f9ef443e3fc8809919f  http___new.sunmar.ca_wdut0yzm
  121. c3ca81dedd22089a00247eb266bbc5f683e4ee894c3311baacdb3a4f13763343  http___nonelikeit.com_ylvsic
  122. 3d66a32ad313b6b8ba3a3aafa923a531e43cb70100ba706fcb6f97ef8274e280  http___ns10.servidorprotegido.net_jeidn
  123. b239c0079e2a0a3e5c942e079852af44bdce2a89e9634cc8234282aeaa51cc89  http___poised.co.in_lr5xojpdrx
  124. af7c16005f9cd9da9312159b414d0b0cbecb51dfb9b2d1d22f862469e8fe9862  http___reefclub.ru_pbejg
  125. ef9bb79e0665592c6ac043ab1c1f7da2724cda78a1c48cba05075724bcb62fd6  http___ruchengfcw.com_fskvi
  126. ba6ee69c50eb59cab886dc71ab07f0c81a7019053ecbccb9fcf5dc58284516b6  http___ruwechat.ru_a3qls
  127. 537c1d9fe635379d15482822bd2536858c3736938185cf545b6a3c288a48b7a0  http___saintsraw.com_9htfn95i
  128. 92a0a17452f66cd45775c662a544486124e305a7cfa451a2071dafadbcc955c5  http___servisix.com_1uwztx
  129. 7df6e0b353fc8225c7fbc4ead1e184f6c70183ecd560d8c08c77307278cc65d4  http___setoxy.com_dyfvvqp31
  130. 6f2e2a0093ec8561edc07d14e78536c8fcf4e36213edf9ef9e49341716e14274  http___shydnt.com_7dwige
  131. 717982ae70199cc0d9e69d7e2e89c00b7d2727a5b9132a01a9aa00c4e603f347  http___signumtte.net_cldwsmtea
  132. ff227ac5b2652091a2754b17e276a51eaeb75c14ca07d0ddf6fe70a39b840e6b  http___skladdomodedovo.ru_in6kx
  133. ee7b4285e57ba88ea44fa7e5c81e084a33ead38bb2ba0be591731ee168eb1f0e  http___smartcandle.ie_7xltk7ga1x
  134. 04345fec4e2f9f9245a1ee9ba483b45cef9a1f73c9d8b440bf1d23d9cd4aaa23  http___soonmarketing.com_hsjva
  135. 828ee66b1bb7055e75f2d03e90f284cd0ce8cf501fed6c2af45cf81ff8af76a3  http___spisek.freehost.pl_h16yw7fp8
  136. 7ad75eaa62ad77326dd2c57a51fc62173c67daa42e92f9d065e478bea2bc786c  http___sp-tulun.ru_hp8c234aq
  137. 4f053420dd59228fb6ebdaaed2774dcee648a38e7f7e521853dcc0ca496d0161  http___square100.com_8rnr5wq
  138. 3de42b5c8e45dba5f8c40f2495f44eb18b557a80373a48034f58148e9d9a6f38  http___sreekrishnatemple.com_agmzvm
  139. 85eebae03e595859f633ac5d416d91dae279b27b5de894b2ebde318fa026370a  http___steffweb.dk_bkjybit [1]
  140. 3df5834e4599d021f79523975c515f5c8747276f29ffe8f8c95a70ccabe4e7ad  http___stevetoulch.com_4pjzomy
  141. f164670a22c774732d3eda44f206ddc8dbc94905e0fb075af076c28629c0948d  http___svastara.info_gtuphxz2
  142. 26e5d743ee201f0df95182252ca55ff1ae3a4aa92983a56bd640c69f5636105f  http___svd-serv.sonmax.com.ua_nwl4ci8l1
  143. b4aa8bdefd431fef65b0007355681584b41fd8e3900d8dfcd66fea452a476f11  http___swkitchens.com.au_etgp6ndo [3]
  144. 71eab1718bf481215fb95ba28105cb6438c6af5e2d1e7d076bd760306c4bd85e  http___tamsoon.net_ec1jyz3fu
  145. a10bb2d4b62426da1f1622e2a78bd708431e9d66d6cb2a72a9f800df974f1e53  http___tasrdk.ru_jf1lh3onnd
  146. e57516e499dc23ff60ab44f829802627cab24e48ed64159a63f787f35b82329f  http___thermo.dk_8ukzvcxw
  147. 9b1139579004c5e4c9532998909df831f7f3047b504a1772b2718b2e8f0bdb35  http___tolga-tosun.com_bqtwi54d3n
  148. 177559c7018a40b0dbc3aafcd9f357275030ec236c451ce21e88c19d41ecace8  http___vastgoedconcept.be_8rarbjfj
  149. c4024c3aecb5cdd31f1f9ecc2c45b93c6214867e35ceb5aa22af167fc4489945  http___vsenabis.ru_ptvkgcpp6h
  150. e17f4ac42ffb63fe415d4c085304ade8b2bd98a76638fdddd4c9acf9aac9969b  http___www.02seo.com_iag7a
  151. d35a2747c81b34f29b83356a1f64a4277ef0459dfc4d443e941f297f75e3b3de  http___www.demelkwegtuk.nl_ub4btafy96
  152. 9ca5a6a6ba413ce35602c6f32335402c26792d0460c8f4790bb9616946566e75  http___www.icelandnavigator.com_ndt3al
  153. 07ba8cbb26893a2eea6ca9912423681bf552d5d25f311794c20da1afd5327533  http___www.pgringette.ca_ngokspwr
  154. f41387425bb7cf447d72d50a4d84c1362ad5aae308225c222253dff55619e2b5  http___www.tutmacli.com_zunhdwvc
  155. - decoded
  156. 954e1c5227e613c498cf8cbccd4ddd25daf678dcdf0a31f8ca2b30819a26173b [1]
  157. 1459d71c23109f30a297c19737b93d93fd2499d549e954cf589f749f9cb21349 [2]
  158. 1e5c09bfdc302cb2aae270e5c35a0ed88dcbef80c3ad637829f3dd4ecc2b0da3 [3]
  159. - executed by "rundll32.exev %Temp%\<filename>.ZK,FpNSZhx6K63bRJnIKaIiFS7Gid"
  160. - samples
  161. https://www.virustotal.com/file/954e1c5227e613c498cf8cbccd4ddd25daf678dcdf0a31f8ca2b30819a26173b/analysis/1481019156/ [1]
  162. https://www.virustotal.com/file/1459d71c23109f30a297c19737b93d93fd2499d549e954cf589f749f9cb21349/analysis/1481019163/ [2]
  163. https://www.virustotal.com/file/1e5c09bfdc302cb2aae270e5c35a0ed88dcbef80c3ad637829f3dd4ecc2b0da3/analysis/1481019174/ [3]
  164.  
  165. C2:
  166. POST http://176.112.219.101/checkupdate
  167. POST http://85.143.213.71/checkupdate
  168. POST http://91.203.5.176/checkupdate
  169. POST http://95.46.114.147/checkupdate
RAW Paste Data
Top