- 2016-10-24 #locky email phishing campaign "Notification de facture Freebox"
- Campaign stats: 5 emails, 5 downloaders, 16 download sites, 1 malware sample
- Email sample:
- ---------------------------------------------------------------------------------------------------------------
- From: Free Haut Debit <hautdebit@freetelecom.fr>
- To: [REDACTED]
- Date: Mon, 24 Oct 2016 13:33:14 +0530
- Subject: [Free] Notification de facture Freebox (95854808)
- Bonjour,
- Vous trouverez en piece jointe votre facture Free Haut Debit.
- Le total de votre facture est de 75.09 Euros.
- Nous vous remercions de votre confiance.
- L'equipe Free
- Attachment: Facture_Free_201610_6292582_95854808.zip
- ---------------------------------------------------------------------------------------------------------------
- - sender is "Free Haut Debit <hautdebit@freetelecom.fr>"
- - subject is "[Free] Notification de facture Freebox (<random number>)"
- - attached file "Facture_Free_201610_<random number>_<random number>.zip" contains file "Facture_Free_201610_<random number>_<random number>.wsf", a JScript downloader
- Download sites (actual URLs contain a suffix ?<random>=<random> which does not influence the download):
- http://103.27.52.92/t67bg
- http://bpscforum.com/t67bg
- http://codezigns.com/t67bg
- http://dcorpconstructions.com.au/t67bg
- http://filesdiamond.com/t67bg
- http://megapowercash.com/t67bg
- http://nanrangy.net/t67bg
- http://omnibusiness-solutions.com/t67bg
- http://rewoza.smartsme.tv/t67bg
- http://saioffset.com/t67bg
- http://socialandmovieapps.com/t67bg
- http://sowkinah.com/t67bg
- http://tvctraffic.com/t67bg
- http://www.smartporua.com/t67bg
- http://zasm.info/t67bg
- http://zocaloalminuto.com/t67bg
- UPDATE (from elsewhere):
- http://donaldlococoarchitects.com/t67bg
- http://gezgininpusulasi.com/t67bg
- http://infosolz.com/t67bg
- http://nhachonglu.org/t67bg
- http://sustainabletompkins.org/t67bg
- http://www.icp.edu.pk/t67bg
- Malware:
- - encoded on download, SHA256 30f4a891edfad01f51041e51c52d109d42f1acf92cf991c4c69de2e27f4cbc86, filesize 278528 bytes
- - decoded SHA256 c23facdb56953fa3abd997a078e48f833a310c11ba1c5f14016961b9b78f575d
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- - samples:
- https://www.reverse.it/sample/1377f7d219d268afaf58efde796ffb0d10b6f730b3f51e6bcf75197fa0888d65?environmentId=100
- https://www.reverse.it/sample/523ae1b5ab5883d4b731a1580967236a9733584b17d3cc1fc95bf557d6b7c34e?environmentId=100
- https://www.reverse.it/sample/36718c8272cb3d4f3b2e435aec42bbae6be1302da29af3a77f9e9144efd0657f?environmentId=100
- https://www.reverse.it/sample/a2e227cf1bcb374f9285b778b736c44ffc880bc66754001549fec97c82042c15?environmentId=100
- https://www.reverse.it/sample/e03997be9b15e8fdb887b8e21a37e7af73d616d043ee34656b1ff7deaf24f3e2?environmentId=100
- https://www.reverse.it/sample/2f9bfe3a5c5a8e0b3e11133a0f08202f9045df166f3eedfedfcc45da8cff57db?environmentId=100
- https://www.reverse.it/sample/3f2d4f21d095716c75766272bf98b29aefbb83d0ec75b71905854c6212f9d8fe?environmentId=100
- C2:
- POST 185.102.136.77:80/linuxsucks.php
- POST 91.200.14.124:80/linuxsucks.php
- POST 109.234.35.215:80/linuxsucks.php
- POST bwcfinnt.work:80/linuxsucks.php [208.100.26.234]
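- Added example (not part of the original paste): a small Python matcher that turns the indicators above into detection logic. It checks email metadata against the sender/subject/attachment pattern, classifies proxy-log requests as a download-site hit (path /t67bg, the ?<random>=<random> suffix ignored) or a C2 hit (POST to /linuxsucks.php), and looks up file hashes against the two SHA256 values listed. The proxy log lines are constructed for the example; the hostnames, paths and hashes come from the paste.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the paste (download sites, including the UPDATE block).
DOWNLOAD_HOSTS = {
    "103.27.52.92", "bpscforum.com", "codezigns.com", "dcorpconstructions.com.au",
    "filesdiamond.com", "megapowercash.com", "nanrangy.net",
    "omnibusiness-solutions.com", "rewoza.smartsme.tv", "saioffset.com",
    "socialandmovieapps.com", "sowkinah.com", "tvctraffic.com",
    "www.smartporua.com", "zasm.info", "zocaloalminuto.com",
    "donaldlococoarchitects.com", "gezgininpusulasi.com", "infosolz.com",
    "nhachonglu.org", "sustainabletompkins.org", "www.icp.edu.pk",
}
# C2 hosts from the paste (bwcfinnt.work resolved to 208.100.26.234 at the time).
C2_HOSTS = {"185.102.136.77", "91.200.14.124", "109.234.35.215",
            "bwcfinnt.work", "208.100.26.234"}
DOWNLOAD_PATH = "/t67bg"
C2_PATH = "/linuxsucks.php"

# Encoded-on-download and decoded payload hashes from the paste.
KNOWN_SHA256 = {
    "30f4a891edfad01f51041e51c52d109d42f1acf92cf991c4c69de2e27f4cbc86",
    "c23facdb56953fa3abd997a078e48f833a310c11ba1c5f14016961b9b78f575d",
}

SENDER = "hautdebit@freetelecom.fr"
SUBJECT_RE = re.compile(r"^\[Free\] Notification de facture Freebox \(\d+\)$")
# Both the .zip container and the .wsf downloader inside it use this name pattern.
ATTACHMENT_RE = re.compile(r"^Facture_Free_201610_\d+_\d+\.(zip|wsf)$", re.IGNORECASE)


def classify_email(from_header, subject, attachment_name):
    """Return the list of indicator names an email's metadata matches."""
    hits = []
    _, addr = parseaddr(from_header)          # strips the display name
    if addr.lower() == SENDER:
        hits.append("sender")
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if ATTACHMENT_RE.match(attachment_name.strip()):
        hits.append("attachment")
    return hits


def classify_url(method, url):
    """Classify one request as 'download', 'c2', 'suspicious-path' or None.

    Host and path are compared separately so the random query suffix on the
    download URLs and an explicit :80 port on the C2 URLs do not matter.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if path == DOWNLOAD_PATH and host in DOWNLOAD_HOSTS:
        return "download"
    if method.upper() == "POST" and path == C2_PATH and host in C2_HOSTS:
        return "c2"
    # Path-only fallback: the same path on a host not yet in the list is worth a look.
    if path in (DOWNLOAD_PATH, C2_PATH):
        return "suspicious-path"
    return None


def is_known_sample(sha256_hex):
    """True if the hash matches the encoded or decoded payload from the paste."""
    return sha256_hex.strip().lower() in KNOWN_SHA256


# Constructed proxy log (not from the paste): "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2016-10-24T08:10:03Z 10.0.0.15 GET http://bpscforum.com/t67bg?ab=cd
2016-10-24T08:10:05Z 10.0.0.15 GET http://www.example.org/index.html
2016-10-24T08:11:20Z 10.0.0.15 POST http://185.102.136.77:80/linuxsucks.php
2016-10-24T08:12:41Z 10.0.0.22 GET http://unknown-host.invalid/t67bg?x=y
"""


def scan_proxy_log(text):
    """Return (timestamp, client, verdict, url) for every line that matches."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                          # skip malformed lines
        ts, client, method, url = parts
        verdict = classify_url(method, url)
        if verdict:
            findings.append((ts, client, verdict, url))
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*finding)
```

- The split between an exact host+path hit and a path-only "suspicious-path" verdict matters in practice: the paste itself had to be updated with six more download hosts, so matching the /t67bg path alone catches compromised sites that were not yet on the list, at the cost of needing analyst review.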