2016-12-21 Locky "scanned copy"

Racco42 Dec 22nd, 2016 (edited)
2016-12-21: #locky email phishing campaign "scanned copy"

Email samples:
-----------------------------------------------------------------------------------------------------------------------------
From: "concetta ashbury" <concetta.ashbury@dag.gb.com>
To: [REDACTED]
Subject: scanned copy
Date: Thu, 22 Dec 2016 12:30:54 +0530

Attachment: EPSON000000076.zip -> XAD4A9AF.vbs
-----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "scanned copy"
- email body is empty
- attached file "<HP|EPSON|CANON|BR>0000000<1-3 digits>.zip" contains file "<6-9 uppercase letters and digits>.vbs"

Download sites:
http://023pc.cn/result
http://123good.cn/result
http://17tattoo.com/result
http://902f.com/result
http://acp-dom.ru/result
http://aguamineralsantacruz.com.br/result
http://airportrentacar.ro/result
http://allard-g.be/result
http://alsrv.ca/result
http://aqua-inter.com/result
http://aspecta-aso.net/result
http://audehd.com/result
http://axmetrix.com/result
http://bastacycling.com/result
http://benelist.cz/result
http://blackseo.ir/result
http://boyni.ru/result
http://canbal.net/result
http://cdsp.pl/result
http://cherry-pik.com/result
http://chmk.ca/result
http://cltserve.org/result
http://conor.com.mx/result
http://convergencevineyards.com/result
http://crbl-bg.net/result
http://culturepick.com/result
http://cycollierville.com/result
http://dartess.ru/result
http://delreywindows.com/result
http://demail.eu/result
http://designerdogwear.com/result
http://digital1.50webs.com/result
http://directprotectsolutions.co.uk/result
http://dobrinin.ru/result
http://drwonder.org/result
http://edit-imprimerie.com/result
http://elfrasha.com/result
http://e-vime.com/result
http://faithfull.kdm.pl/result
http://fastfine.ru/result
http://ferkilestkd.com/result
http://file-brochure.com/result
http://franjaroja.emcali.net.co/result
http://furniturlab.com/result
http://gerkar.pl/result
http://gps.50webs.com/result
http://greensys.nayana.com/result
http://gurkhaadventures.com/result
http://halogen.dp.ua/result
http://hanavanpools.com/result
http://hiltrud.probst.cx/result
http://hnzldc.com/result
http://hongikmediaplus.com/result
http://hootys.biz/result
http://htocvt.org/result
http://hzdadu.com/result
http://jira.fastfine.ru/result
http://oliverkuo.com.au/result
http://phpwind.0592yt.com/result
http://pliki-kirbyworld.50webs.com/result
http://rosenblut4u.de/result
http://shema.org.ua/result
http://www.albertproduction.se/result
http://www.bewustbv.nl/result
http://www.consurshop.com/result
http://www.cryoniq.com/result
http://www.foyerstg.pro/result
http://www.garrox.com/result
http://www.globalchristiantrust.com/result

Malware:
- encoded on download SHA256 a406a67e5620bbe79026546e3889375497611955ff5248e9bdfef857982f26ba, MD5 a4968bc9ee57ffec4109f9cb2d63e287
- decoding (XOR) string: bO6Htv5FLi7KnnQThYEQbX57IV4Zt2yM
- decoded SHA256 a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa, MD5 20428fa7f32b9fd93c3b8f9c9f2d259f
- executed as "rundll32.exe %TEMP%\<filename>,large"
- samples https://www.virustotal.com/file/a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa/analysis/1482396435/
https://www.reverse.it/sample/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68?environmentId=100

C2:
POST http://176.121.14.95/checkupdate
POST http://193.201.225.124/checkupdate
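The indicators above translate directly into detection logic. The Python below is an added example and is not part of Racco42's paste: it encodes the attachment naming scheme, the /result download path on the listed hosts, the /checkupdate C2 endpoints and the rundll32 launch command line as checks that run over email attachment metadata, proxy log lines and process command lines. The proxy log format, the sample log lines and the assumption that process-creation logs record the loader path either literally as %TEMP%\... or expanded to a ...\Temp\ directory are my own constructions; only a subset of the download hosts is embedded.

```python
import re

# Attachment naming pattern described in the paste:
#   "<HP|EPSON|CANON|BR>0000000<1-3 digits>.zip" containing "<6-9 uppercase letters/digits>.vbs"
ZIP_NAME_RE = re.compile(r"^(?:HP|EPSON|CANON|BR)0000000\d{1,3}\.zip$")
VBS_NAME_RE = re.compile(r"^[A-Z0-9]{6,9}\.vbs$")

# Subset of the download hosts from the paste; every one serves the payload at /result.
DOWNLOAD_HOSTS = {
    "023pc.cn", "acp-dom.ru", "cherry-pik.com", "fastfine.ru",
    "jira.fastfine.ru", "www.garrox.com",
}
DOWNLOAD_PATH = "/result"

# C2 check-in endpoints from the paste, as (host, path).
C2_ENDPOINTS = {
    ("176.121.14.95", "/checkupdate"),
    ("193.201.225.124", "/checkupdate"),
}

# Loader launch described in the paste: rundll32.exe %TEMP%\<filename>,large
# Matches the literal %TEMP% form as well as an expanded ...\Temp\ path, which is
# how a process-creation log is assumed to record it (assumption, not from the paste).
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?[^\s,\"]*(?:%temp%|\\temp)\\[^\s,\"]+\"?\s*,\s*large\b",
    re.IGNORECASE,
)

# Constructed proxy log format used by this example (not from the paste):
#   <timestamp> <client-ip> <METHOD> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?")


def is_suspicious_attachment(zip_name, inner_names):
    """True when the archive name and at least one member match the campaign's naming scheme."""
    if not ZIP_NAME_RE.match(zip_name):
        return False
    return any(VBS_NAME_RE.match(name) for name in inner_names)


def is_locky_rundll32_cmdline(cmdline):
    """True for a rundll32 command line loading a DLL from the temp directory via export 'large'."""
    return RUNDLL32_RE.search(cmdline) is not None


def match_network_iocs(log_lines):
    """Return (client, method, url, reason) for each line hitting a download site or C2 endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        _ts, client, method, url, _status = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host = u.group(1).lower()
        path = u.group(2) or "/"
        if method == "GET" and host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
            hits.append((client, method, url, "locky-download-site"))
        elif method == "POST" and (host, path) in C2_ENDPOINTS:
            hits.append((client, method, url, "locky-c2-checkin"))
    return hits


# Constructed sample log: one payload download and one C2 check-in among benign traffic.
SAMPLE_LOG = [
    "2016-12-22T08:01:10Z 10.0.0.15 GET http://www.example.org/index.html 200",
    "2016-12-22T08:02:31Z 10.0.0.15 GET http://cherry-pik.com/result 200",
    "2016-12-22T08:02:32Z 10.0.0.15 GET http://cherry-pik.com/favicon.ico 404",
    "2016-12-22T08:03:05Z 10.0.0.15 POST http://176.121.14.95/checkupdate 200",
    "2016-12-22T08:03:06Z 10.0.0.22 POST http://176.121.14.95/other 200",
]

if __name__ == "__main__":
    print(is_suspicious_attachment("EPSON000000076.zip", ["XAD4A9AF.vbs"]))  # True
    for hit in match_network_iocs(SAMPLE_LOG):
        print(hit)
```

The attachment check deliberately requires both the outer archive name and a matching .vbs member, since the archive pattern alone (a scanner brand plus a counter) is also used by legitimate scan-to-email devices; the network check keys on the exact paths from the paste rather than on the hosts alone, because most of the listed sites are compromised legitimate domains whose other pages are not indicators.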