
2016-12-16 Locky "Subscription Details"

Racco42, Dec 16th, 2016
2016-12-16: #locky email phishing campaign "Subscription Details"

Email sample:
-------------------------------------------------------------------------------------------------------------------
From: "Jannie Mclean" <Mclean.Jannie@emailland.worldonline.co.uk>
To: [REDACTED]
Subject: Subscription Details
Date: Fri, 16 Dec 2016 18:11:51 +0700

Dear [REDACTED], thank for you for subscribing to our service!
All payment and ID details are in the attachment.

Attachment: user5532298.zip -> ~_0BN7RGB_~.js
-------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Subscription Details"
- attached file "user<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScript downloader

Download sites:

Malware:
- encoded on download
- decoded
- executed by "rundll32.exe %TEMP%\<filename>.ZK,ss4UauNfMNMcIepOTL3ZMr"
- samples (VirusTotal analyses of the decoded payloads)

C2:
POST http://178.209.51.223/checkupdate
POST http://37.235.50.119/checkupdate
POST http://91.226.93.111/checkupdate
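As an added detection example (not part of the paste above), the attachment naming pattern, the rundll32 command line and the C2 request shape noted in this campaign, expressed as checks run over a few constructed mail, process and proxy records; the event field names and the 203.0.113.10 address are assumptions for illustration.

```python
import re

# Indicator patterns taken from the campaign notes above. All sample records
# below are constructed for illustration; none is captured data.
ZIP_RE = re.compile(r"^user\d{7}\.zip$", re.IGNORECASE)
JS_RE = re.compile(r"^~_[A-Z0-9]{5,7}_~\.js$")
# rundll32 loading a .ZK file from %TEMP% (literal or expanded) with an export name
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*?(?:%temp%|\\temp)\\[^\\\s]+\.zk\s*,\s*\S+",
    re.IGNORECASE,
)
# HTTP POST to a bare IPv4 address with the /checkupdate path seen in the C2 list
C2_RE = re.compile(r"^POST\s+http://\d{1,3}(?:\.\d{1,3}){3}/checkupdate\b", re.IGNORECASE)

def attachment_matches(zip_name, inner_names):
    """True if the zip name and at least one contained file fit the lure pattern."""
    return bool(ZIP_RE.match(zip_name)) and any(JS_RE.match(n) for n in inner_names)

def cmdline_matches(cmdline):
    """True if a process command line matches the observed rundll32 invocation."""
    return RUNDLL_RE.search(cmdline) is not None

def c2_matches(request_line):
    """True if a proxy request line matches the observed C2 check-in shape."""
    return C2_RE.match(request_line) is not None

def scan_events(events):
    """Return the ids of events that hit any of the three indicator checks."""
    hits = []
    for ev in events:
        if ev["type"] == "mail" and attachment_matches(ev["zip"], ev["inner"]):
            hits.append(ev["id"])
        elif ev["type"] == "process" and cmdline_matches(ev["cmdline"]):
            hits.append(ev["id"])
        elif ev["type"] == "proxy" and c2_matches(ev["request"]):
            hits.append(ev["id"])
    return hits

SAMPLE_EVENTS = [  # constructed records; 203.0.113.10 is a documentation address
    {"id": 1, "type": "mail", "zip": "user5532298.zip", "inner": ["~_0BN7RGB_~.js"]},
    {"id": 2, "type": "mail", "zip": "invoice.zip", "inner": ["invoice.pdf"]},
    {"id": 3, "type": "process",
     "cmdline": r"rundll32.exe C:\Users\a\AppData\Local\Temp\abc123.ZK,ss4UauNfMNMcIepOTL3ZMr"},
    {"id": 4, "type": "process", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 5, "type": "proxy", "request": "POST http://203.0.113.10/checkupdate"},
    {"id": 6, "type": "proxy", "request": "GET http://example.com/index.html"},
]
```

`scan_events(SAMPLE_EVENTS)` returns `[1, 3, 5]`; the checks are deliberately narrow to this campaign's naming and command-line shape and should be tuned against your own telemetry.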