2016-12-20 Locky "Scan"

Racco42, Dec 20th, 2016 (edited)
2016-12-20: #locky email phishing campaign "Scan"

Email sample:
-----------------------------------------------------------------------------------------------------------------------------
From: "chasity beldowski" <chasity.beldowski@magicfoto24.pl>
To: [REDACTED]
Subject: [SUSPICIOUS MESSAGE] Scan
Date: Tue, 20 Dec 2016 19:45:43 +0300

Regards,

CHASITY BELDOWSKI
Business Development
Mobile No.  +91 5554217728
Phone No. 021 35669 720

Lumax Industries Ltd.
608. Chakan - Talegaon Road
Mahalunge - Chakan Pune 410501 India

Attachment: 843218509b7c2ed.zip -> be27dc4c28efb26ee81c6fbc33a3fbe1.wsf
-----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Scan"
- attached file "<10-16 random hex characters>.zip" contains file "<32 random lowercase chars>.wsf", a JScript downloader
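The attachment naming pattern above is tight enough to check at a mail gateway. The following is an added example (not part of this paste) that inspects a ZIP attachment in memory and reports whether the ZIP name, member count and member name fit the campaign; the extra list of script extensions and the sample ZIP built inline are assumptions of the example, not observations from the paste.

```python
import io
import re
import zipfile

# Naming pattern described above:
# "<10-16 random hex characters>.zip" containing "<32 random lowercase chars>.wsf"
ZIP_NAME_RE = re.compile(r"^[0-9a-f]{10,16}\.zip$")
WSF_NAME_RE = re.compile(r"^[a-z0-9]{32}\.wsf$")
# Any Windows Script Host file inside a ZIP is worth flagging on its own
# (assumption of this example; the paste only mentions .wsf).
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta")


def classify_attachment(filename: str, data: bytes) -> dict:
    """Inspect a ZIP attachment and report how closely it matches the campaign."""
    result = {
        "zip_name_matches": bool(ZIP_NAME_RE.match(filename.lower())),
        "script_members": [],
        "wsf_name_matches": False,
        "campaign_match": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        result["error"] = "not a valid zip"
        return result
    for name in names:
        base = name.rsplit("/", 1)[-1].lower()
        if base.endswith(SCRIPT_EXTS):
            result["script_members"].append(name)
        if WSF_NAME_RE.match(base):
            result["wsf_name_matches"] = True
    # Full match: random-hex ZIP name, exactly one member, and it is the random .wsf
    result["campaign_match"] = (
        result["zip_name_matches"] and len(names) == 1 and result["wsf_name_matches"]
    )
    return result


def make_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build a ZIP in memory (constructed sample, not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the attachment: the names from the paste, harmless content.
    sample = make_sample_zip("be27dc4c28efb26ee81c6fbc33a3fbe1.wsf",
                             b"<job><script language='JScript'></script></job>")
    print(classify_attachment("843218509b7c2ed.zip", sample))
    benign = make_sample_zip("report.pdf", b"%PDF-1.4")
    print(classify_attachment("invoice.zip", benign))
```

The full-match condition is deliberately strict (one member, both names random) so it can block outright; the `script_members` field is the looser signal to quarantine or sandbox.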
  26.  
Download sites:
- the download sites overlap with those of the "for printing" campaign, but the sample has changed since then
http://alaliengineering.net/hjv56
http://aministudio.com/hjv56
http://artlab.co.il/hjv56
http://bluelunar.net/hjv56
http://carloszubiaga.com/hjv56
http://charlenelouw.co.za/hjv56
http://corlouis.com/hjv56
http://cracoviamanor.com/hjv56
http://devzendo.org/hjv56
http://dwdesigns.us/hjv56
http://friedensschlag.de/hjv56
http://fsamson.com/hjv56
http://greatgoods2.bravepages.com/hjv56
http://guide4health.info/hjv56
http://hostalmilabi.com/hjv56
http://hostingjoomla.be/hjv56
http://householdanimals.50webs.com/hjv56
http://hzcoobl.com/hjv56
http://imperialroofing.co.uk/hjv56
http://inzt.net/hjv56
http://ipt.se/hjv56
http://isriir.com/hjv56
http://jaba-translations.pt/hjv56
http://jansen.com.ua/hjv56
http://jayacoat-industries.com.my/hjv56
http://jimprudom.com/hjv56
http://jzcolorful.com/hjv56
http://kakamiao.com/hjv56
http://kayju.com/hjv56
http://kenix.debugnet.com/hjv56
http://keralavoter.com/hjv56
http://kmwine.ge/hjv56
http://ldagnes.pl/hjv56
http://macoinservicios.com/hjv56
http://mass-appeal.com/hjv56
http://minilab.ca/hjv56
http://mk-beauty.de/hjv56
http://namecardcenter.net/hjv56
http://nfia-china.com/hjv56
http://ogustine.com/hjv56
http://owncloud.weber-rechtenbach.de/hjv56
http://phayamengrai.chiangrai.doae.go.th/hjv56
http://pozsgaiingatlan.hu/hjv56
http://residencegardenia.it/hjv56
http://revolutionarymom.com/hjv56
http://seolandia.pl/hjv56
http://shouxinghg.com/hjv56
http://stuifmeelenstamper.be/hjv56
http://tc12345.com/hjv56
http://theservantsoflove.com/hjv56
http://todoalojamiento.es/hjv56
http://ventureorchestra.com/hjv56
http://webplatter.com/hjv56
http://www.azrodandclassic.com/hjv56
http://www.genesisbilling.net/hjv56
http://www.grupoaex.es/hjv56
http://www.langeoog-meerleben.de/hjv56
http://www.tenji-guide.com/hjv56
http://yorkshire-pm.com/hjv56

Malware
- encoded: SHA256 f7fa2e9a0fc039666b98b2176a3544c6c597ec951640d12c22ef7aa5d5c40797, MD5 b435d0006a4fc1701852c0969b258b56
- decoded: SHA256 53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624, MD5 997bea2edabbceb9df6fdd564dc0f143
- decoding (XOR) key is "e81G9Dsvrh0NR2qGWZSk1CSTNyqr8I2f"
- executed by "rundll32.exe %TEMP%\pYmpJfsNiM1.dll,vape" (the decoded payload is a DLL; rundll32 loads it and calls its "vape" export)
- sample https://www.virustotal.com/en/file/53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624/analysis/
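To confirm that a blob pulled from one of the download sites is this sample, decode it with the key above and compare against the decoded hashes. This is an added example, not code from the paste; it assumes plain repeating-key XOR (key cycled byte-wise from offset 0, no further transform), which is all the paste states, and it ships with a constructed MZ/PE stub so the decoder can be self-tested without the real payload.

```python
import hashlib
import sys

# Key and hashes as listed in the paste.
XOR_KEY = b"e81G9Dsvrh0NR2qGWZSk1CSTNyqr8I2f"
ENCODED_SHA256 = "f7fa2e9a0fc039666b98b2176a3544c6c597ec951640d12c22ef7aa5d5c40797"
DECODED_SHA256 = "53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624"
DECODED_MD5 = "997bea2edabbceb9df6fdd564dc0f143"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Assumption of this example: the key is cycled
    byte-wise from offset 0 with no extra transform."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def digests(data: bytes) -> tuple:
    """(sha256, md5) hex digests, the two hashes the paste lists."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap sanity check that decoding produced a DOS/PE header:
    'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_file(path: str) -> dict:
    """Decode a downloaded blob and compare it with the hashes from the paste."""
    with open(path, "rb") as fh:
        enc = fh.read()
    dec = xor_decode(enc)
    sha, md5 = digests(dec)
    return {
        "encoded_sha256_matches": digests(enc)[0] == ENCODED_SHA256,
        "decoded_sha256": sha,
        "decoded_md5": md5,
        "matches_paste": sha == DECODED_SHA256 and md5 == DECODED_MD5,
        "looks_like_pe": is_pe(dec),
    }


def make_fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub (not malware) for self-testing the decoder."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 64


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(decode_file(sys.argv[1]))
    else:
        fake = make_fake_pe()
        enc = xor_decode(fake)  # XOR is symmetric, so encoding uses the same routine
        assert not is_pe(enc) and is_pe(xor_decode(enc))
        print("self-test ok")
```

If `looks_like_pe` is false for a real download while `encoded_sha256_matches` is true, the XOR assumption is wrong for that blob (an offset or a second transform is involved) and the hashes should not be trusted until the decoder is fixed.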
  95.  
C2:
POST http://176.121.14.95/checkupdate
POST http://188.127.239.48/checkupdate
POST http://193.201.225.124/checkupdate
POST http://91.203.5.144/checkupdate
POST http://91.223.180.3/checkupdate
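Both the download-site list and the C2 list above can be turned into proxy-log matches. The following is an added example (not from the paste) that parses lines in the paste's own format into downloader and C2 indicators and scans constructed proxy log lines against them; the log format ("time client method url status"), the sample lines, and the extra rule that any request for the constant path /hjv56 on an unlisted host is still reported are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the IOC list from the paste, in the paste's own format.
IOC_TEXT = """
http://alaliengineering.net/hjv56
http://aministudio.com/hjv56
http://www.azrodandclassic.com/hjv56
POST http://176.121.14.95/checkupdate
POST http://91.203.5.144/checkupdate
"""

URL_RE = re.compile(r"(?:(POST)\s+)?(https?://\S+)")


def parse_iocs(text: str) -> dict:
    """Split the list into downloader URLs and C2 URLs, keyed by (host, path)."""
    iocs = {"downloader": set(), "c2": set()}
    for line in text.splitlines():
        m = URL_RE.search(line.strip())
        if not m:
            continue
        method, url = m.groups()
        parts = urlsplit(url)
        key = (parts.hostname, parts.path)
        iocs["c2" if method == "POST" else "downloader"].add(key)
    return iocs


# Constructed proxy log lines (assumed format): "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-12-20T17:10:02Z 10.1.2.33 GET http://alaliengineering.net/hjv56 200
2016-12-20T17:10:05Z 10.1.2.33 POST http://176.121.14.95/checkupdate 200
2016-12-20T17:11:00Z 10.1.2.40 GET http://www.example.com/index.html 200
2016-12-20T17:12:30Z 10.1.2.41 GET http://unlisted-host.example/hjv56 404
2016-12-20T17:13:00Z 10.1.2.41 POST http://91.203.5.144/checkupdate 200
"""


def scan_log(log: str, iocs: dict) -> list:
    """Return (client, category, url) for each line hitting an indicator.
    A request for the campaign path /hjv56 on a host not in the list is still
    reported as 'downloader-path', since the path was constant across all sites."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, method, url, _status = fields[:5]
        parts = urlsplit(url)
        key = (parts.hostname, parts.path)
        if method == "POST" and key in iocs["c2"]:
            hits.append((client, "c2", url))
        elif key in iocs["downloader"]:
            hits.append((client, "downloader", url))
        elif parts.path == "/hjv56":
            hits.append((client, "downloader-path", url))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(hit)
```

A client that shows a downloader hit followed by a C2 POST (10.1.2.33 in the sample) has most likely already run the .wsf and executed the decoded DLL; a downloader hit alone may be a blocked or failed fetch and should be checked against the response status.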