Racco42

2016-10-31 Locky "Document No xxxxxx"

Oct 31st, 2016
2016-10-31: #locky email phishing campaign "Document No. NNNNNNN"

Email sample:
---------------------------------------------------------------------------------------------------------------
From: "DOMINIC FITZSIMONS" <accounts@[REDACTED]>
To: [REDACTED]
Subject: Document No 0817323945263
Date: Mon, 31 Oct 2016 15:51:40 +0430

Thanks for using electronic billing

Please find your document attached

Regards

DOMINIC FITZSIMONS

Attached: "File 0817323945263.zip"
---------------------------------------------------------------------------------------------------------------
- sender name varied between emails, but sender email is always "accounts@<recipient domain>" (i.e. the From address is spoofed to look internal to the target)
- subject is "Document No <random numbers>"
- attached file "(Document|Doc|File|Document No) <number>.zip" contains file "<2 letters><4 numbers>-<4 numbers>.wsf", a JScript downloader
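Added example, not part of the original paste and not the campaign's own code: a Python triage script that turns the three patterns above (spoofed accounts@<recipient domain> sender, "Document No <digits>" subject, zip attachment whose member is a <2 letters><4 digits>-<4 digits>.wsf) into checks over a parsed message. The message it scores is constructed here to match the description; the addresses use example.com and the .wsf inside the zip is a placeholder string, not the real downloader.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns from the campaign description; "random numbers" is assumed to mean one or more digits
SUBJECT_RE = re.compile(r"^Document No \d+$")
ZIP_NAME_RE = re.compile(r"^(?:Document No|Document|Doc|File) \d+\.zip$", re.IGNORECASE)
WSF_NAME_RE = re.compile(r"^[A-Za-z]{2}\d{4}-\d{4}\.wsf$")


def sender_spoofs_recipient(msg):
    """True when From is accounts@<domain of the (first) To address>."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    if "@" not in from_addr or "@" not in to_addr:
        return False
    from_local, from_dom = from_addr.rsplit("@", 1)
    to_dom = to_addr.rsplit("@", 1)[1]
    return from_local.lower() == "accounts" and from_dom.lower() == to_dom.lower()


def wsf_members(zip_bytes):
    """Names inside the zip that match the downloader naming pattern; [] if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if WSF_NAME_RE.match(n)]
    except zipfile.BadZipFile:
        return []


def score_message(msg):
    """Return the list of campaign indicators an EmailMessage matches (empty = no match)."""
    hits = []
    if sender_spoofs_recipient(msg):
        hits.append("sender accounts@<recipient domain>")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject 'Document No <digits>'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ZIP_NAME_RE.match(name):
            hits.append("zip attachment name pattern")
            # Only the member name is checked here; a real triage step would also
            # extract and inspect the script itself.
            if wsf_members(part.get_payload(decode=True)):
                hits.append("zip contains <2 letters><4 digits>-<4 digits>.wsf")
    return hits


def build_sample():
    """Constructed message modelled on the sample above (example.com addresses, placeholder .wsf)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ab1234-5678.wsf", "<job><script language='JScript'>// placeholder</script></job>")
    msg = EmailMessage()
    msg["From"] = '"DOMINIC FITZSIMONS" <accounts@example.com>'
    msg["To"] = "jane.doe@example.com"
    msg["Subject"] = "Document No 0817323945263"
    msg.set_content("Thanks for using electronic billing\n\nPlease find your document attached\n\nRegards\n\nDOMINIC FITZSIMONS\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="File 0817323945263.zip")
    return msg


def build_benign():
    """Constructed ordinary billing mail that should not match."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "jane.doe@example.com"
    msg["Subject"] = "Invoice 4471 for October"
    msg.set_content("Please see the attached PDF.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice-4471.pdf")
    return msg


if __name__ == "__main__":
    print(score_message(build_sample()))   # all four indicators
    print(score_message(build_benign()))   # []
```

The sender check alone is worth keeping even if the subject and attachment names change: mail from accounts@<your own domain> that arrives from outside should fail SPF/DMARC, and a gateway rule on that alone would have caught every message in this wave.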

Download sites (actual URLs contain suffix ?<random>=<random>):
http://3922group.net/g7cberv
http://abraszczecin.pl/g7cberv
http://afh-indy.org/g7cberv
http://ajaraheritage.ge/g7cberv
http://alifaruk.com/g7cberv
http://arabian-link.com/g7cberv
http://artanatrade.com/g7cberv
http://artemon.gr/g7cberv
http://atelier13.ro/g7cberv
http://bandenland.be/g7cberv
http://bemassive.nl/g7cberv
http://bertedu.com/g7cberv
http://bestroyalart.com/g7cberv
http://bobyfrancisandpradeep.com/g7cberv
http://bolat-zhol.kz/g7cberv
http://buynolvadexonlineshop.com/g7cberv
http://carama.info/g7cberv
http://caseycarrental.com/g7cberv
http://ceil.hk/g7cberv
http://cetinakademi.com/g7cberv
http://charistia.info/g7cberv
http://crossroadsmgmt.com/g7cberv
http://ctrlalt.de/g7cberv
http://dbtsites.com/g7cberv
http://decoracionbebes.com/g7cberv
http://detectodecolombia.com/g7cberv
http://devinkellerart.com/g7cberv
http://ditjenp2p.info/g7cberv
http://drevenefasady.eu/g7cberv
http://ekotracks.com/g7cberv
http://emg.su/g7cberv
http://en.fitgrp.com/g7cberv
http://enliveshow.com/g7cberv
http://fortuneprixgroup.com/g7cberv
http://freehosted.netai.net/g7cberv
http://grupotalents.com/g7cberv
http://halimbamdad.ir/g7cberv
http://haydistributing.com/g7cberv
http://hundeschulegoerg.de/g7cberv
http://inventionsteel.com/g7cberv
http://ipmart.co.in/g7cberv
http://jianshu100.com/g7cberv
http://jnzbookkeeping.com/g7cberv
http://kavehconsultancy.co/g7cberv
http://liftaccessory.com/g7cberv
http://lux-luster.com/g7cberv
http://monoadage.net/g7cberv
http://nbjzpx.com/g7cberv
http://net2008.com/g7cberv
http://nixvector.com/g7cberv
http://oakridge-realty.com/g7cberv
http://oualili.org/g7cberv
http://pandoracharm.ru/g7cberv
http://panel.steelpars.com/g7cberv
http://paulasalamanca.com/g7cberv
http://peskara.com/g7cberv
http://pidaco.com/g7cberv
http://reviewprimer.com/g7cberv
http://ri-vyoo.com/g7cberv
http://rkanswers.com/g7cberv
http://rktest.net/g7cberv
http://rndled.com/g7cberv
http://unoldontal.com/g7cberv
http://www.a2zportals.com/g7cberv
http://www.shavash.ir/g7cberv
http://www.webframez.com/g7cberv
http://zist-konkur.ir/g7cberv

UPDATED:
http://bwdianji.com/g7cberv
http://drpneu.ro/g7cberv
http://gopa1.ru/g7cberv

UPDATED:
http://doolotto.com/g7cberv
http://dor29.ru/g7cberv
http://trustcarts.com/g7cberv
http://xn--72c6awi9b2bj7ixcg4c.com/g7cberv

UPDATED:
http://1y9y.com/g7cberv
http://andrewclark.com.au/g7cberv
http://ashbury.bg/g7cberv
http://blogmepro.com/g7cberv
http://dobromoda.ru/g7cberv
http://lzeshine.com/g7cberv
http://newdawnexperience.com/g7cberv
http://webframez.com/g7cberv

Malware:
- as served by the download sites (encoded; the .wsf decodes it), SHA256s:
- ab8f5f68bfcdfb992a9dd588d20664e7594d346af481ade880698057fd3e326f [1]
- ca62c681001855ffafbd825aa0c72dcd72f862045c475cb03776a6aa24b717df
- 66a3cbfc97ac1ec27264d7a63a3d928098f7e0a1762c7199e5926358db119f4c
- decoded payload, SHA256:
- 90dbb959c99f85a72dbdf815c6a58c178fc792c557be1e0bbd169e04419c2326 [1]

C2:
POST http://146.120.89.98/linuxsucks.php
POST http://91.107.107.241/linuxsucks.php
POST http://95.163.107.41/linuxsucks.php
POST http://qmpjahywogpyioerf.biz/linuxsucks.php
POST http://vkvxbveyfeccnuyvu.ru/linuxsucks.php
POST http://svyicrhibs.ru/linuxsucks.php
POST http://awmgrjflvvh.info/linuxsucks.php
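Added example, not from the original paste: a Python checker that applies the download-URL and C2 indicators above to proxy-log lines. The log format (timestamp, source IP, method, URL, status) and the log lines are constructed for the example, and zzz.example stands in for a C2 host that is not on the list. It keys on the /g7cberv path and on POSTs to /linuxsucks.php rather than on hostnames alone, because the UPDATED lists above show the download hosts kept changing while the path did not, and it then correlates the two events per source IP, since a download followed by a C2 POST from the same client is a much stronger signal than either alone.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators from the paste; the C2 host set is the full list, the download hosts are
# deliberately not enumerated because the path is the stable part.
DOWNLOAD_PATH = "/g7cberv"
C2_PATH = "/linuxsucks.php"
C2_HOSTS = {
    "146.120.89.98", "91.107.107.241", "95.163.107.41",
    "qmpjahywogpyioerf.biz", "vkvxbveyfeccnuyvu.ru",
    "svyicrhibs.ru", "awmgrjflvvh.info",
}

# Constructed log format: "<timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample traffic: one client does download + C2, another only touches the path
SAMPLE_LOG = [
    "2016-10-31T12:03:11Z 10.0.0.15 GET http://3922group.net/g7cberv?kfjd=93kd 200",
    "2016-10-31T12:03:12Z 10.0.0.15 GET http://newdawnexperience.com/g7cberv?a=b 200",
    "2016-10-31T12:03:40Z 10.0.0.15 POST http://146.120.89.98/linuxsucks.php 200",
    "2016-10-31T12:03:41Z 10.0.0.15 POST http://zzz.example/linuxsucks.php 200",
    "2016-10-31T12:05:00Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2016-10-31T12:06:00Z 10.0.0.22 GET http://3922group.net/g7cberv 404",
]


def classify(line):
    """Return (src_ip, tag, host) when a log line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    if m["method"] == "GET" and u.path == DOWNLOAD_PATH:
        params = parse_qsl(u.query, keep_blank_values=True)
        # the campaign URLs carry exactly one ?<random>=<random> pair; flag anything else
        tag = "download" if len(params) == 1 else "download-odd-query"
        return (m["src"], tag, host)
    if m["method"] == "POST" and u.path == C2_PATH:
        tag = "c2-known-host" if host in C2_HOSTS else "c2-new-host"
        return (m["src"], tag, host)
    return None


def scan(lines):
    """All indicator hits across a list of log lines."""
    return [hit for hit in map(classify, lines) if hit]


def likely_infected(hits):
    """Source IPs that both fetched the downloader path and posted to the C2 path."""
    stages = {}
    for src, tag, _ in hits:
        stages.setdefault(src, set()).add(tag.split("-")[0])  # "download" or "c2"
    return sorted(src for src, seen in stages.items() if {"download", "c2"} <= seen)


def new_c2_hosts(hits):
    """C2 hosts seen in traffic that are not yet in the indicator list (candidates to add)."""
    return sorted({host for _, tag, host in hits if tag == "c2-new-host"})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("likely infected:", likely_infected(hits))
    print("unlisted C2 hosts:", new_c2_hosts(hits))
```

Two practical notes: the /g7cberv path is short enough to collide with legitimate URLs in principle, so treat a lone hit as a lead and the download-then-POST pair as the alert; and a 404 on the download path (the last constructed line) still identifies a client that opened the attachment, which is worth a look even though no payload arrived.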