Racco42

2017-09-07 Locky "Microsoft Store E-invoice for your order"

Sep 7th, 2017
2017-09-07: #locky email phishing campaign "Microsoft Store E-invoice for your order"

Email sample:
-----------------------------------------------------------------------------------------------------------
From: Microsoft <do_not_reply@asia.microsoft.com>
To: [REDACTED]
Subject: Microsoft Store E-invoice for your order #7462959180
Date: Thu, 07 Sep 2017 17:25:53 -0400

Dear Customer,
Thank you for shopping with Microsoft Store

Please find attached or download your official Microsoft Store Invoice.
Please retain a copy of this invoice for your records. Your Microsoft
invoice may also be required to obtain warranty services.

Thank you

Microsoft Store 2017

Attachment: MS_INV_6221.7z -> MS_INV_6746.vbs
-----------------------------------------------------------------------------------------------------------
- sender is "Microsoft <do_not_reply@[us|eu|asia].microsoft.com>"
- subject is "Microsoft Store E-invoice for your order #<10 digits>"
- the body of the email contains a link which downloads another downloader like the one attached.
- attached file "MS_INV_<4 digits>.7z" contains file "MS_INV_<4 digits>.vbs", a VBScript downloader which downloads the encoded malware
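The four indicators above can be turned into a simple mail-filter check. This is an added example, not part of the original paste; the message dicts are constructed test data modelled on the sample email, and the `match_campaign`/`is_locky_einvoice` names are the example's own.

```python
import re

# Patterns taken from the campaign description above.
SENDER_RE = re.compile(r'^Microsoft <do_not_reply@(?:us|eu|asia)\.microsoft\.com>$')
SUBJECT_RE = re.compile(r'^Microsoft Store E-invoice for your order #\d{10}$')
ATTACH_RE = re.compile(r'^MS_INV_\d{4}\.7z$', re.IGNORECASE)
# Link in the body pointing at a second copy of the 7z downloader.
URL_RE = re.compile(r'https?://[^\s"\'<>]+/MS_INV_\d{4}\.7z', re.IGNORECASE)


def match_campaign(msg):
    """Return the indicators that fire for one parsed message.

    msg is a dict with keys 'from', 'subject', 'attachments' (filenames) and 'body'.
    """
    hits = []
    if SENDER_RE.match(msg.get('from', '')):
        hits.append('sender')
    if SUBJECT_RE.match(msg.get('subject', '')):
        hits.append('subject')
    if any(ATTACH_RE.match(a) for a in msg.get('attachments', [])):
        hits.append('attachment')
    if URL_RE.search(msg.get('body', '')):
        hits.append('body_url')
    return hits


def is_locky_einvoice(msg):
    """Flag when the subject matches together with at least one other indicator."""
    hits = match_campaign(msg)
    return 'subject' in hits and len(hits) >= 2


# Constructed samples (not captured traffic), modelled on the email shown above.
SAMPLES = [
    {'from': 'Microsoft <do_not_reply@asia.microsoft.com>',
     'subject': 'Microsoft Store E-invoice for your order #7462959180',
     'attachments': ['MS_INV_6221.7z'], 'body': 'Please find attached ...'},
    {'from': 'Microsoft <do_not_reply@eu.microsoft.com>',
     'subject': 'Microsoft Store E-invoice for your order #1234567890',
     'attachments': [], 'body': 'Download at http://example.invalid/MS_INV_1046.7z'},
    {'from': 'Microsoft Store <store@example.invalid>',
     'subject': 'Your Microsoft Store receipt',
     'attachments': ['receipt.pdf'], 'body': 'Thanks'},
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(s['subject'], '->', match_campaign(s), is_locky_einvoice(s))
```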

Downloader download sites:

Malware download sites:

Malware:
- Locky ransomware, Lukitus variant
- payload as downloaded is encoded; SHA256: 3e1924867806778624d231df10928d4d4deef2b3f24de5505f624ddde7d33636, MD5: 63ed156f8d2efad83cb2d835c3575d16
- decode by XORing with "ttXahvVnoAyxGwH7YyrZV3PphTR8lbYw"
- decoded SHA256: 278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f, MD5: 7210b3a262d96b514d07abfe8d601390
- VT: https://www.virustotal.com/en/file/278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f/analysis/1504818759/
- HA: https://www.reverse.it/sample/278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f?environmentId=100
- C2: POST http://185.67.2.156/imageload.cgi, http://46.148.20.53/imageload.cgi
- config https://pastebin.com/Mg7vuDek, by @James_inthe_box
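For an analyst who has the downloaded blob on disk, the decode step is a repeating-key XOR with the key above, which can be checked against the two SHA256 values in the same list. This is an added example, not code from the paste; it assumes the decoded payload is a Windows PE (the page does not say so explicitly), and the sample bytes at the bottom are constructed, so they match only the hashes computed for them, not the real ones.

```python
import hashlib
from itertools import cycle

# Key and hashes exactly as listed on this page.
XOR_KEY = b"ttXahvVnoAyxGwH7YyrZV3PphTR8lbYw"
ENCODED_SHA256 = "3e1924867806778624d231df10928d4d4deef2b3f24de5505f624ddde7d33636"
DECODED_SHA256 = "278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def verify_sample(blob: bytes, encoded_sha256: str = ENCODED_SHA256,
                  decoded_sha256: str = DECODED_SHA256):
    """Decode a downloaded blob and say which of the known hashes it matches.

    Returns (decoded_bytes_or_None, status) with status one of
    'encoded_mismatch', 'decoded_mismatch' or 'match'.
    """
    if sha256_hex(blob) != encoded_sha256:
        return None, 'encoded_mismatch'      # not the blob this page describes
    decoded = xor_decode(blob)
    if sha256_hex(decoded) != decoded_sha256:
        return decoded, 'decoded_mismatch'   # key or blob differs from the page
    return decoded, 'match'


# Constructed stand-in for the real payload (not the Locky binary).
SAMPLE_PLAIN = b"MZ" + b"constructed sample payload, not real malware " * 3
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)  # encoding is the same XOR

if __name__ == '__main__':
    dec, status = verify_sample(SAMPLE_ENCODED, sha256_hex(SAMPLE_ENCODED),
                                sha256_hex(SAMPLE_PLAIN))
    print(status, looks_like_pe(dec))
```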