- 2016-10-31: #locky email phishing campaign "Document No. NNNNNNN"
- Email sample:
- ---------------------------------------------------------------------------------------------------------------
- From: "DOMINIC FITZSIMONS" <accounts@[REDACTED]>
- To: [REDACTED]
- Subject: Document No 0817323945263
- Date: Mon, 31 Oct 2016 15:51:40 +0430
- Thanks for using electronic billing
- Please find your document attached
- Regards
- DOMINIC FITZSIMONS
- Attached: "File 0817323945263.zip"
- ---------------------------------------------------------------------------------------------------------------
- - sender name varied between emails, but sender email is always "accounts@<recipient domain>"
- - subject is "Document No <random numbers>"
- - attached file "(Document|Doc|File|Document No) <number>.zip" contains the file "<2 letters><4 numbers>-<4 numbers>.wsf", a JScript downloader
- Download sites (actual URLs contain suffix ?<random>=<random>):
- http://3922group.net/g7cberv
- http://abraszczecin.pl/g7cberv
- http://afh-indy.org/g7cberv
- http://ajaraheritage.ge/g7cberv
- http://alifaruk.com/g7cberv
- http://arabian-link.com/g7cberv
- http://artanatrade.com/g7cberv
- http://artemon.gr/g7cberv
- http://atelier13.ro/g7cberv
- http://bandenland.be/g7cberv
- http://bemassive.nl/g7cberv
- http://bertedu.com/g7cberv
- http://bestroyalart.com/g7cberv
- http://bobyfrancisandpradeep.com/g7cberv
- http://bolat-zhol.kz/g7cberv
- http://buynolvadexonlineshop.com/g7cberv
- http://carama.info/g7cberv
- http://caseycarrental.com/g7cberv
- http://ceil.hk/g7cberv
- http://cetinakademi.com/g7cberv
- http://charistia.info/g7cberv
- http://crossroadsmgmt.com/g7cberv
- http://ctrlalt.de/g7cberv
- http://dbtsites.com/g7cberv
- http://decoracionbebes.com/g7cberv
- http://detectodecolombia.com/g7cberv
- http://devinkellerart.com/g7cberv
- http://ditjenp2p.info/g7cberv
- http://drevenefasady.eu/g7cberv
- http://ekotracks.com/g7cberv
- http://emg.su/g7cberv
- http://en.fitgrp.com/g7cberv
- http://enliveshow.com/g7cberv
- http://fortuneprixgroup.com/g7cberv
- http://freehosted.netai.net/g7cberv
- http://grupotalents.com/g7cberv
- http://halimbamdad.ir/g7cberv
- http://haydistributing.com/g7cberv
- http://hundeschulegoerg.de/g7cberv
- http://inventionsteel.com/g7cberv
- http://ipmart.co.in/g7cberv
- http://jianshu100.com/g7cberv
- http://jnzbookkeeping.com/g7cberv
- http://kavehconsultancy.co/g7cberv
- http://liftaccessory.com/g7cberv
- http://lux-luster.com/g7cberv
- http://monoadage.net/g7cberv
- http://nbjzpx.com/g7cberv
- http://net2008.com/g7cberv
- http://nixvector.com/g7cberv
- http://oakridge-realty.com/g7cberv
- http://oualili.org/g7cberv
- http://pandoracharm.ru/g7cberv
- http://panel.steelpars.com/g7cberv
- http://paulasalamanca.com/g7cberv
- http://peskara.com/g7cberv
- http://pidaco.com/g7cberv
- http://reviewprimer.com/g7cberv
- http://ri-vyoo.com/g7cberv
- http://rkanswers.com/g7cberv
- http://rktest.net/g7cberv
- http://rndled.com/g7cberv
- http://unoldontal.com/g7cberv
- http://www.a2zportals.com/g7cberv
- http://www.shavash.ir/g7cberv
- http://www.webframez.com/g7cberv
- http://zist-konkur.ir/g7cberv
- UPDATED:
- http://bwdianji.com/g7cberv
- http://drpneu.ro/g7cberv
- http://gopa1.ru/g7cberv
- UPDATED:
- http://doolotto.com/g7cberv
- http://dor29.ru/g7cberv
- http://trustcarts.com/g7cberv
- http://xn--72c6awi9b2bj7ixcg4c.com/g7cberv
- UPDATED:
- http://1y9y.com/g7cberv
- http://andrewclark.com.au/g7cberv
- http://ashbury.bg/g7cberv
- http://blogmepro.com/g7cberv
- http://dobromoda.ru/g7cberv
- http://lzeshine.com/g7cberv
- http://newdawnexperience.com/g7cberv
- http://webframez.com/g7cberv
- Malware:
- - payload is served encoded by the download sites; SHA256s of the encoded files:
- - ab8f5f68bfcdfb992a9dd588d20664e7594d346af481ade880698057fd3e326f [1]
- - ca62c681001855ffafbd825aa0c72dcd72f862045c475cb03776a6aa24b717df
- - 66a3cbfc97ac1ec27264d7a63a3d928098f7e0a1762c7199e5926358db119f4c
- - decoded payload:
- - 90dbb959c99f85a72dbdf815c6a58c178fc792c557be1e0bbd169e04419c2326 [1]
- C2:
- POST http://146.120.89.98/linuxsucks.php
- POST http://91.107.107.241/linuxsucks.php
- POST http://95.163.107.41/linuxsucks.php
- POST http://qmpjahywogpyioerf.biz/linuxsucks.php
- POST http://vkvxbveyfeccnuyvu.ru/linuxsucks.php
- POST http://svyicrhibs.ru/linuxsucks.php
- POST http://awmgrjflvvh.info/linuxsucks.php
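- Added example, not part of the original paste: a small Python detection module that turns the lure, download-URL and C2 indicators above into checks a mail-gateway or proxy-log triage script can run. The regexes are my transcription of the naming schemes described in the paste (subject, ZIP name, inner .wsf name); the sample message and proxy log lines are constructed, and the recipient domain example.com is assumed because the paste redacts it. Download URLs are matched on path only, since the paste notes the query string is random.

```python
"""Detection helpers for the 2016-10-31 Locky "Document No" campaign.

Added example, not code from the original paste. Patterns are a transcription
of the indicators listed there; sample inputs below are constructed.
"""
import re
from urllib.parse import urlparse

# Lure (from the paste): From is always accounts@<recipient domain>, subject is
# "Document No <digits>", ZIP is "(Document|Doc|File|Document No) <digits>.zip"
# and contains "<2 letters><4 digits>-<4 digits>.wsf".
SUBJECT_RE = re.compile(r"^Document No\.? \d+$")
ATTACH_RE = re.compile(r"^(?:Document No|Document|Doc|File) \d+\.zip$", re.IGNORECASE)
WSF_RE = re.compile(r"^[A-Za-z]{2}\d{4}-\d{4}\.wsf$", re.IGNORECASE)

# Network indicators (from the paste). Every download host serves the same
# path with a random ?x=y suffix, so match on path, not on the host list.
DOWNLOAD_PATH = "/g7cberv"
C2_PATH = "/linuxsucks.php"

# SHA256s from the paste: three encoded downloads and one decoded payload.
IOC_SHA256 = {
    "ab8f5f68bfcdfb992a9dd588d20664e7594d346af481ade880698057fd3e326f",
    "ca62c681001855ffafbd825aa0c72dcd72f862045c475cb03776a6aa24b717df",
    "66a3cbfc97ac1ec27264d7a63a3d928098f7e0a1762c7199e5926358db119f4c",
    "90dbb959c99f85a72dbdf815c6a58c178fc792c557be1e0bbd169e04419c2326",
}


def split_address(addr):
    """Return (local_part, domain) for 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<([^>]+)>", addr)
    bare = (m.group(1) if m else addr).strip().lower()
    local, _, domain = bare.rpartition("@")
    return local, domain


def score_email(sender, recipient, subject, attachments):
    """Return the list of campaign indicators one message matches.

    attachments: list of (zip_name, [names of files inside the zip]).
    """
    hits = []
    s_local, s_domain = split_address(sender)
    _, r_domain = split_address(recipient)
    # The From header spoofs the victim's own domain; an SPF/DMARC failure on
    # the same message is the cheap corroborating signal.
    if s_local == "accounts" and s_domain and s_domain == r_domain:
        hits.append("from=accounts@<recipient domain>")
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject=Document No <digits>")
    for zip_name, inner in attachments:
        if ATTACH_RE.match(zip_name):
            hits.append("zip name pattern: " + zip_name)
        for name in inner:
            if WSF_RE.match(name):
                hits.append("wsf downloader in zip: " + name)
    return hits


def is_download_url(url):
    p = urlparse(url)
    return p.scheme == "http" and p.path == DOWNLOAD_PATH


def is_c2_request(method, url):
    return method.upper() == "POST" and urlparse(url).path == C2_PATH


def scan_proxy_log(lines):
    """Classify 'METHOD URL' proxy log lines; returns [(label, url)]."""
    findings = []
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        method, url = parts[0], parts[1].strip()
        if is_download_url(url):
            findings.append(("locky-download", url))
        elif is_c2_request(method, url):
            findings.append(("locky-c2", url))
    return findings


def hash_hits(hashes):
    """Return the subset of the given SHA256s that are known campaign IOCs."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)


# Constructed sample modelled on the paste's email; recipient domain assumed.
SAMPLE_EMAIL = dict(
    sender='"DOMINIC FITZSIMONS" <accounts@example.com>',
    recipient="someone@example.com",
    subject="Document No 0817323945263",
    attachments=[("File 0817323945263.zip", ["KT4821-0093.wsf"])],
)

# Constructed proxy log lines; query string values are arbitrary.
SAMPLE_PROXY_LOG = [
    "GET http://3922group.net/g7cberv?nkq=8ah2",
    "GET http://3922group.net/index.php",
    "POST http://146.120.89.98/linuxsucks.php",
    "GET http://146.120.89.98/linuxsucks.php",
]

if __name__ == "__main__":
    for h in score_email(**SAMPLE_EMAIL):
        print("email:", h)
    for label, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(label, url)
```

- Matching the C2 on method plus path rather than on the listed IPs and DGA-style domains keeps the rule useful when the infrastructure rotates; pair it with the host list from the paste for a higher-confidence alert.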