2016-12-21 Locky "scanned copy"

Posted by Racco42, Dec 22nd, 2016 (edited)
2016-12-21: #locky email phishing campaign "scanned copy"

Email sample:
-----------------------------------------------------------------------------------------------------------------------------
From: "concetta ashbury" <concetta.ashbury@dag.gb.com>
To: [REDACTED]
Subject: scanned copy
Date: Thu, 22 Dec 2016 12:30:54 +0530

Attachment: EPSON000000076.zip -> XAD4A9AF.vbs
-----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "scanned copy"
- email body is empty
- attached file "<HP|EPSON|CANON|BR>0000000<1-3 digits>.zip" contains a single file "<6-9 uppercase letters and digits>.vbs"
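An added detection example (not part of the original paste) that turns the traits listed above into a mail-gateway check: subject "scanned copy", empty body, the vendor-prefixed zip name, and exactly one .vbs member inside the archive. The zip is built in memory from constructed data so the check runs offline; the regexes encode the naming pattern described above and nothing more.

```python
import io
import re
import zipfile

# Naming patterns taken from the campaign description above.
ZIP_NAME_RE = re.compile(r"^(HP|EPSON|CANON|BR)0000000\d{1,3}\.zip$")
VBS_NAME_RE = re.compile(r"^[A-Z0-9]{6,9}\.vbs$")
LURE_SUBJECT = "scanned copy"


def build_sample_zip(inner_name: str,
                     payload: bytes = b"' constructed stand-in, not the real script\r\n") -> bytes:
    """Build an in-memory zip (constructed test data) laid out like the attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def zip_member_names(zip_bytes: bytes) -> list:
    """List member names without extracting anything; a corrupt zip yields no members."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def is_scanned_copy_lure(subject: str, body: str, zip_name: str, zip_bytes: bytes) -> bool:
    """True only when the message shows every observed trait of the campaign."""
    if subject.strip().lower() != LURE_SUBJECT:
        return False
    if body.strip():                      # observed body is empty
        return False
    if not ZIP_NAME_RE.match(zip_name):
        return False
    members = zip_member_names(zip_bytes)
    # exactly one member, no directory component, named like the observed script
    return (len(members) == 1
            and "/" not in members[0]
            and VBS_NAME_RE.match(members[0]) is not None)


if __name__ == "__main__":
    sample = build_sample_zip("XAD4A9AF.vbs")
    print(is_scanned_copy_lure("scanned copy", "", "EPSON000000076.zip", sample))
```

The name checks are case-sensitive on purpose: the observed script names are all uppercase, and a gateway rule that is too loose here will start flagging real scanner output from HP and Epson devices.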

Download sites:
http://023pc.cn/result
http://123good.cn/result
http://17tattoo.com/result
http://902f.com/result
http://acp-dom.ru/result
http://aguamineralsantacruz.com.br/result
http://airportrentacar.ro/result
http://allard-g.be/result
http://alsrv.ca/result
http://aqua-inter.com/result
http://aspecta-aso.net/result
http://audehd.com/result
http://axmetrix.com/result
http://bastacycling.com/result
http://benelist.cz/result
http://blackseo.ir/result
http://boyni.ru/result
http://canbal.net/result
http://cdsp.pl/result
http://cherry-pik.com/result
http://chmk.ca/result
http://cltserve.org/result
http://conor.com.mx/result
http://convergencevineyards.com/result
http://crbl-bg.net/result
http://culturepick.com/result
http://cycollierville.com/result
http://dartess.ru/result
http://delreywindows.com/result
http://demail.eu/result
http://designerdogwear.com/result
http://digital1.50webs.com/result
http://directprotectsolutions.co.uk/result
http://dobrinin.ru/result
http://drwonder.org/result
http://edit-imprimerie.com/result
http://elfrasha.com/result
http://e-vime.com/result
http://faithfull.kdm.pl/result
http://fastfine.ru/result
http://ferkilestkd.com/result
http://file-brochure.com/result
http://franjaroja.emcali.net.co/result
http://furniturlab.com/result
http://gerkar.pl/result
http://gps.50webs.com/result
http://greensys.nayana.com/result
http://gurkhaadventures.com/result
http://halogen.dp.ua/result
http://hanavanpools.com/result
http://hiltrud.probst.cx/result
http://hnzldc.com/result
http://hongikmediaplus.com/result
http://hootys.biz/result
http://htocvt.org/result
http://hzdadu.com/result
http://jira.fastfine.ru/result
http://oliverkuo.com.au/result
http://phpwind.0592yt.com/result
http://pliki-kirbyworld.50webs.com/result
http://rosenblut4u.de/result
http://shema.org.ua/result
http://www.albertproduction.se/result
http://www.bewustbv.nl/result
http://www.consurshop.com/result
http://www.cryoniq.com/result
http://www.foyerstg.pro/result
http://www.garrox.com/result
http://www.globalchristiantrust.com/result

Malware:
- as downloaded (XOR-encoded): SHA256 a406a67e5620bbe79026546e3889375497611955ff5248e9bdfef857982f26ba, MD5 a4968bc9ee57ffec4109f9cb2d63e287
- XOR decoding string: bO6Htv5FLi7KnnQThYEQbX57IV4Zt2yM
- decoded payload: SHA256 a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa, MD5 20428fa7f32b9fd93c3b8f9c9f2d259f
- executed as "rundll32.exe %TEMP%\<filename>,large"
- samples: https://www.virustotal.com/file/a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa/analysis/1482396435/
  https://www.reverse.it/sample/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68?environmentId=100
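An added worked example, not code from the paste or from the downloader itself, for the decoding step above. It assumes the "decoding (XOR) string" is applied as a repeating 32-byte XOR key over the whole download (the paste states XOR with that string; the repeating-key layout is an assumption). It also shows the trick an analyst uses when only the /result blob is in hand: because every Windows DLL starts with "MZ" and, when built with the standard DOS stub, carries the string "This program cannot be run in DOS mode." at offset 0x4E, those known bytes land on all 32 key slots and the key can be recovered without the VBS. The "DLL" here is a constructed stand-in with that header layout, not the real sample, so the hash comparison against the published decoded SHA256 is expected to fail on it.

```python
import hashlib
from itertools import cycle

# Values from the indicators above.
XOR_KEY = b"bO6Htv5FLi7KnnQThYEQbX57IV4Zt2yM"   # 32 bytes
DECODED_SHA256 = "a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa"

# Known plaintext present in any PE built with the standard DOS stub:
# "MZ" at offset 0 and this message at offset 0x4E.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_download(blob: bytes, expected_sha256: str = DECODED_SHA256):
    """Decode a /result blob; return (decoded, looks_like_pe, matches_known_sample)."""
    decoded = xor_crypt(blob)
    return decoded, decoded[:2] == b"MZ", sha256_hex(decoded) == expected_sha256


def recover_key(encoded: bytes, key_len: int = len(XOR_KEY)) -> bytes:
    """Recover a repeating XOR key of length key_len from the PE header bytes.

    With key_len == 32 the two known-plaintext regions (offsets 0-1 and 0x4E-0x74)
    cover every key slot, so the full key falls out of a single encoded download.
    Slots hit twice must agree, which also catches a wrong key length.
    """
    known = {0: b"MZ", DOS_STUB_OFFSET: DOS_STUB_MSG}
    slots = [None] * key_len
    for offset, plain in known.items():
        for i, p in enumerate(plain):
            pos = offset + i
            if pos >= len(encoded):
                break
            k = encoded[pos] ^ p
            slot = pos % key_len
            if slots[slot] is None:
                slots[slot] = k
            elif slots[slot] != k:
                raise ValueError("known plaintext disagrees at key slot %d: "
                                 "wrong key length or not a standard PE" % slot)
    if None in slots:
        raise ValueError("known plaintext does not cover every key slot")
    return bytes(slots)


def build_fake_pe(size: int = 256) -> bytes:
    """Constructed stand-in for the DLL: 64-byte MZ header, the 14-byte DOS stub
    code, then the stub message at 0x4E, zero-padded. Not the real sample."""
    header = b"MZ" + bytes(0x3E)
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    body = header + stub_code + DOS_STUB_MSG
    return body + bytes(size - len(body))


if __name__ == "__main__":
    blob = xor_crypt(build_fake_pe())          # what the /result download looks like on the wire
    decoded, is_pe, is_known = decode_download(blob)
    print(is_pe, is_known, recover_key(blob) == XOR_KEY)
```

On a real capture, run `decode_download` on the raw /result response and compare against the published decoded SHA256; if the hash does not match, `recover_key` on the same blob tells you whether the campaign rotated the key or changed the scheme entirely (the consistency check raises in the latter case).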

C2:
POST http://176.121.14.95/checkupdate
POST http://193.201.225.124/checkupdate
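An added example (not from the paste) of turning the download-site and C2 indicators into proxy-log triage. It scores a known host plus the /result path high, a POST to either C2 address on /checkupdate high, and a /result fetch from a host not on the list low, because the host list is a snapshot of compromised sites that the campaign rotates. The log lines and their "time client method url status" layout are constructed for the example, and only a handful of the listed download hosts are included in the set; the rest of the list above drops in the same way.

```python
import re
from urllib.parse import urlsplit

# Indicators from the lists above (download hosts abbreviated to a few entries).
DOWNLOAD_HOSTS = {
    "023pc.cn", "17tattoo.com", "acp-dom.ru", "jira.fastfine.ru", "www.garrox.com",
}
DOWNLOAD_PATH = "/result"
C2_HOSTS = {"176.121.14.95", "193.201.225.124"}
C2_PATH = "/checkupdate"

# Constructed proxy log lines (not real traffic) in a generic layout.
SAMPLE_LOG = """\
2016-12-22T07:05:12Z 10.0.0.23 GET http://17tattoo.com/result 200
2016-12-22T07:05:14Z 10.0.0.23 POST http://176.121.14.95/checkupdate 200
2016-12-22T07:06:01Z 10.0.0.41 GET http://not-yet-listed.example/result 200
2016-12-22T07:06:30Z 10.0.0.41 GET http://17tattoo.com/index.php 200
2016-12-22T07:07:02Z 10.0.0.52 GET http://193.201.225.124/checkupdate 404
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(method: str, url: str):
    """Return (label, confidence) for one request, or None when nothing matches."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if path == C2_PATH and host in C2_HOSTS:
        # the paste only records POSTs; any other method to the same URL is still suspicious
        return ("locky-c2-checkin", "high" if method == "POST" else "medium")
    if path == DOWNLOAD_PATH:
        if host in DOWNLOAD_HOSTS:
            return ("locky-download-site", "high")
        # exact path on an unlisted host: weak on its own, useful next to a lure email
        return ("locky-download-path-only", "low")
    return None


def triage(log_text: str):
    """Scan log lines and return (client, method, url, label, confidence) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        verdict = classify(m["method"], m["url"])
        if verdict:
            hits.append((m["client"], m["method"], m["url"]) + verdict)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Pivot on the client column: a host that fetched /result and then posted to /checkupdate within seconds, as 10.0.0.23 does in the sample, has most likely already run the DLL, and the %TEMP% file named in the rundll32 command line above is the next thing to pull from it.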