Racco42

2017-05-26 Jaff "Scanned Image from..."

May 26th, 2017
2017-05-26: #jaff email phishing campaign "Scanned Image from a Xerox WorkCentre"

Email sample:
---------------------------------------------------------------------------------------------------------------
From: "copier@[REDACTED]" <copier@[REDACTED]>
To: [REDACTED]
Subject: Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: copier@[REDACTED]
Number of Images: 2
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: copier@[REDACTED]

Attached file is scanned image in PDF format.

Attachment: Scan_0069_1694379267.zip
---------------------------------------------------------------------------------------------------------------
- Sender: (copier|scanner|xerox|canon|MFD)@<recipient's domain>
- Subject: "Scanned Image from a Xerox WorkCentre"
- Attachment: Scan_<3-4 digits>_<10 digits>.zip contains <9 digits>.zip, which in turn contains <9 digits>.wsf, a JScript downloader

Download sites (the URL carries a suffix ?<random>=<random> that does not affect the download):

Malware:
- as downloaded (XOR-encoded): SHA256 68c7b7d97fada3f558a54260491ffe1ce77add158f8a91c2599432f13718b807, MD5 aace687d16706b05aa49c9b7fff7572b
- decode by XORing the file with the key oACQkDYkveevPExWGku00eNvCy0LSnCn
- decoded: SHA256 375ba5457b0a8e0328f38e942dc16fa07e03e2b39571392c0f10f93031158d6f, MD5 6708cc80916e838a9bbed09c91854230
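
Added helper (not part of the paste) that turns the lure indicators above into mail-gateway triage checks and undoes the XOR encoding of the downloaded file so the result can be compared with the decoded SHA256. The key is the one quoted in the paste; that it repeats across the whole file is an assumption, and the payload used in the demo is constructed, not the real sample.

```python
import hashlib
import re
from itertools import cycle

# Values quoted in the paste. The paste says the payload is decoded "by XORing
# the file with" this key; that the key repeats across the file is an assumption.
XOR_KEY = b"oACQkDYkveevPExWGku00eNvCy0LSnCn"
DECODED_SHA256 = "375ba5457b0a8e0328f38e942dc16fa07e03e2b39571392c0f10f93031158d6f"

# Lure indicators from the paste, expressed as patterns for triage of inbound mail.
SENDER_RE = re.compile(r"^(copier|scanner|xerox|canon|mfd)@(?P<domain>[^@\s]+)$", re.I)
ATTACHMENT_RE = re.compile(r"^Scan_\d{3,4}_\d{10}\.zip$", re.I)


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo the repeating-key XOR applied to the downloaded file (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def matches_decoded_hash(data: bytes, expected_hex: str = DECODED_SHA256) -> bool:
    """True when the decoded bytes hash to the SHA256 the paste lists for the real sample."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def triage_email(sender: str, recipient: str, attachment: str) -> list:
    """Return the lure indicators an email matches; an empty list means no match."""
    hits = []
    m = SENDER_RE.match(sender)
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    if m and m.group("domain").lower() == recipient_domain:
        hits.append("device-style sender on the recipient's own domain")
    if ATTACHMENT_RE.match(attachment):
        hits.append("attachment named Scan_<3-4 digits>_<10 digits>.zip")
    return hits


if __name__ == "__main__":
    # Constructed stand-in for the downloaded file: a fake PE header XOR-encoded
    # with the key, so the decoder can be exercised without the real sample.
    fake_payload = b"MZ\x90\x00" + bytes(range(64))
    encoded = xor_decode(fake_payload)  # encoding and decoding are the same operation
    decoded = xor_decode(encoded)
    print("round-trip ok:", decoded == fake_payload)
    print("header after decode:", decoded[:2])
    print("is the real Jaff sample:", matches_decoded_hash(decoded))
    print(triage_email("copier@example.com", "alice@example.com", "Scan_0069_1694379267.zip"))
```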

C2:
http://comboratiogferrdto.com/a5/