- 2016-11-22: #locky email phishing campaign "Documents Requested"
- Email sample:
- ----------------------------------------------------------------------------------------
- From: "Alyssa" <Alyssa889@[REDACTED]>
- To: [REDACTED]
- Subject: FW:Documents Requested
- Date: Tue, 22 Nov 2016 16:52:18 +0530
- Dear [REDACTED],
- Please find attached documents as requested.
- Best Regards,
- Alyssa
- Attachment: "new doc(425).zip"
- ----------------------------------------------------------------------------------------
- - sender varies; the sender's display name is a single word (a first name) and the address is <name><random number>@<recipient's domain>
- - subject is "Documents Requested", in some cases prefixed with "FW:" or "Re:"
- - attached file name is "doc(<random number>).zip", "new doc(<random number>).zip" or "Untitled(<random number>).zip"; the archive contains a file "<digits>-<upcase letters>-<digits>.wsf", a JScript downloader.
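As an added example (not part of the original paste), the following Python script triages a raw RFC 822 message against the email traits listed above: one-word display name, <name><digits> local part, sender address on the recipient's own domain, the "Documents Requested" subject with optional "FW:"/"Re:" prefix, the zip attachment name pattern, and a <digits>-<UPCASE>-<digits>.wsf member inside the zip. The sample message, the domain example.com (the paste redacts the real recipient domain) and the empty placeholder .wsf member are all constructed here for demonstration.

```python
# Added example (not from the original paste): score an inbound message against the
# Locky "Documents Requested" campaign traits. The message, the example.com domain and
# the zip contents are constructed for demonstration; the .wsf member is an empty
# placeholder, not the downloader.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^(?:(?:FW|Re):\s*)?Documents Requested$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^(?:new doc|doc|Untitled)\(\d+\)\.zip$", re.IGNORECASE)
LOCAL_PART_RE = re.compile(r"^[A-Za-z]+\d+$")          # <name><random number>
WSF_MEMBER_RE = re.compile(r"^\d+-[A-Z]+-\d+\.wsf$")   # <digits>-<UPCASE>-<digits>.wsf


def triage_message(raw: bytes) -> dict:
    """Return a dict of campaign traits and whether each one matches this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}

    display, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.rpartition("@")
    _, to_addr = parseaddr(msg.get("To", ""))
    recipient_domain = to_addr.rpartition("@")[2]

    hits["one_word_display_name"] = bool(display) and len(display.split()) == 1
    hits["name_plus_digits_local_part"] = bool(LOCAL_PART_RE.match(local))
    hits["sender_uses_recipient_domain"] = (
        bool(sender_domain) and sender_domain.lower() == recipient_domain.lower()
    )
    hits["subject_matches"] = bool(SUBJECT_RE.match(msg.get("Subject", "").strip()))

    hits["attachment_name_matches"] = False
    hits["zip_contains_wsf"] = False
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits["attachment_name_matches"] = True
        payload = part.get_payload(decode=True) or b""
        # Look inside the archive without extracting anything to disk.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(WSF_MEMBER_RE.match(n) for n in zf.namelist()):
                    hits["zip_contains_wsf"] = True
    return hits


def score(hits: dict) -> int:
    """Number of matching traits; 6 means every listed trait is present."""
    return sum(1 for v in hits.values() if v)


def build_sample_message(sender='"Alyssa" <Alyssa889@example.com>',
                         subject="FW:Documents Requested",
                         attachment_name="new doc(425).zip") -> bytes:
    """Constructed lookalike of the campaign email (benign placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("8375-QWERTY-2031.wsf", "<job></job>")  # placeholder, not the downloader
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("Please find attached documents as requested.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    hits = triage_message(build_sample_message())
    print(score(hits), hits)
```

A message matching all six traits scores 6; a legitimate zip attachment from a named colleague on another domain with an unrelated subject scores far lower, so the score can drive quarantine rather than a single indicator.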
- Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):
- http://alamanconsulting.at/trec4x
- http://bowlysilk.net/trec4x
- http://emp.omidejelin.ir/trec4x
- http://interfacerh.ma/trec4x
- http://iptm.com.vn/trec4x
- http://jiaotai161.com/trec4x
- http://kashimayunohana.jp/trec4x
- http://kinafreyr.com/trec4x
- http://kozmologic.com/trec4x
- http://liceuminbak.com/trec4x
- http://magnayacht.com/trec4x
- http://mirofusion.com/trec4x
- http://mkoyunoglu.com/trec4x
- http://mmbeheer.nl/trec4x
- http://monowheels.ru/trec4x
- http://mybankofgold.com/trec4x
- http://nbaykalov.ru/trec4x
- http://netshot.co.uk/trec4x
- http://nieruchomosci.koszalin.pl/trec4x
- http://ninjah47.home.pl/trec4x
- http://notyou.ru/trec4x
- http://offerst.com/trec4x
- http://okidi.nl/trec4x
- http://omrolsztyn.neostrada.pl/trec4x
- http://omsktut.ru/trec4x
- http://oncotice.org/trec4x
- http://opengm.es/trec4x
- http://orcendre.com/trec4x
- http://oscartroya.com/trec4x
- http://ourfrontline.com/trec4x
- http://overcom.tv/trec4x
- http://ozka.ro/trec4x
- http://pathkids.com/trec4x
- http://paynterroofing.com/trec4x
- http://pcflame.com.au/trec4x
- http://pdaconference.com/trec4x
- http://pdo-mel.myjino.ru/trec4x
- http://pleinaxe.fr/trec4x
- http://pokerjive.com/trec4x
- http://portalmadureira.com/trec4x
- http://powersite.hostuju.cz/trec4x
- http://probudise.com/trec4x
- http://pumeksy.pl/trec4x
- http://pyrostar.sk/trec4x
- http://ralphkunze.de/trec4x
- http://razborka-vigonka.ru/trec4x
- http://rent-guarantee-insurance.co.uk/trec4x
- http://residencyradio.com/trec4x
- http://rosispitaniya.com/trec4x
- UPDATE:
- http://51bike.pinnc.com/trec4x
- http://keshuimei.com/trec4x
- http://noahapparel.com/trec4x
- http://nuntapun.com/trec4x
- http://nybeauty.com/trec4x
- http://paulinum.edu.rs/trec4x
- http://pgringette.ca/trec4x
- http://psdha.ir/trec4x
- http://radstedjazz.dk/trec4x
- http://roadrollerchina.com/trec4x
- UPDATE2:
- http://monsalwa.com/trec4x
- http://palekar.com/trec4x
- http://ramblahouse.com/trec4x
- UPDATE3:
- http://lisadeck.fr/trec4x
- http://oakscardclub.com/trec4x
- http://printaholics.co.uk/trec4x
- UPDATE4:
- http://pozychayko.com/trec4x
- Malware:
- - encoded on download, SHA256 c2f354539848ba98ade066ea2cfdca57f380aa104fc3388a531389a731f9b464, MD5 15f8c356799f70d6fe86c32e7e35a841
- - decoded SHA256 b8b79de0c2be90bbf4806016f7bf255f34402f5c9458f6b6c6f2e024798615f1, MD5 97a967e85391865ea9fdf943e182b05e
- - executed by "rundll32.exe %TEMP%\<dll_name>,getid"
- C2:
- POST http://94.242.55.81/information.cgi
- POST http://95.46.114.205/information.cgi
- POST http://iiyqwtjrio.xyz/information.cgi
- POST http://ixovpsbro.pw/information.cgi
- POST http://jaifrpylmhlxhp.pw/information.cgi
- POST http://jreajpvhvsymji.su/information.cgi
- POST http://mkybtybuj.work/information.cgi
- POST http://naqfjsvayt.pl/information.cgi
- POST http://noslubk.xyz/information.cgi
- POST http://qkbvkyi.click/information.cgi
- POST http://qtlemkqkmcogoq.pl/information.cgi
- POST http://vdsvtwbyhmqbef.info/information.cgi
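As an added example (not part of the original paste), this Python script matches web-proxy and process-creation records against the download sites, C2 endpoints and rundll32 launch pattern listed above. The indicator sets are a subset copied from the paste; the log lines, hostnames, users and the DLL file name are constructed for demonstration. Requests are normalised with urlsplit so that the random ?<x>=<y> suffix and host case do not defeat the match, while a request to a listed host with a different path is not flagged.

```python
# Added example (not from the original paste): match proxy and process logs against
# the campaign indicators. Indicator subsets are copied from the paste; all log lines,
# hostnames, user names and the DLL file name are constructed for demonstration.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the download sites from the paste (host only; the path is always /trec4x).
DOWNLOAD_HOSTS = {"alamanconsulting.at", "bowlysilk.net", "kozmologic.com", "pozychayko.com"}
DOWNLOAD_PATH = "/trec4x"

# Subset of the C2 endpoints from the paste (all receive a POST to /information.cgi).
C2_HOSTS = {"94.242.55.81", "95.46.114.205", "iiyqwtjrio.xyz", "qkbvkyi.click"}
C2_PATH = "/information.cgi"

# rundll32 loading a DLL out of %TEMP% and calling the "getid" export seen in the paste.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+\S*\\temp\\[^,\s]+\.dll,getid\b', re.IGNORECASE)

# Constructed proxy log: timestamp, client, method, url, status
PROXY_LOG = """\
2016-11-22T11:30:02Z 10.0.0.17 GET http://alamanconsulting.at/trec4x?ab12=cd34 200
2016-11-22T11:30:05Z 10.0.0.17 GET http://www.example.com/index.html 200
2016-11-22T11:30:41Z 10.0.0.17 POST http://94.242.55.81/information.cgi 200
2016-11-22T11:31:00Z 10.0.0.23 GET http://kozmologic.com/about 200
2016-11-22T11:31:09Z 10.0.0.23 POST http://qkbvkyi.click/information.cgi?x=1 200
"""

# Constructed process-creation events: host, user, command line
PROCESS_LOG = """\
WS17 alice "C:\\Windows\\System32\\rundll32.exe" C:\\Users\\alice\\AppData\\Local\\Temp\\kjsd83.dll,getid
WS17 alice "C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL
WS23 bob "C:\\Windows\\System32\\notepad.exe" C:\\Users\\bob\\notes.txt
"""


def classify_request(method: str, url: str) -> Optional[str]:
    """Return 'download' or 'c2' when the request matches an indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # lowercased by urlsplit; the query string is ignored
    if method == "GET" and host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH:
        return "download"
    if method == "POST" and host in C2_HOSTS and parts.path == C2_PATH:
        return "c2"
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """(client, label, url) for every proxy line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        _ts, client, method, url, _status = line.split()
        label = classify_request(method, url)
        if label:
            hits.append((client, label, url))
    return hits


def scan_process_log(text: str) -> List[Tuple[str, str]]:
    """(host, command line) for every rundll32 launch of a %TEMP% DLL via export getid."""
    hits = []
    for line in text.splitlines():
        host, _user, cmdline = line.split(" ", 2)
        if RUNDLL_RE.search(cmdline):
            hits.append((host, cmdline))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in scan_process_log(PROCESS_LOG):
        print("process", *hit)
```

Matching on host plus path, rather than the full URL string, is what makes the per-victim random query suffix irrelevant; a client that first fetches /trec4x and then POSTs to /information.cgi within a minute, as 10.0.0.17 does in the constructed log, is the sequence worth alerting on.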