Racco42

2016-10-27 Locky "Receipt"

Oct 27th, 2016
2016-10-27 #locky email phish campaign "Receipt NNN-NNNNN"

Email sample:
---------------------------------------------------------------------------------------------------------
From: bridgette.rushworth@gmail.com
To: [REDACTED]
Subject: Receipt 6970-463
Date: Thu, 27 Oct 2016 20:26:49 +0430

Attached: Receipt 6970-463.zip
---------------------------------------------------------------------------------------------------------
- sender varies between emails, but the domain is always @gmail.com
- subject is "Receipt <numbers>-<numbers>"
- body of the email is empty
- attached file "Receipt <numbers>-<numbers>.zip" contains the file "Receipt <numbers>-<numbers>.wsf", a JScript downloader

Download sites (actual URLs have the suffix ?<random>=<random>, which does not influence the download):

Malware:
- encoded on download, SHA256 6b7e2fab55586851bfcd8c6653a89321502ffbc6e73cdd015bf54f9c41bcbcee, filesize 176128 bytes
- decoded SHA256 021765c87962d63139b33213a72051b44c6b0b7223da76b97ce9cb22c50f63bc
- executed by "rundll32.exe %TEMP%\<dll_name>,EnhancedStoragePasswordConfig"
- samples:
https://www.reverse.it/sample/d5de5a4bba9aeefb0e211b196fb1d23c4b51fe91c3a2280a6c7629b1aa0660b5?environmentId=100
https://www.reverse.it/sample/86a15d2eb4a619c437594c85340a9bbf9ffcdebf2726e196152928bb4abdb1be?environmentId=100
https://www.reverse.it/sample/bc150fd9a4332786fdc129406c7774aa4d0689dd6ca6ac66daa5804782d4c107?environmentId=100

C2:
POST 91.201.202.12:80/linuxsucks.php
POST 213.159.214.86:80/linuxsucks.php
POST 83.217.11.193:80/linuxsucks.php
POST ewrxmvrrhkvd.ru:80/linuxsucks.php [192.42.116.41]

Other DNS requests:
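Triage logic for the traits recorded in this note (gmail sender, "Receipt N-N" subject, empty body, zip holding a .wsf, the rundll32 export, the C2 POST path). This is an added example written for this page, not part of the original paste; the zip attachment and log lines are constructed, and the trait labels are my own.

```python
import io
import re
import zipfile

# Indicators copied from the campaign notes above.
SUBJECT_RE = re.compile(r"^Receipt \d+-\d+$")
SENDER_DOMAIN = "gmail.com"
C2_PATH = "/linuxsucks.php"
RUNDLL_EXPORT = "EnhancedStoragePasswordConfig"


def score_email(sender, subject, body, attachment_name, attachment_bytes):
    """Return the campaign traits an inbound mail exhibits (labels are mine)."""
    hits = []
    if sender.lower().rsplit("@", 1)[-1] == SENDER_DOMAIN:
        hits.append("gmail-sender")
    if SUBJECT_RE.match(subject):
        hits.append("receipt-subject")
    if not body.strip():
        hits.append("empty-body")
    # The notes show the zip named exactly after the subject line.
    if attachment_name and attachment_name.lower() == f"{subject.lower()}.zip":
        hits.append("zip-named-after-subject")
    if attachment_bytes:
        try:
            with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
                if any(n.lower().endswith(".wsf") for n in zf.namelist()):
                    hits.append("wsf-in-zip")
        except zipfile.BadZipFile:
            pass  # not a zip at all; other traits still count
    return hits


def log_line_hits(line):
    """Flag proxy or process-audit lines matching the post-infection IoCs."""
    hits = []
    if re.search(r"\bPOST\b.*" + re.escape(C2_PATH), line):
        hits.append("locky-c2-post")
    lowered = line.lower()
    if "rundll32" in lowered and RUNDLL_EXPORT.lower() in lowered:
        hits.append("rundll32-locky-export")
    return hits


def make_sample_zip(inner_name):
    """Constructed attachment: a zip holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder text, not the real downloader")
    return buf.getvalue()
```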