2016-11-22 #locky email phishing campaign "Please note"
Email sample:
---------------------------------------------------------------------------------------------------------------
From: "Zane Wilcox" <Wilcox.Zane@green-prevention.com>
To: [REDACTED]
Subject: Please note
Date: Wed, 23 Nov 2016 00:39:23 +0700
Dear [REDACTED]
Your tax bill debt due date is today. Please fulfill the debt.
All the information and payment instructions can be found in the attached document.
Best Wishes,
Zane Wilcox
Tax Collector
Te.: (534) 494-26-81
Attachment: tax_[REDACTED].zip
---------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Please note"
- attached file "tax_<recipient name>.zip" contains file "<random upper chars and digits>.js", a JScript downloader
Download sites:
- http://9diao.cn/orejf0ynfc
- http://buddrag.net/czwov
- http://buddrag.net/dfhvea
- http://buddrag.net/rpo0yea
- http://chinadj.org/fby7wyrgd
- http://coilgalvalumemurah.com/fzrvcr4
- http://coilgalvalumemurah.com/wz8qk
- http://cx2ip140.x-y.net/jtqtnq9r
- http://editoramanancial.com/qa9acs7dhp
- http://enalab.com/chrnqnlu5
- http://flexflex.nl/oh82yx3lk
- http://fluke435.com/jnoc78v7
- http://fonteaulente.com/kzmle
- http://frederic-moreno.pl/wqz8vqgnv
- http://frvr.com.ar/pcdxr7thd
- http://fulon.com/jcweyo1ly1
- http://fungasoap.net/uezm455f
- http://funkybytes.fr/zkgfgyu
- http://futuregroup.cz/qhzqqi8ov
- http://fuzon.be/j8yzebw25
- http://g9bangkok.com/5mc03zwxir
- http://ganetek.com/gdjz2p
- http://gannanhome.com/ypwyqk
- http://garenaqua.com/0r8lo0wq
- http://gatelink.com.my/2iiizo
- http://gaznordest.ro/pkq732q
- http://gcpartyhire.com.au/phbn94p
- http://giasungoaingu.net/stg2fdb6
- http://gilpat.com/mcocadipxk
- http://glutax-ori.com/cmpffbp
- http://gnnet.co.kr/9mnpz
- http://goldensail.ru/t4hl9mmv
- http://golden-y.com/ekihdxq5yf
- http://gold-insurance.com/jshh0ac0
- http://golfmajor.eu/j2ipf6
- http://gostaythere.com/mbuy1
- http://gosto.cn/pq7we
- http://gotm.ru/ejbxutnj
- http://govorokhm.ru/huz9ex2sd8
- http://gxhedu.net/vbbc0zlax
- http://haboe.com.ua/qbmcirsqoj
- http://hallucigenia.info/ssotk
- http://hamroinvestments.com/kb2gvuxo
- http://hddtk.com/zgvi1mf436
- http://hdspycamera.ro/kcjow
- http://hermeticoclub.com/oplluugz4f
- http://hero-ny.org/epdneamss
- http://hiperonline.net/du0lc
- http://hoangluong.com/hek6ue
- http://hobbis.cz/uhfeii
- http://inetcon.de/klorgo5
- http://inzt.net/ypwyqk
- http://limnseck.com/syqdl
- http://limnseck.com/to432
- http://limnseck.com/yaw3klf5
- http://limnseck.com/zqfjbxzfto
- http://mgpu.gomel.by/ui9ronmx
- http://monowheels.ru/sqwghtw1
- http://notgeile-amateure.com/6ecwxzqz
- http://outercerci.net/edsdokp
- http://outercerci.net/fx5q7
- http://outercerci.net/m63zr4
- http://outercerci.net/pdaketz3uk
- http://puntiporch.net/jnjonirht
- http://puntiporch.net/kkeai
- http://puntiporch.net/r9ugx
- http://puntiporch.net/tzvhayijkz
- http://teemicky.com/dhn9k4v5yb
- http://teemicky.com/gbmvtz
- http://teemicky.com/jelowc
- http://teemicky.com/l5tdvnso
- http://test.h2604508.stratoserver.net/laieikwin
Malware:
- encoded on download (SHA-256 of the file as served, with its source URL; a [n] tag links the sample to its decoded form below)
- 11529688b559f019a01c49f3de697a34386da691a5b14f20662515c4929559b2 http___9diao.cn_orejf0ynfc
- ba60002bfc3fca40e78a2a78bc0662c8c89cbbdaf31a5fb224941fd109472322 http___chinadj.org_fby7wyrgd
- 302cdd99b919c820a6601c75e90d01f57ce28ea00fb63651c12b89d4dadabf27 http___coilgalvalumemurah.com_fzrvcr4
- 1a4a79039119507ab1806c0deb0bdde8c93a6afc6ffaac672fa8d7897b4bbab0 http___coilgalvalumemurah.com_wz8qk [5]
- cffda04a8e183ab51f5f513278967bb75b987b1a61c38e2127a70f375a3add94 http___cx2ip140.x-y.net_jtqtnq9r
- ea738d2c5a712b45e7d9d6d9bba4077c343592bc105cdfa7526640a4434997f5 http___editoramanancial.com_qa9acs7dhp
- 81dae5d2991d57fe2fd6b245146afe23c9d6dd53fef0d1690c20ddc62f44eaf9 http___enalab.com_chrnqnlu5
- 424b4bb7446cf89f549815673c0cb64ac29309bc8895875c938e51a22af37038 http___flexflex.nl_oh82yx3lk [3]
- fc74e2fcbea599297f53be370c1a233599005d6d33665b1ebb834f41a11227ee http___fluke435.com_jnoc78v7
- 27ca250aec4d0064e95475b52ce139f3deaaeb9431349b5a08b2bfed3fae70b2 http___fonteaulente.com_kzmle
- f16e51cc13da38793f41c1ca5790579d20242f157e3448967040a10c4a09427e http___frederic-moreno.pl_wqz8vqgnv [2]
- 6d1fbda98ccc8e473537536736db996ad4abef7b371091bf892e878922ba11a6 http___frvr.com.ar_pcdxr7thd
- bb1b70b1e8c6bc899a0aa9da106ca9118acf10b7313b07264307ff9bfc95264e http___fulon.com_jcweyo1ly1
- 368fbd7a4c825b4c0ae7a599958b395e0ad929b25f6af7438db3ca7e905e9abd http___funkybytes.fr_zkgfgyu
- 8fb8e6394862a29abf08cd9ccc5804de6b4aa56080a697203d540e612ab84fed http___futuregroup.cz_qhzqqi8ov
- 70b1632e18348f911ffdeb596b0aa241de714286d790ab14056164e99a35e30d http___fuzon.be_j8yzebw25
- a53823f88cd7069839abafa374ce5e6c35d3eb60e944391e015b737f7b017e10 http___g9bangkok.com_5mc03zwxir
- fda3bd526e7e0ae30610354ea3fe4e2b05be4e233bbe0ea484ff19d5d2d17267 http___ganetek.com_gdjz2p
- 1ebb4055fa978a2a1708b27768dc985ff39c314ecacfbc3f475e9656806a8fbb http___gannanhome.com_ypwyqk [4]
- e147af8722e8436701799157dbc6dd3744814ccb773bcfbde8c3adf06e7a7067 http___garenaqua.com_0r8lo0wq
- c7eaad2b01f53c8f226fece7bdad61bb682deb82a45da7da1e600f1049e60a0b http___gatelink.com.my_2iiizo
- 53db880865dc34d21221675eadd0479676ab965b9e1c0167cc83724706efccdd http___gaznordest.ro_pkq732q
- fe215f19d2d7a077df03c4835224bbba7106f587226333e4a2bdaf6f10136f93 http___gcpartyhire.com.au_phbn94p
- 512482a17baa04c1d9212433756d15d1a9c2b1ed580ac98d271ca8b106f809f6 http___giasungoaingu.net_stg2fdb6
- 26118094f33671cf28f13b7cde17a58b84e7c7e1df18df54153ce2f7590b6530 http___gilpat.com_mcocadipxk
- 7451bb46fb6f05beca3ddeb46c0b6b547a5931ccd8abf2688dc51685e5100f7c http___glutax-ori.com_cmpffbp
- 0fb68a655ea320f9cf86f3eabd6864a9eecb32faef86815d11197943a854bb25 http___gnnet.co.kr_9mnpz
- c2af122863a79e471be4635642ae4619275b755a4d0d2a444bf0b27569e41d85 http___goldensail.ru_t4hl9mmv
- a2561c5b49e4c7398165edb71d1ac8a4488a02410b81427055be5717d6ba6875 http___golden-y.com_ekihdxq5yf [1]
- b2da2251e77de0b7319c2f393fd7320b759fc17b227562f51bde5af1e8e1a04b http___gold-insurance.com_jshh0ac0
- b3708dae0351682d07501433ec91d606a1230a4fdc1af830767cded980725779 http___golfmajor.eu_j2ipf6
- 026b4ab90f756624708c8449d270f88d8a1f538dde2c55aa4282822a1ce3e973 http___gostaythere.com_mbuy1
- 066ec5ace87bf441ef7ffceffb7375260b582851e79c904769ea6d596f0cf155 http___gosto.cn_pq7we
- 8fc7579cf776403e1a3904d0f5d998753c9f09bae8753d533064b7f89c64e7e2 http___gotm.ru_ejbxutnj
- 3cff80a8e60c939367e95917175c17c478f8be93695132ed36681a9098273049 http___govorokhm.ru_huz9ex2sd8
- cf70a3a6d80f8756a70bc5f7ef53a93ddddf883c8f1da70e11e277521b33c456 http___haboe.com.ua_qbmcirsqoj
- 698804522909834ec429715ab7744ba9f56de79a1069772d88718ed37a1395b8 http___hallucigenia.info_ssotk [6]
- d63a3fa57761e10538e08dcfe3017e6c7053a6205203baec33b48af1331e96eb http___hdspycamera.ro_kcjow
- 9f23002e9051094412c259409bd88c1ce400646a57d58a294e68d79341953a09 http___hermeticoclub.com_oplluugz4f
- c806fea8bbbfccd8d3d3ff580afb86f3996405a5c2fb291d69e2dfd85bb2e433 http___hero-ny.org_epdneamss
- b6b9ec564b15232889bdf74e531022048f42eafbbc7ef25a5d5c56317c7cc618 http___hiperonline.net_du0lc
- 1a9cab03b1a250704189c16a25e2d6c68739b934084b23d946412710ef0f7fff http___hoangluong.com_hek6ue
- 4e15f12856b06841803e559adceeacadd697ff67302f4aa0a99b4f08d348fc95 http___inetcon.de_klorgo5
- 1ebb4055fa978a2a1708b27768dc985ff39c314ecacfbc3f475e9656806a8fbb http___inzt.net_ypwyqk
- 2c37a25c3ed1c160813caa71552a1d7da1b5407a3d3f1107fc66851c4a1f9ad1 http___mgpu.gomel.by_ui9ronmx
- 62a2c041e3b2988fc663fff99f553d7f7d7391893dc43989c26f8120a6bd0dad http___monowheels.ru_sqwghtw1
- 21fd999fa0def6aa875ee8ce682a769b670478961b55e67b794efed29766ce4e http___notgeile-amateure.com_6ecwxzqz
- e01d7a9504edc27cffa3d912c0acf3fdf1de9837bc609a5632b064618fa86dd6 http___test.h2604508.stratoserver.net_laieikwin
- decoded ([n] matches the tag on the encoded sample above)
- 29414757b3482c3a85cb2fbc35fdba43a3406dca995c5a8201a864f74d89ddbe [1]
- d3faa5044420e70d4ca633c42edd0c988aa906edba935fbc3d21bd70ccb4625a [2]
- 0fe2e4d93041695cbc2d585f9cd9bbeb93fe75be9558df963ba6dc5532e2b2dc [3]
- aeed8144080e45a4994ffa08fcb7430ce730081ff3e2bb1da7422f1f10dbcf91 [4]
- 1f863d2abf7a4ccef4b855856ac7910b6b581dde8294b14ee0500deba22722e9 [5]
- 9951eef68c1734132499a627978f2066ac81b45c2e6b935d36da4032b2c9464c [6]
- executed by "rundll32.exe %TEMP%\<dll_name>,hJvPRXDWYR" (the decoded payload is a DLL written to the user's temp directory and started through its export hJvPRXDWYR)
C2:
- POST http://195.123.209.8/information.cgi
- POST http://213.32.66.16/information.cgi
- POST http://95.213.186.93/information.cgi
- POST http://aarmkgw.ru/information.cgi
- POST http://dhmpxbtaby.pl/information.cgi
- POST http://doakqyc.biz/information.cgi
- POST http://dpmtlqndkq.pl/information.cgi
- POST http://ghaapfjehrjuuwex.pl/information.cgi
- POST http://gjwfccqk.info/information.cgi
- POST http://ikbjdclqadoai.xyz/information.cgi
- POST http://jvbbuowmklejsiqsf.org/information.cgi
- POST http://kerfsbsrsdiqlobox.click/information.cgi
- POST http://qwboftw.su/information.cgi
- POST http://wajbybkasd.su/information.cgi
- POST http://wifjrnhmhcnplta.click/information.cgi
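Defender-side use of the indicators above, as an added example that is not part of the original paste: a small scanner that checks process-creation and web-proxy log lines for the two behaviours the paste documents, rundll32.exe starting a DLL from %TEMP% (the campaign's export name hJvPRXDWYR being a high-confidence match, any other export from a temp path a weaker behavioural one) and POST requests to /information.cgi on the listed C2 hosts. The tab-separated log format, the sample log lines and the host subset in C2_HOSTS are constructed for this illustration; the export name, path and hosts come from the paste.

```python
"""Triage of Locky "Please note" campaign IOCs against log lines.
Added example, not from the original paste; log format and samples are constructed."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Subset of the C2 hosts listed in the paste (constructed subset for the demo).
C2_HOSTS = {
    "195.123.209.8", "213.32.66.16", "95.213.186.93",
    "aarmkgw.ru", "dhmpxbtaby.pl", "doakqyc.biz", "qwboftw.su",
}
C2_PATH = "/information.cgi"      # constant across every C2 entry in the paste
PAYLOAD_EXPORT = "hJvPRXDWYR"     # rundll32 entry point named in the paste

# rundll32.exe <temp path>\<dll>,<export>; accepts %TEMP% or an expanded user temp dir.
RUNDLL_TEMP_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>(?:%TEMP%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)'
    r'\\[^\s",]+)"?,(?P<export>\w+)',
    re.IGNORECASE,
)


def classify_process(cmdline: str) -> Optional[str]:
    """Label a process command line, or return None when it does not match.
    The campaign's export name is a high-confidence hit; any DLL run from a
    temp directory via rundll32 is a lower-confidence behavioural hit."""
    m = RUNDLL_TEMP_RE.search(cmdline)
    if not m:
        return None
    if m.group("export") == PAYLOAD_EXPORT:
        return "locky-payload-export"
    return "rundll32-from-temp"


def classify_http(method: str, url: str) -> Optional[str]:
    """Label an HTTP request: POST to /information.cgi on a listed host is a
    known C2 check-in; the same POST to an unlisted host is flagged for review
    because the path did not change across the listed servers."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != C2_PATH:
        return None
    if parts.hostname in C2_HOSTS:
        return "locky-c2-known-host"
    return "locky-c2-path-unknown-host"


# Constructed sample log: source, timestamp, host, then source-specific fields.
SAMPLE_LOG = """\
proc\t2016-11-23T01:02:03Z\tWIN-7A\trundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\aG7xQ.dll,hJvPRXDWYR
proc\t2016-11-23T01:02:04Z\tWIN-7A\trundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
proc\t2016-11-23T01:02:05Z\tWIN-7B\trundll32.exe %TEMP%\\update.dll,Run
http\t2016-11-23T01:02:06Z\tWIN-7A\tPOST\thttp://aarmkgw.ru/information.cgi
http\t2016-11-23T01:02:07Z\tWIN-7A\tPOST\thttp://198.51.100.7/information.cgi
http\t2016-11-23T01:02:08Z\tWIN-7C\tGET\thttp://example.org/information.cgi
"""


def scan(log_text: str) -> list:
    """Return (timestamp, host, label) for every log line that matches."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if fields[0] == "proc" and len(fields) == 4:
            label = classify_process(fields[3])
        elif fields[0] == "http" and len(fields) == 5:
            label = classify_http(fields[3], fields[4])
        else:
            continue
        if label:
            alerts.append((fields[1], fields[2], label))
    return alerts


if __name__ == "__main__":
    for ts, host, label in scan(SAMPLE_LOG):
        print(ts, host, label)
```

The export name is the most specific signal on the page, but it is also the easiest for the operator to change between builds, so the behavioural rule (rundll32 loading a DLL from a temp path) and the C2 path rule are kept as separate, lower-confidence labels rather than folded into one match.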