Racco42

2016-11-07 Locky "[Scan] 2016-1107"

Nov 8th, 2016
2016-11-07: #locky email phishing campaign "[Scan] 2016-1107 hh:mm:ss"

Email sample:
-----------------------------------------------------------------------------------------------------------
From: "KRISTINA FERRANT" <kristina.ferrant.182@furtacor.com.br>
To: [REDACTED]
Subject: [Scan] 2016-1108 04:52:51
Date: Tue, 08 Nov 2016 04:52:51 +0530

--
Sent with Genius Scan for iOS.

Attached: "2016-1108 04-52-51.zip"
-----------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "[Scan] 2016-110(7|8) <hh:mm:ss>"
- attached file "2016-110(7|8) <hh-mm-ss>.zip" contains file "<3 letters><5 or 6 digits>-<4 digits>.wsf", a JScript downloader

Download sites (actual URLs carry a suffix ?<random>=<random> which does not influence the download):
http://84com.com/98ynhce
http://9diao.cn/98ynhce
http://altiarre.com/98ynhce
http://androiddownload.parminsoft.ir/98ynhce
http://art116.be/98ynhce
http://barconovo.com.br/98ynhce
http://bursacicekmagazasi.com/98ynhce
http://chinadj.org/98ynhce
http://cloud.mfc-ps.de/98ynhce
http://cozyculmy.com/98ynhce
http://editoramanancial.com/98ynhce
http://enalab.com/98ynhce
http://erotiquencounters.com/98ynhce
http://fjsxsp.cn/98ynhce
http://flexflex.nl/98ynhce
http://fluke435.com/98ynhce
http://foetschl.at/98ynhce
http://folklorehotel.com/98ynhce
http://forevergarmindo.com/98ynhce
http://forexplus.org/98ynhce
http://fotok.hu/98ynhce
http://fotolovec.kvalitne.cz/98ynhce
http://freedomwithin.org/98ynhce
http://freeme.6te.net/98ynhce
http://frvr.com.ar/98ynhce
http://fulon.com/98ynhce
http://fultonstreetcenter.org/98ynhce
http://furious.pl/98ynhce
http://futuregroup.cz/98ynhce
http://fuzon.be/98ynhce
http://g9bangkok.com/98ynhce
http://ganetek.com/98ynhce
http://garenaqua.com/98ynhce
http://gatelink.com.my/98ynhce
http://gaznordest.ro/98ynhce
http://gcpartyhire.com.au/98ynhce
http://gelukspoppetje.nl/98ynhce
http://genevavip.ch/98ynhce
http://georisk.cn/98ynhce
http://gilpat.com/98ynhce
http://girlstravelling.com/98ynhce
http://globshop.eu/98ynhce
http://glutax-ori.com/98ynhce
http://gnnet.co.kr/98ynhce
http://golden-y.com/98ynhce
http://gold-insurance.com/98ynhce
http://golfmajor.eu/98ynhce
http://gostaythere.com/98ynhce
http://gosto.cn/98ynhce
http://gotm.ru/98ynhce
http://govorokhm.ru/98ynhce
http://gssp.pl/98ynhce
http://gto-cro.com/98ynhce
http://gtodo.com.ar/98ynhce
http://gumorca.com/98ynhce
http://gumuscorap.com/98ynhce
http://gxaiq.com/98ynhce
http://hallucigenia.info/98ynhce
http://hamroinvestments.com/98ynhce
http://hdspycamera.ro/98ynhce
http://hermeticoclub.com/98ynhce
http://hero-ny.org/98ynhce
http://hi-ke.de/98ynhce
http://hikingfoot.com/98ynhce
http://hiperonline.net/98ynhce
http://hoangluong.com/98ynhce
http://inetcon.de/98ynhce
http://nikolatesla.jp/98ynhce
http://notgeile-amateure.com/98ynhce
http://phoenix-24.de/98ynhce
http://test.h2604508.stratoserver.net/98ynhce
http://veltepelew.net/98ynhce

Malware:
- downloaded payload is encoded: SHA256 7082e5e8b0b6135101604686c079123b2777f8ca159796d08b0aa115893ba112, MD5 e84e40890ce7655d42b2076075783c78
- decoded payload: SHA256 94da93f36182f5d8da8cb3e9b45bbfe23ef5e0a21cef07a0d917bfae3be7324a, MD5 c9365de8c97831e84f77172b43d8a37c
- executed by "rundll32.exe %TEMP%/<dll_name>,makefile"

C2:
POST http://176.103.56.120/message.php
POST http://81.177.27.222/message.php
POST http://bnmqkgdlotrwqym.work/message.php
POST http://dmynnrrvse.org/message.php
POST http://gccaoqb.xyz/message.php
POST http://jcbbccd.pl/message.php
POST http://ksrcvmvfbc.org/message.php
POST http://mwyryuxoyhxlk.work/message.php
POST http://ornrkiokjkkqymw.org/message.php
POST http://rqrxrivxjt.pl/message.php
POST http://ummprtrxunm.xyz/message.php
POST http://wmcrfvhf.org/message.php
POST http://wmstntaae.su/message.php
POST http://xdriwlpllshhngyc.xyz/message.php
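Added detection example (not part of the paste): a small Python helper that turns the lure pattern from the notes above and the network indicators (download path, C2 hosts, payload hashes) into checks a mail gateway or proxy-log review could run. The proxy log layout ("timestamp client method url status") and the sample lines are constructed for the example; the hash set, path strings and host list are taken from the paste. Query strings are stripped before matching, since the notes say the random ?<x>=<y> suffix does not change the download.

```python
import re
from urllib.parse import urlparse

# Lure patterns, transcribed from the campaign description above.
SUBJECT_RE = re.compile(r"^\[Scan\] 2016-110[78] \d{2}:\d{2}:\d{2}$")
ZIP_NAME_RE = re.compile(r"^2016-110[78] \d{2}-\d{2}-\d{2}\.zip$")
WSF_NAME_RE = re.compile(r"^[A-Za-z]{3}\d{5,6}-\d{4}\.wsf$")

# Network indicators from the paste. Download hosts vary widely, so the
# stable indicator there is the path; C2 hosts are listed explicitly.
DOWNLOAD_PATH = "/98ynhce"
C2_PATH = "/message.php"
C2_HOSTS = {
    "176.103.56.120", "81.177.27.222", "bnmqkgdlotrwqym.work", "dmynnrrvse.org",
    "gccaoqb.xyz", "jcbbccd.pl", "ksrcvmvfbc.org", "mwyryuxoyhxlk.work",
    "ornrkiokjkkqymw.org", "rqrxrivxjt.pl", "ummprtrxunm.xyz", "wmcrfvhf.org",
    "wmstntaae.su", "xdriwlpllshhngyc.xyz",
}
PAYLOAD_SHA256 = {
    "7082e5e8b0b6135101604686c079123b2777f8ca159796d08b0aa115893ba112",  # encoded download
    "94da93f36182f5d8da8cb3e9b45bbfe23ef5e0a21cef07a0d917bfae3be7324a",  # decoded DLL
}


def email_matches_campaign(subject, zip_name, zip_members):
    """True when subject, zip name and at least one zip member fit the lure."""
    return bool(
        SUBJECT_RE.match(subject)
        and ZIP_NAME_RE.match(zip_name)
        and any(WSF_NAME_RE.match(member) for member in zip_members)
    )


def classify_request(method, url):
    """Return 'download', 'c2' or None for one HTTP request.

    The query string is ignored on purpose: the downloader appends a random
    ?<x>=<y> suffix, so only scheme-less host and path are compared.
    """
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    if method == "GET" and path == DOWNLOAD_PATH:
        return "download"
    if method == "POST" and path == C2_PATH and host in C2_HOSTS:
        return "c2"
    return None


def scan_proxy_log(lines):
    """Return (timestamp, client, verdict, url) for each matching log line.

    Expects the constructed layout 'timestamp client METHOD url status'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the sweep
        ts, client, method, url = parts[:4]
        verdict = classify_request(method, url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


def is_known_payload(sha256_hex):
    """Check a file hash against the two payload hashes from the paste."""
    return sha256_hex.lower() in PAYLOAD_SHA256


# Constructed sample proxy log (not from the paste); the second POST goes to
# a host that is not in the C2 list and must not match.
SAMPLE_LOG = [
    "2016-11-08T04:55:12Z 10.0.0.5 GET http://fotok.hu/98ynhce?kd83=ls02 200",
    "2016-11-08T04:55:40Z 10.0.0.5 GET http://fotok.hu/favicon.ico 404",
    "2016-11-08T04:56:01Z 10.0.0.5 POST http://gccaoqb.xyz/message.php 200",
    "2016-11-08T04:57:30Z 10.0.0.9 POST http://example.org/message.php 200",
]

if __name__ == "__main__":
    # Constructed attachment member name that fits the "<3 letters><5-6 digits>-<4 digits>.wsf" shape.
    print(email_matches_campaign("[Scan] 2016-1108 04:52:51",
                                 "2016-1108 04-52-51.zip", ["abc12345-6789.wsf"]))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The subject and attachment checks are deliberately combined: the subject alone is a generic scanner-app string and would false-positive on real Genius Scan mail, whereas a scanner app does not produce a .wsf inside the zip. On the network side, a GET for /98ynhce on any host is worth an alert on its own because the download hosts are compromised sites that rotate; the C2 check is kept host-bound because /message.php is far too common a path to match by itself.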