Racco42

Locky "Please find attached invoice no:"

Sep 1st, 2016
2016-09-01 #locky email phishing campaign "Please find attached invoice no: X"

Email sample (sender address is document@<sender's domain> )
---------------------------------------------------------------------------------------------------------------------------------
From: <document@[REDACTED]>
To: [REDACTED]
Subject: Please find attached invoice no: 6787196687

Attached is a Print Manager form.
Format = Portable Document Format File (PDF) ________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended reipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
---------------------------------------------------------------------------------------------------------------------------------
Attached file "<random chars>.zip" contains file "<random chars>.wsf" containing JScript downloader

Download sites (the actual URLs contain ?<random>=<random> suffix, but it does not have influence on download):

Same downloads / malware as in "Confirmation" campaign http://pastebin.com/W2fkQx9S
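
Added example, not part of the original paste: a mail-triage sketch that flags the traits described above (subject pattern, "document@" sender, zip attachment holding a .wsf file) and compares download URLs on host and path only, since the random query suffix does not affect the download. The function names, the example.com/example.org addresses and the sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

SUBJECT_RE = re.compile(r"^Please find attached invoice no: \d+$")

def indicator_key(url):
    """Host + path only, so the random ?<k>=<v> suffix cannot defeat a match."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path

def wsf_members(zip_bytes):
    """Names of .wsf files inside a zip attachment ([] if it is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".wsf")]
    except zipfile.BadZipFile:
        return []

def triage(raw_message):
    """Return which of the campaign's traits one raw message shows."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg["Subject"] or "")):
        hits.append("subject")
    if parseaddr(str(msg["From"] or ""))[1].lower().startswith("document@"):
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and wsf_members(part.get_payload(decode=True) or b""):
            hits.append("zip-wsf")
    return hits

def build_sample():
    """Constructed message: placeholder addresses, inert .wsf inside the zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a1b2c3.wsf", "<job></job>")
    msg = EmailMessage()
    msg["From"] = "document@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Please find attached invoice no: 1234567890"
    msg.set_content("Attached is a Print Manager form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="x9y8z7.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` lists every trait the constructed message shows; a message scoring on "zip-wsf" alone is already worth quarantining, because the paste describes the .wsf file as a JScript downloader.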