
2016-12-12 Locky "Attached, Copy, Emailing, File"

Racco42 Dec 12th, 2016 (edited)
2016-12-12: #locky email phishing run "Attached, Copy, Emailing, File"

Email sample:
------------------------------------------------------------------------------------------------------------------------------
From: "Beulah" <Beulah356@packstation.de>
To: [REDACTED]
Subject: File: Receipt_40
Date: Mon, 12 Dec 2016 21:39:49 +0700

Attachment: Receipt_40.zip -> Scan(757).jse
------------------------------------------------------------------------------------------------------------------------------
- sender varies between emails, but sender domain is same as recipient's
- subject is "<Attached|Copy|Emailing|File>: <Document|Receipt|Scan>_<1 or 2 digits>"
- email body is empty
- attached file "<Document|Scan|Receipt>_<1 or 2 digits>.zip" (same as the second part of the subject) contains file "Scan(<3 digits>).jse", a JScript downloader (the JScript is plaintext, not encoded as the .jse suffix suggests)
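The lure description above is specific enough to turn into a mail-gateway triage rule. The following is an added example, not part of the paste: it checks the subject pattern, the archive name, the "Scan(NNN).jse" name inside it, the empty body, and the sender-domain-equals-recipient trick using message metadata only. The function names, the dict layout and the sample messages are my own; the recipient address in the sample is invented (the paste redacts it) and only reuses the sender's domain as the paste describes.

```python
import re
from email.utils import parseaddr

# Patterns transcribed from the run description in this paste.
SUBJECT_RE = re.compile(
    r"^(?P<verb>Attached|Copy|Emailing|File): (?P<doc>Document|Receipt|Scan)_(?P<num>\d{1,2})$"
)
ZIP_RE = re.compile(r"^(?P<doc>Document|Receipt|Scan)_(?P<num>\d{1,2})\.zip$", re.IGNORECASE)
INNER_RE = re.compile(r"^Scan\(\d{3}\)\.jse$", re.IGNORECASE)


def address_domain(header_value):
    """Domain part of an RFC 5322 address header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_email(msg):
    """Return the list of run-specific indicators a message matches.

    msg is a dict (my own layout, not a standard) with keys: from, to,
    subject, body, attachments; attachments maps each attachment name to
    the list of file names inside it (empty list for non-archives).
    Only metadata is inspected, so this can run over a gateway export.
    """
    hits = []
    subj = SUBJECT_RE.match(msg.get("subject", "").strip())
    if subj:
        hits.append("subject_pattern")
    if not msg.get("body", "").strip():
        hits.append("empty_body")
    sender = address_domain(msg["from"])
    if sender and sender == address_domain(msg["to"]):
        hits.append("sender_domain_equals_recipient")
    for name, inner in msg.get("attachments", {}).items():
        z = ZIP_RE.match(name)
        if not z:
            continue
        hits.append("zip_name_pattern")
        # The paste notes the archive name repeats the second part of the subject.
        if subj and z.group("doc") == subj.group("doc") and z.group("num") == subj.group("num"):
            hits.append("zip_matches_subject")
        if any(INNER_RE.match(f) for f in inner):
            hits.append("jse_inside_zip")
    return hits


def is_run_match(msg):
    """True when the lure's core shape is present: subject pattern plus a
    matching archive that carries the .jse downloader file name."""
    return {"subject_pattern", "zip_name_pattern", "jse_inside_zip"} <= set(classify_email(msg))


# Constructed sample messages. The first mirrors the paste's sample headers;
# the recipient is invented but shares the sender's domain, as the paste states.
SAMPLE_LURE = {
    "from": '"Beulah" <Beulah356@packstation.de>',
    "to": "someone@packstation.de",
    "subject": "File: Receipt_40",
    "body": "",
    "attachments": {"Receipt_40.zip": ["Scan(757).jse"]},
}
SAMPLE_BENIGN = {
    "from": "alice@example.org",
    "to": "bob@example.com",
    "subject": "Re: receipt for order 40",
    "body": "Attached as promised.",
    "attachments": {"Receipt_40.pdf": []},
}

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(m["subject"], "->", classify_email(m), is_run_match(m))
```

The weaker indicators (empty body, same-domain sender) are reported separately rather than folded into `is_run_match`, so they can raise a score or feed a second rule without producing a hard block on their own.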

Download sites:
http://103.27.52.92/874ghv3
http://117.239.70.228/874ghv3
http://216.104.188.249/874ghv3
http://54.93.178.21/874ghv3
http://69.162.74.116/874ghv3
http://absxpintranet.in/874ghv3
http://angelwap.ro/874ghv3
http://autorijschoolpedro.nl/874ghv3
http://belovephoto.com/874ghv3
http://cardbuilderplus.com/874ghv3
http://cynosurejobs.net/874ghv3
http://democro.com/874ghv3
http://dreamtheatre.co/874ghv3
http://dronetech.no/874ghv3
http://envisorusa.com/874ghv3
http://freedommobility.com.au/874ghv3
http://galtechprojects.com/874ghv3
http://gateste.sanatate.us/874ghv3
http://gezgininpusulasi.com/874ghv3
http://greenresist.com/874ghv3
http://gudangg.com/874ghv3
http://hooli.com.au/874ghv3
http://ibfnetwork.com/874ghv3
http://konoikevina.com.vn/874ghv3
http://mebdco.com/874ghv3
http://megapowercash.com/874ghv3
http://mer-pro.com/874ghv3
http://miel-maroc.com/874ghv3
http://mstest2.co.uk/874ghv3
http://muhammadmafazine.com/874ghv3
http://mynamepixs.com/874ghv3
http://omnibusiness-solutions.com/874ghv3
http://onedotm.com/874ghv3
http://ratchadaphoto.com/874ghv3
http://socialandmovieapps.com/874ghv3
http://sunwayautoparts.com/874ghv3
http://sustainabletompkins.org/874ghv3
http://therapymarketinginstitute.com/874ghv3
http://thetbank.com/874ghv3
http://thetravelbug.org/874ghv3
http://tifa-awards.net/874ghv3
http://tutorarabia.com/874ghv3
http://tvctraffic.com/874ghv3
http://waterplusmaroc.com/874ghv3
http://workandplaytherapy.com/874ghv3
http://www.bfsa.gov.bd/874ghv3
http://www.icp.edu.pk/874ghv3
http://www.ifs-b.org/874ghv3
http://www.primeknittexltd.com/874ghv3
http://www.pspmrsmag.com/874ghv3
http://www.pspmrsmtumpat.com/874ghv3
http://www.refereccu.com/874ghv3
http://www.russwat.org/874ghv3
http://zasm.info/874ghv3
http://zocaloalminuto.com/874ghv3

UPDATED:
http://angorabric.org/874ghv3
http://icclicks.com/874ghv3
http://indiaclubdayton.org/874ghv3
http://naacllc.com/874ghv3
http://rewoza.smartsme.tv/874ghv3

UPDATED:
http://3ainstrument.com/874ghv3
http://aiahelps.com/874ghv3
http://filesdiamond.com/874ghv3
http://indigenouspromotions.com.au/874ghv3
http://soulanimtech.com/874ghv3
http://stmerchandise.net/874ghv3
http://thaitooling.net/874ghv3
http://wkreation.com/874ghv3
http://www.paradisecity.pk/874ghv3

Malware:
- payload as downloaded (encoded): SHA256 5c112d02b8726e841bba19b9c7aabeff505f25bf833b83b4ccfd97bfd2e32207, MD5 822590912e835cfbcf80855aad3e67d1
- payload after decoding: SHA256 77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265, MD5 399600fd83eee256ee6d404e3697adaa
- executed by "rundll32.exe %TEMP%\<dll_name>,get_str"
- sample https://www.virustotal.com/file/77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265/analysis/1481559253/

C2:
POST http://176.121.14.95/checkupdate
POST http://88.214.236.218/checkupdate
POST http://91.219.31.14/checkupdate
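The network and host indicators in the Malware and C2 sections above (the shared download path /874ghv3, the POST /checkupdate beacons to the three C2 addresses, and the rundll32 ... ,get_str execution line) can be hunted for in proxy and process telemetry. This is an added example, not part of the paste: the proxy-log layout, the 10.0.0.x client addresses in the constructed sample, and the function names are my own assumptions; only the indicator values come from the paste.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the paste.
DOWNLOAD_PATH = "/874ghv3"
C2_PATH = "/checkupdate"
C2_HOSTS = {"176.121.14.95", "88.214.236.218", "91.219.31.14"}

# Execution pattern from the paste: rundll32.exe %TEMP%\<dll_name>,get_str.
# Matches both the unexpanded %TEMP% form and an expanded ...\Temp\ path,
# with or without quotes around the DLL path.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:%temp%|\S*\\temp)\\[^\s,]+\.dll"?\s*,\s*get_str\b',
    re.IGNORECASE,
)

# Constructed proxy-log layout (an assumption): "<ts> <client> <method> <url> <status>".
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(method, url):
    """Return 'download', 'c2', or None for one proxy request.

    The download path is distinctive on its own, so any host counts; the C2
    path is generic, so it is only flagged for the listed addresses and POSTs.
    """
    parts = urlsplit(url)
    if parts.path == DOWNLOAD_PATH:
        return "download"
    if method == "POST" and parts.path == C2_PATH and parts.hostname in C2_HOSTS:
        return "c2"
    return None


def scan_proxy_log(lines):
    """Return (client, kind, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        kind = classify_url(m.group("method"), m.group("url"))
        if kind:
            hits.append((m.group("client"), kind, m.group("url")))
    return hits


def is_loader_cmdline(cmdline):
    """True when a process command line matches the rundll32/get_str pattern."""
    return bool(RUNDLL_RE.search(cmdline))


# Constructed sample log. The second and third requests use hosts and paths
# from the paste; the last one is a decoy with the same path on an unrelated host.
SAMPLE_PROXY_LOG = """\
2016-12-12T15:01:02Z 10.0.0.17 GET http://example.com/index.html 200
2016-12-12T15:01:09Z 10.0.0.17 GET http://angelwap.ro/874ghv3 200
2016-12-12T15:01:15Z 10.0.0.17 POST http://176.121.14.95/checkupdate 200
2016-12-12T15:02:30Z 10.0.0.23 POST http://intranet.example.com/checkupdate 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(is_loader_cmdline(r"rundll32.exe C:\Users\u\AppData\Local\Temp\abc123.dll,get_str"))
```

A single client showing a /874ghv3 fetch followed within seconds by a /checkupdate POST, as in the sample, is the sequence the paste describes; correlating the two by client address is more reliable than either request alone, since download hosts in this run are compromised legitimate sites.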