SHARE
TWEET

2016-12-12 Locky "Payment Confirmation"

Racco42 Dec 12th, 2016 (edited) 227 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-12: #locky email phishing campaign "Payment Confirmation"
  2.  
  3. Email sample:
  4. ------------------------------------------------------------------------------------------------------------------
  5. From: "Dewey Davenport" <Davenport.Dewey@azimuth-tour.com>
  6. To: [REDACTED]
  7. Subject: Payment Confirmation
  8. Date: Tue, 13 Dec 2016 07:04:02 +0700
  9.  
  10. Dear [REDACTED], Please confirm the recent payment (Receipt #2658426, $285.32).
  11. For that, open the attached document and contact us specifying the number of invoices one by one.
  12.  
  13. Thank you.
  14.  
  15. ----
  16. Best Regards,
  17. Dewey Davenport
  18.  
  19. Attachment: "payment2658426.zip" -> ~_C7T1VN_~.wsf
  20. ------------------------------------------------------------------------------------------------------------------
  21. - sender varies between emails
  22. - subject is "Payment Confirmation"
  23. - attached file "payment<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.wsf", a JScript downloader
  24.  
  25. Download sites:
  26. http://baldwinhistory.portalstream.net/tbsgnn
  27. http://beauty-jasmine.ru/s7w16ifafk
  28. http://brianzainformatica.it/wajunuajcn
  29. http://bronz.standartmedya.com/aoypyrfu
  30. http://dou104.rybadm.ru/mpnvlruoqg
  31. http://easylation.com/fcguubb
  32. http://erkenne-mich-selbst.de/oxrxt
  33. http://ipp-diz.ru/notg9d
  34. http://izeinstruments.com/mujbmz
  35. http://karinschacht.addr.com/wx1oqhf
  36. http://raovat4u.com/l3g8ffx
  37. http://rhinohosts.com/lzme3mtv
  38. http://robbeottoy.dommel.be/o2klycy35
  39. http://silverhand.eu/0gbfodai
  40. http://simplybridalweddingmakeup.co.uk/xsjmk
  41. http://singhaii.com/0b2nchf
  42. http://sky-express.ru/axujfqmix
  43. http://slagelse-maskinforretning.dk/fsyvthpfu
  44. http://sokenthai.com/didg6wydko
  45. http://space4elephants.org/0jgoo
  46. http://spoiltgirlsclub.com/calsrivyi5
  47. http://starawawa.website.pl/9okji
  48. http://staris.de/iogzkj
  49. http://storebet.ru/ecbiug9
  50. http://sudarsan.net/7x6ghbe1u
  51. http://sudeepgurtu.com/fm39qsv
  52. http://suhangtime.cn/9o40fvzmf
  53. http://sureyyaperde.com/askqszskol
  54. http://sweetandsour.com/80aknx
  55. http://taghdis.ir/ksovhacm9
  56. http://taier666.com/fwhvor7
  57. http://taikosushibar.com.br/f3vss
  58. http://taokefx.com/hnh1b
  59. http://taylormedia.com.au/ed1rrsygn
  60. http://teatr-x.ru/wmnet0riwk
  61. http://thesprezzatura.com/hybjso
  62. http://thesurfbreak.com/hkxdlcqb0
  63. http://tidytrend.com/9za644
  64. http://tiffeat.com/glvx1jeipc
  65. http://tirpse.com/2a3y6xc
  66. http://tollytalkies.com/7ylj0y
  67. http://tongfangjd.com/4lxi88l
  68. http://trackdayphotography.co.uk/hcgq1i9y6q
  69. http://trgovinapopek.com/iiazfpu5h
  70. http://tribech.com/hj8ubhh
  71. http://tt-comp.ru/cifpf
  72. http://twssthai.com/hqysr0
  73. http://villa31.com/cyszd9m
  74. http://www.aikicere.it/xz7qwjk1w4
  75. http://www.cmt.ro/umg7y
  76. http://www.diacelalimentacion.es/mkppealw
  77. http://www.fabioalbini.com/wxvhgedc
  78. http://www.instalacionesjosearteaga.com/mzfqt
  79. http://www.kardborren.se/z3ebghmg
  80. http://www.lenkinetorty.szm.com/yohyhvz
  81. http://www.maurop.it/x7yvi0q7
  82. http://www.pastificiodelduca.com/xvpalefy5s
  83. http://www.prometsrl.org/vcrhjnqh
  84. http://www.richtenberg.be/xoiuqt0tc
  85. http://www.topmag.com.cn/fy4ymmr
  86.  
  87. Malware:
  88. - encoded on download:
  89. 583b94203c34dd2e5d6c586a1f82355dd8c73702d8163e309333655fc88a2205  http___baldwinhistory.portalstream.net_tbsgnn
  90. 4fcb78de927203d361ce7e284c64de2ea968f4bf43abd62b43f0ede4206f196e  http___beauty-jasmine.ru_s7w16ifafk
  91. b541e62bcaeef90a794427a19fb42e25616f854a9450eac8fbde232260d9deed  http___brianzainformatica.it_wajunuajcn
  92. e5c167369279601e66e8722628447bb911220b6ea428e0e22f14266aab29b8e0  http___bronz.standartmedya.com_aoypyrfu
  93. fd755c013eadb929bd6a5f8e8db16ef3c6da29c469c5737fdd950b5575eee6d6  http___dou104.rybadm.ru_mpnvlruoqg
  94. 2cf909dfc896946856701c1f76f7595e80b05983de6d9c1266b9852390ff211b  http___easylation.com_fcguubb
  95. 134bae5c4d78571b13d825dae9044b24ec72db4b870e00411455994ecef037b0  http___erkenne-mich-selbst.de_oxrxt
  96. e5a95a9b0579cef5b37ecb5d31df5b422887048caa23d073d35ae54f9fd16b95  http___ipp-diz.ru_notg9d
  97. 69e62bf6e9c9e05b3cf0e0a5ad10a3bc1a39c1914f989f0c388dfec0e94bcd35  http___izeinstruments.com_mujbmz [4]
  98. fc41bb4b25e6e3fa36f8285fe2e37aac0761f2589930518ec8c121c3d96ce776  http___karinschacht.addr.com_wx1oqhf
  99. 20bdc307525894fb2105b4890853a2f31c93cd5b931fe4ccdc41ffd9b883f1b4  http___raovat4u.com_l3g8ffx
  100. 8b5d434bc0cf4b348a6835e6ae89665f1dcb7e4d9a6172f2e7a84dba5b96c5e4  http___rhinohosts.com_lzme3mtv
  101. d75b0c07d2eb573704c3f189008d5033ab1f98c4b4800183ded6e4ee02598c7f  http___robbeottoy.dommel.be_o2klycy35
  102. 2c170efeec49f75dbffd530ea8d2b35c2dc6209aa3468eaadab2a084acfd1903  http___silverhand.eu_0gbfodai
  103. 2c4f47c509156cb19409d947df875e597be8d58c01b8b3a6721c62517f484dff  http___simplybridalweddingmakeup.co.uk_xsjmk
  104. 90dcb68910b852f8b7b81add5a49d7e25319be60d0fb1ad09e4bdd2bcca48d79  http___singhaii.com_0b2nchf
  105. 1bd5eb5bd7edb7ee826a1e56b8b43f2bf3c106033180f2b4472d4ad308be134a  http___sky-express.ru_axujfqmix
  106. 4891d889ba88e858429ce4d9bd4de27ea0fdf00782a8507507556f4ba5d6d9e2  http___slagelse-maskinforretning.dk_fsyvthpfu
  107. 129ddcc1413478f20cf12a93e35008889f81ba04c686afed43b606ad9857caed  http___sokenthai.com_didg6wydko
  108. b548ff9b5af55454287346a0d203379281bb2a3d9196e16b7cf9ddfbade7fdc5  http___space4elephants.org_0jgoo
  109. 01b5ffd14fd0d06c639a740ee7828a7d2d57851c655fcdfdc3eb8a63cc8c4a67  http___spoiltgirlsclub.com_calsrivyi5
  110. 8ab660cf902139bc05f288eeeee7afee6d8ec770302210dde731e0cfd04e4222  http___starawawa.website.pl_9okji
  111. cd144e4e8ac386cadcc8a3b62a4ab87ea624ee03a5642516e4042a0eb06f6e00  http___staris.de_iogzkj
  112. 6c099f00ca43b7d91e996c52aecd910282fa387396b216de5046af9b2da2819a  http___storebet.ru_ecbiug9
  113. 9a7f6e8a03293c5f928c0619b2a9b4f6822c6abca9fe9cd40b56d306c352ea79  http___sudarsan.net_7x6ghbe1u
  114. b90b7af480de838f3d3a09f788c0331fc0482337d162b64d44b0fa994cde1052  http___sudeepgurtu.com_fm39qsv [2]
  115. 01005fc55c9f4940c21a676abf1b14b178ceeac946ff38082e3d041dadc290c0  http___suhangtime.cn_9o40fvzmf
  116. d31b2e312e0d21f33436d360471dae2dc9f089e95a22f1d20559b4704f7e46bd  http___sureyyaperde.com_askqszskol
  117. 34c36e2515f884439fb2ae74425f526860e54b8af74205b64533fa664157f09e  http___taghdis.ir_ksovhacm9
  118. e56976d8a5764d4d33a3b9ec80c55cbd90dff6a6d01fac6db496aed67fbfe6a5  http___taier666.com_fwhvor7
  119. ea15eaede7c1c28171cfb252b20c0e163014592e65256df27616b1fab6c1fd70  http___taikosushibar.com.br_f3vss
  120. 541b500cb611885a586ca0ed6e1f00c4e2c4afc62f3b56e74d4535828f8b5232  http___taylormedia.com.au_ed1rrsygn
  121. 100902c711f348cdcf4671b08d1b7e04a0fa403c587af0bbf0d6b9a1129a09bc  http___teatr-x.ru_wmnet0riwk
  122. c52edb48bc4f7cb5d473e911c185aa6a7d0f311c0ff5eb4e1f2018d73c004826  http___thesprezzatura.com_hybjso
  123. b1c3e96ca52ac23ca89fdb0b8f54a30ed02bc1f58c407471e0753e30bebb2603  http___thesurfbreak.com_hkxdlcqb0
  124. 5c550f222cffbe470b3a82c4a2e7257f8defaa0bd58b5ff8c32c62db8e0ddcfa  http___tidytrend.com_9za644
  125. 2bc3b4564ac73f59d3077fb8ed7f0e8cefba57430cba407081e9f94046f2b4a6  http___tiffeat.com_glvx1jeipc [1]
  126. 6263fedc0ea1b7a094f2ef4d419c3f19332e9c044dd95ff95516921eed8ae8cb  http___tirpse.com_2a3y6xc
  127. 4f4fb87aa7221bebc00282288b1f2bbe6d5a912629ccf838de3335dae3892744  http___tollytalkies.com_7ylj0y
  128. bca0c03678d1b7959ad0b28058316997adf6e8a30ac343fa2213ec66b522c6bb  http___tongfangjd.com_4lxi88l
  129. fc9d2da99f0421a5b393dffc2435a893cdcfd7bad902f0a2b3fede76daf8665b  http___trackdayphotography.co.uk_hcgq1i9y6q
  130. 41830a78412ec9ca11f04ff7d8ddc0e43a5009a26baae24b69614022fe6030d9  http___trgovinapopek.com_iiazfpu5h
  131. 4c9ba1de53ad8c94a713fc0adc9f5ecb770cd944d961b10638a3190795d64f00  http___tribech.com_hj8ubhh
  132. 5e35f45d948ca995815cf44cd43a7b3d813bb7534052b415dd1bbff2fbfa81a9  http___tt-comp.ru_cifpf
  133. f8b42774cc08a598ea2df2e9e1357b17f9027ebac8ed4acac391dad54065c312  http___twssthai.com_hqysr0 [5]
  134. 21e27b422526d5187d6eb922ae8826b9aa452f0062ca094c698d9139387514c3  http___villa31.com_cyszd9m
  135. 5368e1f41539c063b9e6a8567af0e018caf4ec40f843821118d48ca57b892296  http___www.aikicere.it_xz7qwjk1w4
  136. 6b3bbca4e43323d3b38c938bf9fa22cd12ee4d6ef3cfaa334b3cb29158a4f484  http___www.cmt.ro_umg7y
  137. b45c2763433c4930f1a1659265da2c4f6c624ad57adfca2246a5ae3ecf0efe9a  http___www.diacelalimentacion.es_mkppealw [3]
  138. 94efd8d4e8e57b027abd23c473712e6b475973a4c459a6d7de74f0d053377a44  http___www.fabioalbini.com_wxvhgedc
  139. e3d2f18762a813db9157330336ca0f9e6c9d1dae01d2172ca3bac68ddfcf95ce  http___www.instalacionesjosearteaga.com_mzfqt
  140. ce84710befba83745693e5214ebbed13c1f5d70455295b83b4916dc4551d6ad2  http___www.kardborren.se_z3ebghmg
  141. 6c0c76ff4b098db7e0c77689a4e0004c8c782f70c13d1483c45bb648a008ddbd  http___www.lenkinetorty.szm.com_yohyhvz
  142. 6fa57584f5e7e92c9bf0c122c5b93c647bbc211685004feb96387c5e180d1d80  http___www.maurop.it_x7yvi0q7
  143. 4bb081df7a3af6c16eec40cf9b10869740ae05a2cd34750e6340291c47b91118  http___www.pastificiodelduca.com_xvpalefy5s
  144. 61328b54ea28641366b3fd4cfcd6f57bfb537c8b0c34eb4ab9adfd7a49aa7dfc  http___www.prometsrl.org_vcrhjnqh [6]
  145. 4321e0ceebf9d8cdd83bd6c5eb153060d1e36468a1e768a5dc554576f8ded94d  http___www.richtenberg.be_xoiuqt0tc
  146. bdd5cc6f8a5b97085d0223ff9fa139539a4959d7c69ecc593b194fa458d90744  http___www.topmag.com.cn_fy4ymmr
  147. - decoded
  148. 1e3fa998d6734385c019bf29a185495b519d1800f69ea84c288211108c278c3c [1]
  149. 34e0b2ac23de5ff5db3c6dcab9e68b2f694ad38d0cb91539c0dd2aa24089c8fd [2]
  150. 1cd2b01514fc3a5e4247a3438bfd4deea4fc549bf1f6f719a0904feaba53bae1 [3]
  151. 2e3b2a9da1430a93fcd4c39d0c934b854b845b90c53d8590e987b4cae5190254 [4]
  152. ebfd895af946fa8bd55a8d480f33d979c8a07a224899bd9134a60be84adcd84e [5]
  153. 5bdcc4e00bdc9533eb40b6a216a577c33ea6cdb5b65791e199b25b15055e89f2 [6]
  154. - executed by "rundll32.exe %TEMP%\<filename>.ZK,BPfXDy5deSOi3gcqEuQ1Zxk"
  155. - samples
  156. https://www.virustotal.com/file/1e3fa998d6734385c019bf29a185495b519d1800f69ea84c288211108c278c3c/analysis/1481589339/ [1]
  157. https://www.virustotal.com/file/b90b7af480de838f3d3a09f788c0331fc0482337d162b64d44b0fa994cde1052/analysis/1481589377/ [2]
  158. https://www.virustotal.com/file/1cd2b01514fc3a5e4247a3438bfd4deea4fc549bf1f6f719a0904feaba53bae1/analysis/1481589406/ [3]
  159. https://www.virustotal.com/file/69e62bf6e9c9e05b3cf0e0a5ad10a3bc1a39c1914f989f0c388dfec0e94bcd35/analysis/1481589442/ [4]
  160. https://www.virustotal.com/file/ebfd895af946fa8bd55a8d480f33d979c8a07a224899bd9134a60be84adcd84e/analysis/1481589485/ [5]
  161. https://www.virustotal.com/file/5bdcc4e00bdc9533eb40b6a216a577c33ea6cdb5b65791e199b25b15055e89f2/analysis/1481589516/ [6]
  162.  
  163. C2:
  164. POST http://185.46.11.236/checkupdate
  165. POST http://213.32.113.203/checkupdate
  166. POST http://91.200.14.109/checkupdate
  167. POST http://95.213.169.233/checkupdate
RAW Paste Data
Top