SHARE
TWEET

2016-12-14 Locky "Amount Payable"

Racco42 Dec 14th, 2016 206 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-14: #locky email phishing campaign "Amount Payable"
  2.  
  3. Email sample:
  4. ---------------------------------------------------------------------------------------------------------------------
  5. From: "Normand Landry" <Landry.Normand@quakenet.ro>
  6. To: [REDACTED]
  7. Subject: Amount Payable
  8. Date: Thu, 15 Dec 2016 00:57:21 +0430
  9.  
  10. Dear [REDACTED],
  11. The amount payable has come to $38.29. All details are in the attachment.
  12. Please open the file when possible.
  13.  
  14. -
  15. Best Regards,
  16. Normand Landry
  17.  
  18. Attachment: doc_1788897.zip -> ~_A5TNJ_~.js
  19. ---------------------------------------------------------------------------------------------------------------------
  20. - sender varies between emails
  21. - subject is "Amount Payable"
  22. - attached file "doc_<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScritp downloader
  23.  
  24. Download sites:
  25. http://0668.com/k5bhgn
  26. http://250sb.com./jynvmx
  27. http://addwords.com.tr/aah6qmhv
  28. http://anti-dust.ru/7k6cp
  29. http://asdream.pl/gbbs1c
  30. http://atio.li/exjik
  31. http://bappeda.dharmasrayakab.go.id/dlhalychp
  32. http://braindouble.com/uycx51ix
  33. http://buhoutserts.ru/ufdazc6vv
  34. http://casino-okinawa.com/ejguf
  35. http://catherineduret.ch/5qpqi5ezp
  36. http://chinaxw.org/xw1ju7y6zc
  37. http://chungcuvinhomemydinh.com/6dvjasf
  38. http://crolic88.myjino.ru/1ddig
  39. http://demo.shispare.com/bvsjq
  40. http://environment.ae/0od5hn
  41. http://forbrent.com/h9kqgq
  42. http://fyd123.cn/kib6h2d9ga
  43. http://groupeelectrogeneservice.com/eefpeywf9z
  44. http://hedefosgb.com/dpyzsb6u
  45. http://hlonline.kentucky.com/i7z78
  46. http://innercityarts.squaremdesign.com/dyo1w7
  47. http://jianhu365.com/z9puqdj2eu
  48. http://malamut.org/gizb2zq
  49. http://obaloco.com.br/67mfj
  50. http://peopleprofit.in/pyihdg
  51. http://roman64.humlak.cz/7bnisgf
  52. http://rulebraker.ru/zsw4cnf9o
  53. http://scaune.qmagazin.ro/5hktu4h
  54. http://slankmethode.nl/4zzq1am
  55. http://subys.com/mjguriv80
  56. http://szwanrong.com/x5qxzpjsi
  57. http://tecnomundo.uy/a8rnlgzv
  58. http://test1.giaiphaponline.org/0ytdjs1
  59. http://test.sousouyo.com/feaetpnuee
  60. http://theamericanwake.com/xw1ju7y6zc
  61. http://travelinsider.com.au/mwaefb4b
  62. http://trietlong.net/heyus
  63. http://tx318.com/kqe4ca
  64. http://ucbus.net/usdxqqt6
  65. http://u-niwon.com/kmjg6j9ske
  66. http://vaaren.dk/ogcz6ys0d
  67. http://viscarci.com/wyqs6353
  68. http://walkonwheels.net.au/qmd1uu
  69. http://wdcd999.com/lm5z2snyqn
  70. http://web-shuttle.in/eeo9oc
  71. http://windshieldrepairvancouver.ca/qcp8k7
  72. http://wiselysoft.com/qcymgbug7
  73. http://wszystkodokuchni.pl/sl5yko7
  74. http://wudiai.com/mc3hnwd
  75. http://www.espansioneimmobiliare.com/akktnck
  76. http://www.myboatplans.net/6d7ukeco6
  77. http://wx.utaidu.com/1eybujbru
  78. http://xlr8services.com/n970foumf
  79. http://xn--k1affefe.xn--p1ai/8wzzjk24u
  80. http://youspeak.pt/liowrtxs
  81. http://yukngobrol.com/h7sfu
  82. http://zhiyuw.com/qfbdcvrul
  83. http://zwljfc.com/ld1pvjozu
  84. http://zzzort10xtest123.com/nin5k3bwo
  85.  
  86. Malware:
  87. - encoded on download
  88. 60380d4f3e5e392d7af27bc85324d7363dd644dfce4059bff832bb3dff17ff21  http___0668.com_k5bhgn
  89. 137687d668b7b4b8039f0b373f92c7b84b5c49f14c64d2f9982737b7cdcc1db7  http___250sb.com._jynvmx
  90. 65941d887fb447f13b551c295b784374fd834fabafbf7266ceea19b8ff6e8331  http___addwords.com.tr_aah6qmhv
  91. 1333357356f93875d1831193aa25fb1ff4bd6c0f04b9c1b971ef7a30cddf50b6  http___anti-dust.ru_7k6cp
  92. 3fbff9869e61846c60b500090daa34dcdedcef59940d50b7e94efad20f4af24e  http___asdream.pl_gbbs1c
  93. 5c51485c89adcc9d3e174021495b459e3e635e7935c3a4943fee691fa28f1495  http___atio.li_exjik [1]
  94. 74e94c4b500b9ad64afed2db0614c4d74c819f70f42d17db7bb44d383427fb02  http___bappeda.dharmasrayakab.go.id_dlhalychp
  95. 31c0582fe008bd0c689c5416b51dea3da31c9f19557d47cad2a2a73bb7c67389  http___braindouble.com_uycx51ix
  96. f4a1f90ba4c2f8c17591293d5cb23487e352292c4fe0670f323d33c64ffa0b43  http___buhoutserts.ru_ufdazc6vv
  97. ca367a9dc60404345f4378e16748bfc9eb9f6f3b5bdc9d3193b7ba4d6b1b4b71  http___casino-okinawa.com_ejguf
  98. 6c27687cc69afbca322a0f553af13a259ee0cd962bc43a570d9b42558775cf54  http___catherineduret.ch_5qpqi5ezp
  99. 5abf81af30ac919aa98d6451ad464bd1889f6923d038bfe0e3c806bd7aa8890c  http___chungcuvinhomemydinh.com_6dvjasf
  100. 51d8b0e56378efdf337697aababb3d2860411aa207124251989974e48fdb6974  http___crolic88.myjino.ru_1ddig
  101. f6dd414b3baac81d6c76b19a437a8d881b9ae316f2894c9a350841f587d983fb  http___demo.shispare.com_bvsjq
  102. 65803aaa66bc6a101729b223c9c6d35561bb2eb04ac109b72253645a330cfba2  http___environment.ae_0od5hn
  103. f88b7dd4a3bc6ffa0acbb484d1f8a9a0487c46d2900a47580f50349cd1e2c588  http___forbrent.com_h9kqgq [2]
  104. eef9ad652b13df46397bf0ebbf48058d5e3fe5ac05d8a0b1e9a1341133740260  http___fyd123.cn_kib6h2d9ga
  105. 24e0ce5b7e72f05e41c122c2743af3baa828ca0542af734607ab6bd11b6e1487  http___groupeelectrogeneservice.com_eefpeywf9z
  106. 63dfe370502acd3b78fc48c0ce11bf9d8e35b2fab53f949214a96e734bb34a68  http___hedefosgb.com_dpyzsb6u
  107. 94e1b546c26c96550df3d95b5efbbf420382e31537999b2014771597afc60fd1  http___hlonline.kentucky.com_i7z78
  108. 45a4f3987d25ff1d00fedd3310dc755c555149b9a0595178ccd546002157a23e  http___innercityarts.squaremdesign.com_dyo1w7
  109. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0  http___malamut.org_gizb2zq
  110. 7260fd1b41a23694c54866b0053c46d4a0412d42c75839117f5b8ddd707217ad  http___obaloco.com.br_67mfj
  111. 53104b5ea46bad10353f24f312aac4facfaea2381dba48297592bb3df0e18c55  http___peopleprofit.in_pyihdg
  112. 8fb7d12dd09f3dda073ece619a5d7f82c96d5d04598919afe65fdae0dd7b208c  http___roman64.humlak.cz_7bnisgf
  113. 1552dbbe4dc744872eca7fb0e35b256c18ca576d50c23b38a93f5adfe40e2db0  http___rulebraker.ru_zsw4cnf9o
  114. 38e159af864c3625b86ae8b01119318c193e1fecf94bd5533d735fa85d3e1fec  http___scaune.qmagazin.ro_5hktu4h
  115. f425067875dfa1ef54d3e8519e9a20a7368b31fb5458eef17b74ce41c236b3db  http___slankmethode.nl_4zzq1am
  116. 17d7054854256b0793bf6aa6700546a043e972191bba20145946a6902d1c9007  http___subys.com_mjguriv80
  117. 0df5f4a1e05ad5b4289c45bd08ab5645519e10c9ccd82b00e10312fa15258b11  http___szwanrong.com_x5qxzpjsi
  118. e9719d8d73558beefb8d5a706d2c05169cea4e98aecea19df43c8d2f0023f384  http___tecnomundo.uy_a8rnlgzv
  119. 218fd633ecd4b10003690aac020245b23f7670d143dc508d84abf95c2da60077  http___test1.giaiphaponline.org_0ytdjs1
  120. f96ba5acf26cdb1abd679b7f66d4aec67e2c64dc9d15eea0e822c16385aa7155  http___test.sousouyo.com_feaetpnuee [5]
  121. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0  http___theamericanwake.com_xw1ju7y6zc
  122. 99b654d39413500f0255c6bd900251462847a8d0bc0eff5ad699efda157607d8  http___travelinsider.com.au_mwaefb4b
  123. 0ae9b763c4332641b021705d38b5db32088abe19ef0bfdef360e9df50c396ea2  http___trietlong.net_heyus
  124. 37f5ce8fcb00a1152835efdaac775d33cf5e51eba909fc6a0b363f25bb4d84db  http___tx318.com_kqe4ca
  125. 15573792ae1923c24ac9ea35b81d39670ae0d002f74ca12ab59a8025318b0db6  http___ucbus.net_usdxqqt6 [3]
  126. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743  http___u-niwon.com_kmjg6j9ske
  127. fac51ac31cbe2cabc4a1aead779c328ebc6929e286b1e8dfb0928afaca3fee88  http___viscarci.com_wyqs6353
  128. 7942fb56210c40a5335a1d27a7b71adfff2faa10cd0e15d3b6b94092f450fc40  http___wdcd999.com_lm5z2snyqn
  129. 9c56960f149aaaa338846b2044bcb33bc410a1c07e4c6fae305b4f530744b5dc  http___web-shuttle.in_eeo9oc
  130. 4b628c53cc41568c3404342ed95b9f2ee0757536ce0cf4ce8bc840829552c22e  http___windshieldrepairvancouver.ca_qcp8k7
  131. 5487e861fc020735a22fa2270413ac0ecd67312d64ab6e3f4fe049247c37c05d  http___wiselysoft.com_qcymgbug7
  132. 0b962425f88cb33bb6f1f749b6c51445f4355e2977dbe09d14e0793c2460eaa7  http___wszystkodokuchni.pl_sl5yko7 [4]
  133. 4977658adcd5be63bf67d4467703596a7440419539c781d13ac0c2907e9b4aff  http___wudiai.com_mc3hnwd
  134. 5efbd6851f53e4dc744b3c2668190604da054cc032cdc9a8c374c6da485d6cd4  http___www.espansioneimmobiliare.com_akktnck
  135. 61e1f8f7de66c5c47bfa650a32350ddb1e6e9d276f2ab4000fbed8ab040af6f3  http___www.myboatplans.net_6d7ukeco6
  136. 653cec019e34af43b585f53fd2314c7c1be5665f839a24b83cf9aa77d168c00c  http___wx.utaidu.com_1eybujbru
  137. c079b2076b743b9330f516d6b3ad70d4f6814a75fadc9193eb8831b80f5cd195  http___xlr8services.com_n970foumf
  138. 77002e17bf31f497f8b3af7eba5784189b3d8ac17544716c896b8b6524051a57  http___xn--k1affefe.xn--p1ai_8wzzjk24u
  139. 09f320f6075ef76a0b4872e4c254d0a7232166a45d68d9343c052a44ae895b3e  http___yukngobrol.com_h7sfu
  140. 86c7448570c0de7abdfcaaea5fb629e33ea92243c4e29ff40e6c945d2a866d54  http___zhiyuw.com_qfbdcvrul
  141. 492331c3a61cc62aaa474ef138c3cd061c1d24c3cee4df15d94c5e31c290079b  http___zwljfc.com_ld1pvjozu
  142. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743  http___zzzort10xtest123.com_nin5k3bwo
  143. - decoded
  144. 266aac2adca47cd8c39fa190faf70e32dd1a2752eee22ada4b7fe1a0c80366e3 [1]
  145. d44ff3a846a7e5333f6c53e62225760023ffc0629f6dca2adc2256ab2d232854 [2]
  146. 4140fa2ea07aab513f2ecd8ccd99a079105ae39e3c2b0cccd225a5354a75c999 [3]
  147. 3ad4d594c184f832277dafdee24a3a3a6e8911fb58f0c2b6afdd8cf33549b59b [4]
  148. d188b1e1ad3bac313944e30b2ef8e562dced670830e443dc2057bd377494a3ab [5]
  149. - executed by "rundll32.exe %TEMP%\<filename>.ZK,S6jdvsfFR"
  150. - samples:
  151. https://www.virustotal.com/file/266aac2adca47cd8c39fa190faf70e32dd1a2752eee22ada4b7fe1a0c80366e3/analysis/1481756885/
  152. https://www.virustotal.com/file/d44ff3a846a7e5333f6c53e62225760023ffc0629f6dca2adc2256ab2d232854/analysis/1481756895/
  153. https://www.virustotal.com/file/4140fa2ea07aab513f2ecd8ccd99a079105ae39e3c2b0cccd225a5354a75c999/analysis/1481756920/
  154. https://www.virustotal.com/file/3ad4d594c184f832277dafdee24a3a3a6e8911fb58f0c2b6afdd8cf33549b59b/analysis/1481756940/
  155. https://www.virustotal.com/file/d188b1e1ad3bac313944e30b2ef8e562dced670830e443dc2057bd377494a3ab/analysis/1481756962/
  156.  
  157. C2:
  158. POST http://185.129.148.56/checkupdate
  159. POST http://185.17.120.166/checkupdate
  160. POST http://86.110.117.155/checkupdate
RAW Paste Data
Top