API tools faq
paste
Racco42

2016-10-28 Locky "DOC, FAX, IMG, SCAN"

Racco42
Oct 28th, 2016
2,101
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.83 KB | None | 0 0
raw download clone embed print report
  1. 2016-10-28: #locky email phishing campaign "DOC, FAX, IMG, SCAN"
  2.  
  3. Email sample:
  4. ----------------------------------------------------------------------------------------------------------------------
  5. From: "Etta" <Etta74@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: IMG_0069
  8. Date: Fri, 28 Oct 2016 11:13:12 -0500
  9.  
  10. Attached: IMG_0069.zip
  11. ----------------------------------------------------------------------------------------------------------------------
  12. - email sender varies between emails, but sender domain is same as recipient's
  13. - subject of the email is "DOC_<number>", "FAX_<number>", "IMG_<number>", "SCAN_<number>"
  14. - body of the email is empty
  15. - attached file name "<%subject%>.zip" contains file "<%subject%>.wsf", a JScript downloader
  16.  
  17. Download sites (the actuals URLs have suffix ?<random>=<random> which does not influence the download):
  18. http://00005ik.rcomhost.com/7fg3g
  19. http://104.131.83.218/7fg3g
  20. http://122.15.8.163/7fg3g
  21. http://1smart.nu/7fg3g
  22. http://2014.taktik-id.ch/7fg3g
  23. http://203kitchen.com/7fg3g
  24. http://2bconstruction.co.uk/7fg3g
  25. http://88.150.144.236/7fg3g
  26. http://94.127.33.126/7fg3g
  27. http://abn.info.ve/7fg3g
  28. http://accademiamoda.com/7fg3g
  29. http://ambrino.com/7fg3g
  30. http://arc.com.pk/7fg3g
  31. http://armcoinfrared.com/7fg3g
  32. http://armco-inspections.com/7fg3g
  33. http://artofovernight.com/7fg3g
  34. http://aspirekitchens.in/7fg3g
  35. http://autenticostacosdecanasta.com/7fg3g
  36. http://avnbiz.in/7fg3g
  37. http://batchmiami.com/7fg3g
  38. http://binarytradesignal.com/7fg3g
  39. http://blog.webskitters.com/7fg3g
  40. http://bptpm.sragenkab.go.id/7fg3g
  41. http://bpt.sragenkab.go.id/7fg3g
  42. http://brandactivators.be/7fg3g
  43. http://brinktest.com/7fg3g
  44. http://bruehwiler.ch/7fg3g
  45. http://caribbeachresort.com/7fg3g
  46. http://cemiselbiseleri.com/7fg3g
  47. http://charlesworth.com.ng/7fg3g
  48. http://chefsmart.com/7fg3g
  49. http://crewclaims-lubpi.com/7fg3g
  50. http://csrj-ah.rau.ro/7fg3g
  51. http://davepotterhonda.com.au/7fg3g
  52. http://dedicateddevelopers.us/7fg3g
  53. http://detrust888.com/7fg3g
  54. http://discoveryourevent.com/7fg3g
  55. http://dlmweddings.com/7fg3g
  56. http://dmg-properties.com/7fg3g
  57. http://dndwebtech.com/7fg3g
  58. http://dolutesisat.com/7fg3g
  59. http://dominatetheplate.com/7fg3g
  60. http://dotpixels.in/7fg3g
  61. http://ecolelavasa.edu.in/7fg3g
  62. http://ecolotienda.com/7fg3g
  63. http://ecommercedevelopment.us/7fg3g
  64. http://eipldevelopers.com/7fg3g
  65. http://empirek9.com/7fg3g
  66. http://empmon.com/7fg3g
  67. http://energiaadebate.info/7fg3g
  68. http://energietool.susteen.nl/7fg3g
  69. http://esnaftansatlik.com/7fg3g
  70. http://eurofruits.com/7fg3g
  71. http://excellentiasacademy.org/7fg3g
  72. http://fredandginger.com.au/7fg3g
  73. http://fshr.al/7fg3g
  74. http://givbee.com/7fg3g
  75. http://grandmar.nextmp.net/7fg3g
  76. http://hqunit.com/7fg3g
  77. http://innoservtest.in/7fg3g
  78. http://investps.com.au/7fg3g
  79. http://iridiumbox.com/7fg3g
  80. http://jasonvergara.com/7fg3g
  81. http://jobsdeed.com/7fg3g
  82. http://jrgolfbuddy.com/7fg3g
  83. http://keshamrit.com/7fg3g
  84. http://lmprojekte.de/7fg3g
  85. http://lolitojr.com.mx/7fg3g
  86. http://maheshpunjabi.com/7fg3g
  87. http://managedtech.net/7fg3g
  88. http://manuelcedeno.com/7fg3g
  89. http://meccinc.com/7fg3g
  90. http://metawellness.in/7fg3g
  91. http://mexusconsulting.com/7fg3g
  92. http://modelpayments.net/7fg3g
  93. http://mt-ph-champ.j-g.ch/7fg3g
  94. http://nationaltaxoffice.com/7fg3g
  95. http://palaschoga.com/7fg3g
  96. http://payserairan.com/7fg3g
  97. http://peggymurrahonline.com/7fg3g
  98. http://p-g-a.org/7fg3g
  99. http://primermundo.net/7fg3g
  100. http://pr.moi.go.th/7fg3g
  101. http://projectprocurement.com.au/7fg3g
  102. http://psagegenabsturz.de/7fg3g
  103. http://radiantstars.org/7fg3g
  104. http://rentadeplantaselectricas.com/7fg3g
  105. http://revistart.net/7fg3g
  106. http://robekadevelopment.com/7fg3g
  107. http://roommanageronline.com/7fg3g
  108. http://santtorre.com/7fg3g
  109. http://shreemahalaxmiagro.com/7fg3g
  110. http://site4.pulusajans.com/7fg3g
  111. http://skartusnea.net/7fg3g
  112. http://sne.bydgoszcz.pl/7fg3g
  113. http://socialcampaigns.co.in/7fg3g
  114. http://swarbandh.com/7fg3g
  115. http://tcmrecipe.com/7fg3g
  116. http://thingsandsuch.co.uk/7fg3g
  117. http://thungchang.go.th/7fg3g
  118. http://tradium.com.mx/7fg3g
  119. http://travellersstop.com/7fg3g
  120. http://turningpointdigital.com/7fg3g
  121. http://uscpl.net/7fg3g
  122. http://velociter.in/7fg3g
  123. http://vibrantdeal.com/7fg3g
  124. http://vintageprintable.com/7fg3g
  125. http://visbymaklarna.se/7fg3g
  126. http://vitasave.ca/7fg3g
  127. http://walkprint.com/7fg3g
  128. http://winawoof.com/7fg3g
  129. http://wordpress-developer.us/7fg3g
  130. http://www.designdepot.in/7fg3g
  131. http://www.kamakhyaits.com/7fg3g
  132. http://www.modwraps.com/7fg3g
  133. http://yellowbox.co.za/7fg3g
  134. http://yikson.com/7fg3g
  135. http://zarasresort.com/7fg3g
  136. http://zizicamarda.com/7fg3g
  137.  
  138.  
  139. Malware:
  140. - encoded on download, SHA256 19da9df3cde90416e64b9cee88df360cceb4dde4731d5bed9794f396d3322a24, filesize 237568 bytes
  141. - executed by "rundll32.exe %TEMP%\<dll_name>,EnhancedStoragePasswordConfig"
  142. - samples:
  143. https://www.reverse.it/sample/aeb6a2842628ffa6688fb7bde305ab00f4dc9e874f8d70865cc47545a0204839?environmentId=100
  144. https://www.reverse.it/sample/7575a384da1a464249cad3ac2cecc19e6435006ef5cd8a254cdbd490fa02ec0e?environmentId=100
  145. https://www.reverse.it/sample/6d8647d863c97b0347de9f08ff59499e077f010c8366d06abbae2610a66e1427?environmentId=100
  146. https://www.reverse.it/sample/2aa1228400c0e71cda456e1c31668dec8eadf3938819509d318e1cb2077d7088?environmentId=100
  147. https://www.reverse.it/sample/a71005d497d227e95968b3cd10f6172aca5d53782a9957b4662445fda5e2fe93?environmentId=100
  148. https://www.reverse.it/sample/d426eec3089c6193623f60df1b8f5d454a48a0648fdc85b331ae4397b2aa747b?environmentId=100
  149. https://www.reverse.it/sample/046605902ae8466d90948d54ac571295a359f8a2dc70fbdbd29d87c03d1196d4?environmentId=100
  150.  
  151. C2:
  152. POST 91.107.107.241:80/linuxsucks.php
  153. POST 46.148.26.99:80/linuxsucks.php
  154. POST uxpxpirusm.xyz:80/linuxsucks.php [192.42.116.41]
  155. POST qggdljlijbygeutc.click:80/linuxsucks.php [192.42.116.41]
  156. POST pqrifsjpryygmip.pw:80/linuxsucks.php [192.42.116.41]
  157. POST wbaskcsxiffiax.info:80/linuxsucks.php [69.195.129.70]
  158. POST fpeuwdde.xyz:80/linuxsucks.php [192.42.116.41]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!