- 2016-12-19: #locky email phishing campaign "Tracking Sheet"
- Email sample:
- -----------------------------------------------------------------------------------------------------------------------
- From: "luisa wallinger" <luisa.wallinger@overheadthealbatross.com>
- To: [REDACTED]
- Subject: Tracking Sheet
- Date: Tue, 20 Dec 2016 05:37:07 +0700
- Dear all
- please find attached sheet
- Thanks
- Attachment: Sheet 20-12-2016-9254.zip -> 24905681401.jse
- -----------------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Tracking Sheet"
- - attached file "Sheet 20-12-2016-<4-6 digits>.zip" contains file "<11-12 digits>.jse", a JScript downloader (despite the .jse extension the downloader is not encoded, just plain .js)
- Download sites (the actual URL carries a ?<random>=<random> query suffix that does not affect the download):
- http://alavatotal.com/byt4g3
- http://autonoom.org/byt4g3
- http://boyni.ru/byt4g3
- http://bummeln-um-die-welt.de/byt4g3
- http://canbal.net/byt4g3
- http://chmedonline.com/byt4g3
- http://conor.com.mx/byt4g3
- http://designerdogwear.com/byt4g3
- http://digital1.50webs.com/byt4g3
- http://drareum.com/byt4g3
- http://dream-road.jp/byt4g3
- http://drzalai.hu/byt4g3
- http://elfrasha.com/byt4g3
- http://followme.si/byt4g3
- http://forhealthatividadesfisicas.com/byt4g3
- http://hanavanpools.com/byt4g3
- http://hiveapps.co/byt4g3
- http://jira.fastfine.ru/byt4g3
- http://lib.yoll.net/byt4g3
- http://lombardimobili.it/byt4g3
- http://www.celoinvest.eu/byt4g3
- http://www.galerie-idees.fr/byt4g3
- http://www.garrox.com/byt4g3
- http://www.heartofchina.org/byt4g3
- UPDATED:
- http://apocrif.ru/byt4g3
- http://cltserve.org/byt4g3
- http://cosita.awardspace.info/byt4g3
- http://crownfinancialsolutions.org/byt4g3
- http://culturepick.com/byt4g3
- http://cusushi.com/byt4g3
- http://dobrinin.ru/byt4g3
- http://dspace.us/byt4g3
- http://ecocredowoning.nl/byt4g3
- http://furniturlab.com/byt4g3
- http://galaxy-cosmetics.com/byt4g3
- http://gozovipsite.50webs.com/byt4g3
- http://hansfilz.de/byt4g3
- http://hennesseywelding.com/byt4g3
- http://www.dvdpostal.net/byt4g3
- http://www.falconriver.com/byt4g3
- UPDATED:
- http://acp-dom.ru/byt4g3
- http://buzzardsroost.com/byt4g3
- http://bybeephoto.com/byt4g3
- http://cdsp.pl/byt4g3
- http://cherry-pik.com/byt4g3
- http://chinepromotions.com/byt4g3
- http://chmk.ca/byt4g3
- http://dechihuahuas.be/byt4g3
- http://deltaclub.org/byt4g3
- http://demail.eu/byt4g3
- http://directprotectsolutions.co.uk/byt4g3
- http://ellsley.com/byt4g3
- http://faithfull.kdm.pl/byt4g3
- http://gerkar.pl/byt4g3
- http://hongikmediaplus.com/byt4g3
- http://hootys.biz/byt4g3
- http://htocvt.org/byt4g3
- http://nui.tokyo/byt4g3
- http://rosenblut4u.de/byt4g3
- http://shema.org.ua/byt4g3
- http://www.bewustbv.nl/byt4g3
- http://www.cryoniq.com/byt4g3
- Malware:
- - payload as downloaded (encoded): SHA256 8a328f1550262db73c43be692e1a73ff06110dbaa39dbd90d95969c26cfa42ae, MD5 3fa1c27cbfda98a0ffb4171c3d25e40e
- - payload after decoding: SHA256 893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be, MD5 599713d3b9ad1607bd70f227e204fc84
- - executed by "rundll32.exe %TEMP%\<dll_name>.dll,novo"
- - sample https://www.virustotal.com/file/893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be/analysis/1482188508/
- C2:
- POST http://176.121.14.95/checkupdate
- POST http://188.127.239.48/checkupdate
- POST http://193.201.225.124/checkupdate
- POST http://91.203.5.144/checkupdate
- POST http://91.223.180.3/checkupdate
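As an added example (not part of the original paste), here is a small Python detection helper that turns the indicators above into checks a defender can run over mail-gateway attachment names, proxy logs and process command lines: the attachment naming pattern, the download URLs matched on host and path only (so the ?<random>=<random> suffix is ignored), the POST /checkupdate C2 beacons, and the rundll32 ...dll,novo execution pattern. The host set is a subset of the sheet's list to keep the block short, and the proxy log lines are constructed sample input.

```python
"""Detection helpers built from the Locky "Tracking Sheet" indicators above (added example)."""
import re
from urllib.parse import urlparse

# Indicators copied from the sheet; the download host set is a subset, extend it with the full list.
DOWNLOAD_HOSTS = {
    "alavatotal.com", "autonoom.org", "boyni.ru", "www.celoinvest.eu",
    "apocrif.ru", "acp-dom.ru", "nui.tokyo",
}
DOWNLOAD_PATH = "/byt4g3"
C2_HOSTS = {"176.121.14.95", "188.127.239.48", "193.201.225.124",
            "91.203.5.144", "91.223.180.3"}
C2_PATH = "/checkupdate"

# Attachment naming pattern: "Sheet 20-12-2016-<4-6 digits>.zip" containing "<11-12 digits>.jse"
ZIP_RE = re.compile(r"^Sheet 20-12-2016-\d{4,6}\.zip$", re.IGNORECASE)
JSE_RE = re.compile(r"^\d{11,12}\.jse$", re.IGNORECASE)
# Execution indicator from the sheet: rundll32.exe <path>.dll,novo
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,novo\b", re.IGNORECASE)


def matches_attachment(filename):
    """Return 'zip' or 'jse' when the file name fits the campaign pattern, else None."""
    if ZIP_RE.match(filename):
        return "zip"
    if JSE_RE.match(filename):
        return "jse"
    return None


def classify_url(url, method=None):
    """Classify a URL as 'download', 'c2' or None.

    The query string is discarded because the sheet notes that the
    ?<random>=<random> suffix does not affect the download; matching is on
    host and path only. C2 hits additionally require POST when a method is given.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return "download"
    if host in C2_HOSTS and path == C2_PATH and method in (None, "POST"):
        return "c2"
    return None


def matches_rundll32(command_line):
    """True when a process command line matches the rundll32 ...dll,novo execution pattern."""
    return RUNDLL_RE.search(command_line) is not None


# Constructed proxy log lines (not from the sheet), format: "<timestamp> <method> <url>"
SAMPLE_PROXY_LOG = """\
2016-12-20T05:40:01Z GET http://boyni.ru/byt4g3?k3j=92ls
2016-12-20T05:40:03Z POST http://91.203.5.144/checkupdate
2016-12-20T05:41:10Z GET http://example.invalid/index.html
2016-12-20T05:41:30Z GET http://boyni.ru/about
"""


def scan_proxy_log(text):
    """Return (timestamp, verdict, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        ts, method, url = parts
        verdict = classify_url(url, method.upper())
        if verdict:
            hits.append((ts, verdict, url))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Feed `scan_proxy_log` the relevant field slice of your own proxy export and `matches_attachment` the attachment names from the mail gateway; the two hits in the constructed log are the download of the .jse stage (query suffix stripped) and the C2 beacon.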