- 2016-10-27 #locky email phish campaign "Receipt NNN-NNNNN"
- Email sample:
- ---------------------------------------------------------------------------------------------------------
- From: bridgette.rushworth@gmail.com
- To: [REDACTED]
- Subject: Receipt 6970-463
- Date: Thu, 27 Oct 2016 20:26:49 +0430
- Attached: Receipt 6970-463.zip
- ---------------------------------------------------------------------------------------------------------
- - sender varies between emails, but the domain is always @gmail.com
- - subject is "Receipt <numbers>-<numbers>"
- - body of the email is empty
- - attached file "Receipt <numbers>-<numbers>.zip" contains file "Receipt <numbers>-<numbers>.wsf", a JScript downloader
- Download sites (actual URLs have suffix ?<random>=<random> which does not influence the download):
- Malware:
- - downloaded in encoded form: SHA256 6b7e2fab55586851bfcd8c6653a89321502ffbc6e73cdd015bf54f9c41bcbcee, filesize 176128 bytes
- - decoded by the downloader: SHA256 021765c87962d63139b33213a72051b44c6b0b7223da76b97ce9cb22c50f63bc
- - executed by "rundll32.exe %TEMP%\<dll_name>,EnhancedStoragePasswordConfig" (the decoded payload is a DLL, loaded through that export)
- - samples
- https://www.reverse.it/sample/d5de5a4bba9aeefb0e211b196fb1d23c4b51fe91c3a2280a6c7629b1aa0660b5?environmentId=100
- https://www.reverse.it/sample/86a15d2eb4a619c437594c85340a9bbf9ffcdebf2726e196152928bb4abdb1be?environmentId=100
- https://www.reverse.it/sample/bc150fd9a4332786fdc129406c7774aa4d0689dd6ca6ac66daa5804782d4c107?environmentId=100
- C2:
- POST 91.201.202.12:80/linuxsucks.php
- POST 213.159.214.86:80/linuxsucks.php
- POST 83.217.11.193:80/linuxsucks.php
- POST ewrxmvrrhkvd.ru:80/linuxsucks.php [192.42.116.41]
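As an added example (not part of the paste), the email traits, the download path and the C2 path above expressed as detection logic, run over a constructed message and constructed proxy log lines; the sender and subject come from the paste's email sample, while the client IP, the recipient and the download host are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Indicator values are quoted from the paste; the sample message and log lines are constructed.
DOWNLOAD_PATH = "/g67eihnrv"    # the ?<random>=<random> suffix is ignored
C2_PATH = "/linuxsucks.php"     # always contacted with POST
SUBJECT_RE = re.compile(r"^Receipt \d+-\d+$")
ZIP_RE = re.compile(r"^Receipt \d+-\d+\.zip$", re.IGNORECASE)

def matches_phish(raw_message):
    """True when a raw RFC 822 message shows all four traits listed in the paste."""
    msg = message_from_string(raw_message)
    if not (msg.get("From", "").strip().lower().endswith("@gmail.com")
            and SUBJECT_RE.match(msg.get("Subject", "").strip())):
        return False
    has_zip, body_empty = False, True
    for part in msg.walk():
        name = part.get_filename()
        if name and ZIP_RE.match(name):
            has_zip = True
        elif part.get_content_type() == "text/plain":
            body_empty &= not (part.get_payload(decode=True) or b"").strip()
    return has_zip and body_empty

def classify_request(method, url):
    """'download' for a GET of the payload path, 'c2' for a POST to the C2 path, else None."""
    path = urlsplit(url).path    # compare the path only, so the random query cannot evade it
    return {("GET", DOWNLOAD_PATH): "download", ("POST", C2_PATH): "c2"}.get((method, path))

def scan_proxy_log(lines):
    """Return (client, verdict, url) for matching 'date time client METHOD url status' lines."""
    hits = []
    for fields in (line.split() for line in lines):
        verdict = classify_request(fields[3], fields[4]) if len(fields) >= 6 else None
        if verdict:
            hits.append((fields[2], verdict, fields[4]))
    return hits

SAMPLE_EMAIL = (  # constructed; sender and subject as in the paste's sample
    "From: bridgette.rushworth@gmail.com\nTo: victim@example.org\nSubject: Receipt 6970-463\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n\n"
    '--b1\nContent-Type: application/zip; name="Receipt 6970-463.zip"\n'
    'Content-Disposition: attachment; filename="Receipt 6970-463.zip"\n\nUEsDBA==\n--b1--\n')
SAMPLE_LOG = [  # constructed proxy lines; the download host is a placeholder
    "2016-10-27 15:58:01 10.0.0.5 GET http://compromised-site.example/g67eihnrv?h2k=9fz 200",
    "2016-10-27 15:58:02 10.0.0.5 GET http://www.example.com/g67eihnrv.png 200",
    "2016-10-27 15:58:09 10.0.0.5 POST http://91.201.202.12:80/linuxsucks.php 200",
]
```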
- Other DNS requests: