Racco42

2016-10-28 Locky "DOC, FAX, IMG, SCAN"

Oct 28th, 2016
2,143
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.83 KB | None | 0 0
  1. 2016-10-28: #locky email phishing campaign "DOC, FAX, IMG, SCAN"
  2.  
  3. Email sample:
  4. ----------------------------------------------------------------------------------------------------------------------
  5. From: "Etta" <Etta74@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: IMG_0069
  8. Date: Fri, 28 Oct 2016 11:13:12 -0500
  9.  
  10. Attached: IMG_0069.zip
  11. ----------------------------------------------------------------------------------------------------------------------
  12. - email sender varies between emails, but sender domain is same as recipient's
  13. - subject of the email is "DOC_<number>", "FAX_<number>", "IMG_<number>", "SCAN_<number>"
  14. - body of the email is empty
  15. - attached file name "<%subject%>.zip" contains file "<%subject%>.wsf", a JScript downloader
  16.  
  17. Download sites (the actuals URLs have suffix ?<random>=<random> which does not influence the download):
  18. http://00005ik.rcomhost.com/7fg3g
  19. http://104.131.83.218/7fg3g
  20. http://122.15.8.163/7fg3g
  21. http://1smart.nu/7fg3g
  22. http://2014.taktik-id.ch/7fg3g
  23. http://203kitchen.com/7fg3g
  24. http://2bconstruction.co.uk/7fg3g
  25. http://88.150.144.236/7fg3g
  26. http://94.127.33.126/7fg3g
  27. http://abn.info.ve/7fg3g
  28. http://accademiamoda.com/7fg3g
  29. http://ambrino.com/7fg3g
  30. http://arc.com.pk/7fg3g
  31. http://armcoinfrared.com/7fg3g
  32. http://armco-inspections.com/7fg3g
  33. http://artofovernight.com/7fg3g
  34. http://aspirekitchens.in/7fg3g
  35. http://autenticostacosdecanasta.com/7fg3g
  36. http://avnbiz.in/7fg3g
  37. http://batchmiami.com/7fg3g
  38. http://binarytradesignal.com/7fg3g
  39. http://blog.webskitters.com/7fg3g
  40. http://bptpm.sragenkab.go.id/7fg3g
  41. http://bpt.sragenkab.go.id/7fg3g
  42. http://brandactivators.be/7fg3g
  43. http://brinktest.com/7fg3g
  44. http://bruehwiler.ch/7fg3g
  45. http://caribbeachresort.com/7fg3g
  46. http://cemiselbiseleri.com/7fg3g
  47. http://charlesworth.com.ng/7fg3g
  48. http://chefsmart.com/7fg3g
  49. http://crewclaims-lubpi.com/7fg3g
  50. http://csrj-ah.rau.ro/7fg3g
  51. http://davepotterhonda.com.au/7fg3g
  52. http://dedicateddevelopers.us/7fg3g
  53. http://detrust888.com/7fg3g
  54. http://discoveryourevent.com/7fg3g
  55. http://dlmweddings.com/7fg3g
  56. http://dmg-properties.com/7fg3g
  57. http://dndwebtech.com/7fg3g
  58. http://dolutesisat.com/7fg3g
  59. http://dominatetheplate.com/7fg3g
  60. http://dotpixels.in/7fg3g
  61. http://ecolelavasa.edu.in/7fg3g
  62. http://ecolotienda.com/7fg3g
  63. http://ecommercedevelopment.us/7fg3g
  64. http://eipldevelopers.com/7fg3g
  65. http://empirek9.com/7fg3g
  66. http://empmon.com/7fg3g
  67. http://energiaadebate.info/7fg3g
  68. http://energietool.susteen.nl/7fg3g
  69. http://esnaftansatlik.com/7fg3g
  70. http://eurofruits.com/7fg3g
  71. http://excellentiasacademy.org/7fg3g
  72. http://fredandginger.com.au/7fg3g
  73. http://fshr.al/7fg3g
  74. http://givbee.com/7fg3g
  75. http://grandmar.nextmp.net/7fg3g
  76. http://hqunit.com/7fg3g
  77. http://innoservtest.in/7fg3g
  78. http://investps.com.au/7fg3g
  79. http://iridiumbox.com/7fg3g
  80. http://jasonvergara.com/7fg3g
  81. http://jobsdeed.com/7fg3g
  82. http://jrgolfbuddy.com/7fg3g
  83. http://keshamrit.com/7fg3g
  84. http://lmprojekte.de/7fg3g
  85. http://lolitojr.com.mx/7fg3g
  86. http://maheshpunjabi.com/7fg3g
  87. http://managedtech.net/7fg3g
  88. http://manuelcedeno.com/7fg3g
  89. http://meccinc.com/7fg3g
  90. http://metawellness.in/7fg3g
  91. http://mexusconsulting.com/7fg3g
  92. http://modelpayments.net/7fg3g
  93. http://mt-ph-champ.j-g.ch/7fg3g
  94. http://nationaltaxoffice.com/7fg3g
  95. http://palaschoga.com/7fg3g
  96. http://payserairan.com/7fg3g
  97. http://peggymurrahonline.com/7fg3g
  98. http://p-g-a.org/7fg3g
  99. http://primermundo.net/7fg3g
  100. http://pr.moi.go.th/7fg3g
  101. http://projectprocurement.com.au/7fg3g
  102. http://psagegenabsturz.de/7fg3g
  103. http://radiantstars.org/7fg3g
  104. http://rentadeplantaselectricas.com/7fg3g
  105. http://revistart.net/7fg3g
  106. http://robekadevelopment.com/7fg3g
  107. http://roommanageronline.com/7fg3g
  108. http://santtorre.com/7fg3g
  109. http://shreemahalaxmiagro.com/7fg3g
  110. http://site4.pulusajans.com/7fg3g
  111. http://skartusnea.net/7fg3g
  112. http://sne.bydgoszcz.pl/7fg3g
  113. http://socialcampaigns.co.in/7fg3g
  114. http://swarbandh.com/7fg3g
  115. http://tcmrecipe.com/7fg3g
  116. http://thingsandsuch.co.uk/7fg3g
  117. http://thungchang.go.th/7fg3g
  118. http://tradium.com.mx/7fg3g
  119. http://travellersstop.com/7fg3g
  120. http://turningpointdigital.com/7fg3g
  121. http://uscpl.net/7fg3g
  122. http://velociter.in/7fg3g
  123. http://vibrantdeal.com/7fg3g
  124. http://vintageprintable.com/7fg3g
  125. http://visbymaklarna.se/7fg3g
  126. http://vitasave.ca/7fg3g
  127. http://walkprint.com/7fg3g
  128. http://winawoof.com/7fg3g
  129. http://wordpress-developer.us/7fg3g
  130. http://www.designdepot.in/7fg3g
  131. http://www.kamakhyaits.com/7fg3g
  132. http://www.modwraps.com/7fg3g
  133. http://yellowbox.co.za/7fg3g
  134. http://yikson.com/7fg3g
  135. http://zarasresort.com/7fg3g
  136. http://zizicamarda.com/7fg3g
  137.  
  138.  
  139. Malware:
  140. - encoded on download, SHA256 19da9df3cde90416e64b9cee88df360cceb4dde4731d5bed9794f396d3322a24, filesize 237568 bytes
  141. - executed by "rundll32.exe %TEMP%\<dll_name>,EnhancedStoragePasswordConfig"
  142. - samples:
  143. https://www.reverse.it/sample/aeb6a2842628ffa6688fb7bde305ab00f4dc9e874f8d70865cc47545a0204839?environmentId=100
  144. https://www.reverse.it/sample/7575a384da1a464249cad3ac2cecc19e6435006ef5cd8a254cdbd490fa02ec0e?environmentId=100
  145. https://www.reverse.it/sample/6d8647d863c97b0347de9f08ff59499e077f010c8366d06abbae2610a66e1427?environmentId=100
  146. https://www.reverse.it/sample/2aa1228400c0e71cda456e1c31668dec8eadf3938819509d318e1cb2077d7088?environmentId=100
  147. https://www.reverse.it/sample/a71005d497d227e95968b3cd10f6172aca5d53782a9957b4662445fda5e2fe93?environmentId=100
  148. https://www.reverse.it/sample/d426eec3089c6193623f60df1b8f5d454a48a0648fdc85b331ae4397b2aa747b?environmentId=100
  149. https://www.reverse.it/sample/046605902ae8466d90948d54ac571295a359f8a2dc70fbdbd29d87c03d1196d4?environmentId=100
  150.  
  151. C2:
  152. POST 91.107.107.241:80/linuxsucks.php
  153. POST 46.148.26.99:80/linuxsucks.php
  154. POST uxpxpirusm.xyz:80/linuxsucks.php [192.42.116.41]
  155. POST qggdljlijbygeutc.click:80/linuxsucks.php [192.42.116.41]
  156. POST pqrifsjpryygmip.pw:80/linuxsucks.php [192.42.116.41]
  157. POST wbaskcsxiffiax.info:80/linuxsucks.php [69.195.129.70]
  158. POST fpeuwdde.xyz:80/linuxsucks.php [192.42.116.41]
Add Comment
Please, Sign In to add comment