2016-11-01 Locky "DSCFxxxx.pdf"

Racco42, Nov 2nd, 2016
2016-11-01: #locky email phishing campaign "DSCFxxxx.pdf"

Email sample:
--------------------------------------------------------------------------------------------------------------
From: DOLORES COULING <dolores.6768@freepokerbank.com>
To: [REDACTED]
Subject: DSCF7053.pdf
Date: Tue, 01 Nov 2016 17:12:34 -0500

Attachment: DSCF7053.zip
--------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "DSCF<4 numbers>.pdf"
- body of the email is empty
- attached file "DSCF<4 numbers>.zip" contains file "DSCF<4 numbers>.wsf", a JScript downloader

Download sites (actual URLs contain the suffix ?<random>=<random>, which does not influence the download):

Malware:
- encoded on download, SHA256 fc7bcf028e10273d57c55034d2175f8074fa0b0dee7403a285c8da4b606d4a2b, filesize 323584
- decoded SHA256 3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93, MD5 83767f75cdef5a5eeb8eb8d6a8e2e0f6
- executed by "rundll32.exe <dll_name>,EnhancedStoragePasswordConfig"
- samples:
https://www.virustotal.com/en/file/3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93/analysis/

C2:
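As an added detection example (not part of the original paste), the following Python triages a message against the lure traits listed in the note (DSCF<4 numbers>.pdf subject, empty body, DSCF<4 numbers>.zip attachment holding a .wsf) and tags proxy log lines that request the download path /76vvyt or POST to the C2 path /linuxsucks.php. The proxy log format, timestamps, client addresses, query strings and the placeholder .wsf content are constructed assumptions.

```python
import io, re, zipfile
from urllib.parse import urlsplit
# Lure naming, download path and C2 path come from the campaign note above.
SUBJECT_RE = re.compile(r"^DSCF\d{4}\.pdf$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^DSCF\d{4}\.zip$", re.IGNORECASE)
DOWNLOAD_PATH = "/76vvyt"
C2_PATH = "/linuxsucks.php"

def triage_email(subject, body, attachment_name, attachment_bytes):
    """Return the lure traits this message shares with the campaign (empty if none)."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject DSCF<4 digits>.pdf")
    if not body.strip():
        reasons.append("empty body")
    if ZIP_NAME_RE.match(attachment_name):
        reasons.append("attachment DSCF<4 digits>.zip")
        buf = io.BytesIO(attachment_bytes)
        if zipfile.is_zipfile(buf):  # a corrupt or fake zip is still reported above
            with zipfile.ZipFile(buf) as zf:
                wsf = [n for n in zf.namelist() if n.lower().endswith(".wsf")]
            if wsf:
                reasons.append("zip contains .wsf: " + ", ".join(wsf))
    return reasons

def flag_web_log(lines):
    """Tag proxy lines '<ts> <client> <method> <url>' hitting the download or C2 path."""
    hits = []
    for line in lines:
        _ts, client, method, url = line.split()
        path = urlsplit(url).path  # ignores the ?<random>=<random> suffix
        if path == DOWNLOAD_PATH:
            hits.append((client, "downloader-fetch", url))
        elif method == "POST" and path == C2_PATH:
            hits.append((client, "c2-post", url))
    return hits

def build_sample_zip():
    """Constructed stand-in for the attachment: a zip holding a placeholder .wsf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DSCF7053.wsf", "// placeholder, not the real script\n")
    return buf.getvalue()

# Constructed proxy lines: timestamp, client address and query string are made up.
SAMPLE_LOG = [
    "2016-11-01T22:13:01Z 10.0.0.5 GET http://abgr.ru/76vvyt?ab=cd",
    "2016-11-01T22:13:04Z 10.0.0.5 POST http://194.28.87.26/linuxsucks.php",
    "2016-11-01T22:14:00Z 10.0.0.7 GET http://example.com/index.html",
]
```

A client that shows both a downloader-fetch and a later c2-post is the pattern worth escalating; a single subject match alone is only a lure indicator.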