- 2016-11-07: #locky email phishing campaign "[Scan] 2016-1107 hh:mm:ss"
- Email sample:
- -----------------------------------------------------------------------------------------------------------
- From: "KRISTINA FERRANT" <kristina.ferrant.182@furtacor.com.br>
- To: [REDACTED]
- Subject: [Scan] 2016-1108 04:52:51
- Date: Tue, 08 Nov 2016 04:52:51 +0530
- --
- Sent with Genius Scan for iOS.
- Attached: "2016-1108 04-52-51.zip"
- -----------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "[Scan] 2016-110(7|8) <hh:mm:ss>"
- - attached file "2016-110(7|8) <hh-mm-ss>.zip" contains file "<3 letters><5 or 6 digits>-<4 digits>.wsf", a JScript downloader
- Download sites (the live URLs carry a trailing ?<random>=<random> query string, which does not affect the download, so match on host and path only):
- http://84com.com/98ynhce
- http://9diao.cn/98ynhce
- http://altiarre.com/98ynhce
- http://androiddownload.parminsoft.ir/98ynhce
- http://art116.be/98ynhce
- http://barconovo.com.br/98ynhce
- http://bursacicekmagazasi.com/98ynhce
- http://chinadj.org/98ynhce
- http://cloud.mfc-ps.de/98ynhce
- http://cozyculmy.com/98ynhce
- http://editoramanancial.com/98ynhce
- http://enalab.com/98ynhce
- http://erotiquencounters.com/98ynhce
- http://fjsxsp.cn/98ynhce
- http://flexflex.nl/98ynhce
- http://fluke435.com/98ynhce
- http://foetschl.at/98ynhce
- http://folklorehotel.com/98ynhce
- http://forevergarmindo.com/98ynhce
- http://forexplus.org/98ynhce
- http://fotok.hu/98ynhce
- http://fotolovec.kvalitne.cz/98ynhce
- http://freedomwithin.org/98ynhce
- http://freeme.6te.net/98ynhce
- http://frvr.com.ar/98ynhce
- http://fulon.com/98ynhce
- http://fultonstreetcenter.org/98ynhce
- http://furious.pl/98ynhce
- http://futuregroup.cz/98ynhce
- http://fuzon.be/98ynhce
- http://g9bangkok.com/98ynhce
- http://ganetek.com/98ynhce
- http://garenaqua.com/98ynhce
- http://gatelink.com.my/98ynhce
- http://gaznordest.ro/98ynhce
- http://gcpartyhire.com.au/98ynhce
- http://gelukspoppetje.nl/98ynhce
- http://genevavip.ch/98ynhce
- http://georisk.cn/98ynhce
- http://gilpat.com/98ynhce
- http://girlstravelling.com/98ynhce
- http://globshop.eu/98ynhce
- http://glutax-ori.com/98ynhce
- http://gnnet.co.kr/98ynhce
- http://golden-y.com/98ynhce
- http://gold-insurance.com/98ynhce
- http://golfmajor.eu/98ynhce
- http://gostaythere.com/98ynhce
- http://gosto.cn/98ynhce
- http://gotm.ru/98ynhce
- http://govorokhm.ru/98ynhce
- http://gssp.pl/98ynhce
- http://gto-cro.com/98ynhce
- http://gtodo.com.ar/98ynhce
- http://gumorca.com/98ynhce
- http://gumuscorap.com/98ynhce
- http://gxaiq.com/98ynhce
- http://hallucigenia.info/98ynhce
- http://hamroinvestments.com/98ynhce
- http://hdspycamera.ro/98ynhce
- http://hermeticoclub.com/98ynhce
- http://hero-ny.org/98ynhce
- http://hi-ke.de/98ynhce
- http://hikingfoot.com/98ynhce
- http://hiperonline.net/98ynhce
- http://hoangluong.com/98ynhce
- http://inetcon.de/98ynhce
- http://nikolatesla.jp/98ynhce
- http://notgeile-amateure.com/98ynhce
- http://phoenix-24.de/98ynhce
- http://test.h2604508.stratoserver.net/98ynhce
- http://veltepelew.net/98ynhce
- Malware:
- - encoded on download, SHA256 7082e5e8b0b6135101604686c079123b2777f8ca159796d08b0aa115893ba112, MD5 e84e40890ce7655d42b2076075783c78
- - decoded SHA256 94da93f36182f5d8da8cb3e9b45bbfe23ef5e0a21cef07a0d917bfae3be7324a, MD5 c9365de8c97831e84f77172b43d8a37c
- - executed by "rundll32.exe %TEMP%/<dll_name>,makefile"
- C2:
- POST http://176.103.56.120/message.php
- POST http://81.177.27.222/message.php
- POST http://bnmqkgdlotrwqym.work/message.php
- POST http://dmynnrrvse.org/message.php
- POST http://gccaoqb.xyz/message.php
- POST http://jcbbccd.pl/message.php
- POST http://ksrcvmvfbc.org/message.php
- POST http://mwyryuxoyhxlk.work/message.php
- POST http://ornrkiokjkkqymw.org/message.php
- POST http://rqrxrivxjt.pl/message.php
- POST http://ummprtrxunm.xyz/message.php
- POST http://wmcrfvhf.org/message.php
- POST http://wmstntaae.su/message.php
- POST http://xdriwlpllshhngyc.xyz/message.php
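Added detection example (not part of the original paste) that turns the indicators above into checks a defender can run: the subject, zip and .wsf naming patterns from the email description, the download URI path with the throwaway query string stripped, the C2 hosts and path, and the rundll32 ",makefile" execution line. The proxy log lines and the command lines it is run over are constructed sample data; only a subset of the C2 hosts is embedded, and the field layout of the log is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the campaign note; hosts below are a subset of the C2 list.
DOWNLOAD_PATH = "/98ynhce"
C2_PATH = "/message.php"
C2_HOSTS = {"176.103.56.120", "81.177.27.222", "bnmqkgdlotrwqym.work", "wmstntaae.su"}

# Naming patterns: "[Scan] 2016-110(7|8) hh:mm:ss", "2016-110(7|8) hh-mm-ss.zip",
# and the "<3 letters><5 or 6 digits>-<4 digits>.wsf" downloader inside the zip.
SUBJECT_RE = re.compile(r"^\[Scan\] 2016-110[78] \d{2}:\d{2}:\d{2}$")
ZIP_RE = re.compile(r"^2016-110[78] \d{2}-\d{2}-\d{2}\.zip$")
WSF_RE = re.compile(r"^[A-Za-z]{3}\d{5,6}-\d{4}\.wsf$")
# "rundll32.exe %TEMP%/<dll_name>,makefile" (also matches an expanded ...\Temp\ path)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+.*?temp%?[\\/][^\s,]+,makefile\b", re.I)


def classify_email(subject, attachment_names, archive_member_names):
    """Return the names of the email-level indicators that matched."""
    hits = []
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    if any(ZIP_RE.match(name) for name in attachment_names):
        hits.append("zip_name")
    if any(WSF_RE.match(name) for name in archive_member_names):
        hits.append("wsf_member")
    return hits


def normalize_url(url):
    """Return (host, path); drops the ?<random>=<random> query the campaign appends."""
    parts = urlsplit(url.strip())
    return parts.hostname or "", parts.path or "/"


def is_download_url(url):
    host, path = normalize_url(url)
    return bool(host) and path == DOWNLOAD_PATH


def is_c2_url(url):
    host, path = normalize_url(url)
    return host in C2_HOSTS and path == C2_PATH


def is_locky_rundll32(cmdline):
    """True for a process command line matching the paste's execution pattern."""
    return RUNDLL_RE.search(cmdline) is not None


def scan_proxy_log(lines):
    """Yield (line_number, label) for lines whose URL hits a download or C2 indicator.
    Assumed layout: <timestamp> <client_ip> <method> <url> <status>."""
    alerts = []
    for number, line in enumerate(lines, 1):
        url = next((f for f in line.split() if f.startswith("http")), None)
        if url is None:
            continue
        if is_download_url(url):
            alerts.append((number, "locky_download"))
        elif is_c2_url(url):
            alerts.append((number, "locky_c2"))
    return alerts


# Constructed sample proxy log (not real traffic).
SAMPLE_PROXY_LOG = """\
2016-11-08T04:55:01 10.0.0.5 GET http://fotok.hu/98ynhce?q1w2=e3r4 200
2016-11-08T04:55:09 10.0.0.5 GET http://www.example.com/index.html 200
2016-11-08T04:56:30 10.0.0.5 POST http://bnmqkgdlotrwqym.work/message.php 200
""".splitlines()


if __name__ == "__main__":
    print(classify_email("[Scan] 2016-1108 04:52:51",
                         ["2016-1108 04-52-51.zip"], ["abc12345-6789.wsf"]))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(is_locky_rundll32(r"rundll32.exe %TEMP%/abcd.dll,makefile"))
```

The URL checks deliberately ignore the query string and compare the path exactly, so any of the compromised download hosts is caught without listing each one, while an unrelated site that happens to serve /message.php is not flagged unless its host is on the C2 list.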