SHARE
TWEET

2016-12-19 Locky "Tracking Sheet"

Racco42 Dec 19th, 2016 (edited) 207 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-19: #locky email phishing campaign "Tracking Sheet"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------------------
  5. From: "luisa wallinger" <luisa.wallinger@overheadthealbatross.com>
  6. To: [REDACTED]
  7. Subject: Tracking Sheet
  8. Date: Tue, 20 Dec 2016 05:37:07 +0700
  9.  
  10. Dear all
  11.  
  12. please find attached sheet
  13.  
  14. Thanks
  15.  
  16. Attachment: Sheet 20-12-2016-9254.zip -> 24905681401.jse
  17. -----------------------------------------------------------------------------------------------------------------------
  18. - sender varies between emails
  19. - subject is "Tracking Sheet"
  20. - attached file "Sheet 20-12-2016-<4-6 digits>.zip" contains file "<11-12 digits>.jse", a JScript downloader (downloader is not encrypted as .jse would suggest, just plain .js)
  21.  
  22. Download sites (actual URL contains suffix ?<random>=<random> which does not influence download):
  23. http://alavatotal.com/byt4g3
  24. http://autonoom.org/byt4g3
  25. http://boyni.ru/byt4g3
  26. http://bummeln-um-die-welt.de/byt4g3
  27. http://canbal.net/byt4g3
  28. http://chmedonline.com/byt4g3
  29. http://conor.com.mx/byt4g3
  30. http://designerdogwear.com/byt4g3
  31. http://digital1.50webs.com/byt4g3
  32. http://drareum.com/byt4g3
  33. http://dream-road.jp/byt4g3
  34. http://drzalai.hu/byt4g3
  35. http://elfrasha.com/byt4g3
  36. http://followme.si/byt4g3
  37. http://forhealthatividadesfisicas.com/byt4g3
  38. http://hanavanpools.com/byt4g3
  39. http://hiveapps.co/byt4g3
  40. http://jira.fastfine.ru/byt4g3
  41. http://lib.yoll.net/byt4g3
  42. http://lombardimobili.it/byt4g3
  43. http://www.celoinvest.eu/byt4g3
  44. http://www.galerie-idees.fr/byt4g3
  45. http://www.garrox.com/byt4g3
  46. http://www.heartofchina.org/byt4g3
  47.  
  48. UPDATED:
  49. http://apocrif.ru/byt4g3
  50. http://cltserve.org/byt4g3
  51. http://cosita.awardspace.info/byt4g3
  52. http://crownfinancialsolutions.org/byt4g3
  53. http://culturepick.com/byt4g3
  54. http://cusushi.com/byt4g3
  55. http://dobrinin.ru/byt4g3
  56. http://dspace.us/byt4g3
  57. http://ecocredowoning.nl/byt4g3
  58. http://furniturlab.com/byt4g3
  59. http://galaxy-cosmetics.com/byt4g3
  60. http://gozovipsite.50webs.com/byt4g3
  61. http://hansfilz.de/byt4g3
  62. http://hennesseywelding.com/byt4g3
  63. http://www.dvdpostal.net/byt4g3
  64. http://www.falconriver.com/byt4g3
  65.  
  66. UPDATED:
  67. http://acp-dom.ru/byt4g3
  68. http://buzzardsroost.com/byt4g3
  69. http://bybeephoto.com/byt4g3
  70. http://cdsp.pl/byt4g3
  71. http://cherry-pik.com/byt4g3
  72. http://chinepromotions.com/byt4g3
  73. http://chmk.ca/byt4g3
  74. http://dechihuahuas.be/byt4g3
  75. http://deltaclub.org/byt4g3
  76. http://demail.eu/byt4g3
  77. http://directprotectsolutions.co.uk/byt4g3
  78. http://ellsley.com/byt4g3
  79. http://faithfull.kdm.pl/byt4g3
  80. http://gerkar.pl/byt4g3
  81. http://hongikmediaplus.com/byt4g3
  82. http://hootys.biz/byt4g3
  83. http://htocvt.org/byt4g3
  84. http://nui.tokyo/byt4g3
  85. http://rosenblut4u.de/byt4g3
  86. http://shema.org.ua/byt4g3
  87. http://www.bewustbv.nl/byt4g3
  88. http://www.cryoniq.com/byt4g3
  89.  
  90. Malware:
  91. - encoded on download SHA256 8a328f1550262db73c43be692e1a73ff06110dbaa39dbd90d95969c26cfa42ae, MD5 3fa1c27cbfda98a0ffb4171c3d25e40e
  92. - decoded SHA256 893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be, MD5 599713d3b9ad1607bd70f227e204fc84
  93. - executed by "rundll32.exe %TEMP%\<dll_name>.dll,novo"
  94. - sample https://www.virustotal.com/file/893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be/analysis/1482188508/
  95.  
  96. C2:
  97. POST http://176.121.14.95/checkupdate
  98. POST http://188.127.239.48/checkupdate
  99. POST http://193.201.225.124/checkupdate
  100. POST http://91.203.5.144/checkupdate
  101. POST http://91.223.180.3/checkupdate
RAW Paste Data
Top