BUSHIDOTOKEN

Maersk themed LokiBot campaign

Sep 7th, 2020 (edited)
Maersk themed maldocs campaign analysis

https://www.vmray.com/analyses/929ceb063b55/report/overview.html

https://www.virustotal.com/gui/file/929ceb063b55f9465e778935e71f53af382ddb47d694437176047049fdf40b1c/detection

Exploits CVE-2017-11882 (Microsoft Equation Editor)

"Shipping Doc Maersk Kleven V949E.xlsx"

MD5 98fb49fd4ffe055f690b44e4a2453de5
MD5 e6dd0d868d1e7997c84b5b2d820fe01e
MD5 a84fca10e2e7b05975695c2165a0b877
MD5 2d52c24638feb09d76185139b3d97cd8

hxxp://wsdychinese2onlyywalkaloneinlifev24nql[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://chinese2stdyonlyywalkaloneinlifev18tfd[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://chinese2onlyywalkaloneinlifevwsdytrw15[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://chinese2onlyywalkaloneinlifevwsdy17nfa[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://stdychinese2onlyywalkaloneinlifev14fas[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://sndychinese2messiisbarcelonagoatbyhigh[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://4sndychinese2onlyywalkaloneinlifea1ptc[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://5chinese2onlyywalkaloneinlifeasndyjps[.]duckdns[.]org/chnsfrnd2/winlog.exe
hxxp://6wsdychinese2profesionalandhealthanalpn[.]duckdns[.]org/chnsfrnd2/winlog.exe

stdychinesehigncomeiscausedbythepan13tqa[.]duckdns[.]org/chnsfrnd3/winlog.exe
chinese5higncomeiscausedbythepandekjp[.]duckdns[.]org/chnsfrnd3/winlog.exe

hxxp://kung25stdycommunicationtariffsupliertyq[.]duckdns[.]org/kungdoc/winlog.exe
hxxp://kung20communicationtariffsuplierlimited[.]duckdns[.]org/kungdoc/winlog.exe
hxxp://wsdykungcommunicationtarisupliermg48fqp[.]duckdns[.]org/kungdoc/winlog.exe
hxxp://wsdykung38communicationtarisupliermgapc[.]duckdns[.]org/kungdoc/winlog.exe

kungsb2unlimitedseverfortsdy4epidemicrgb[.]duckdns[.]org/kung2doc/winlog.exe

ppkpsuresub1intercontinentalsuitishere[.]duckdns[.]org/ppks1doc/winlog.exe

WinLog.exe

MD5 70977d72b5112b1980c85ba570daaa39
MD5 fe2b2c2da5ee0185edb25136099da861
MD5 f28c78cf8ff6553163f6e3b9ae269cab
MD5 9cbce590bea6c411e7cc899b96c0e350
MD5 da3e68b01cfe78bc6e60ee22f93dd098

Relations:
wsdychinese2onlyywalkaloneinlifev24nql[.]duckdns[.]org
5chinese2profesionalandhealthanalsndymj[.]duckdns[.]org
4sndychinese2onlyywalkaloneinlifea1ptc[.]duckdns[.]org

wsdykungcommunicationtarisupliermg48fqp[.]duckdns[.]org
kungcommunicationstdytarisupliermg47alp[.]duckdns[.]org
kungwsdycommunicationtarisupliermg43rax[.]duckdns[.]org
stdykungcommunicationtarisupliermg42ytw[.]duckdns[.]org
kungwsdycommunicationtarisupliermg41ghd[.]duckdns[.]org
wsdykung38communicationtarisupliermgapc[.]duckdns[.]org
wsdykung37communicationtarisupliermgcxa[.]duckdns[.]org
kungsndycommunicationtarisupliermg36sdw[.]duckdns[.]org
kung34communicationtarisupliermgpmnwsdy[.]duckdns[.]org
kung33communicationtarisupliermgsndykqm[.]duckdns[.]org
wsdykungcommunicationtarisupliermg32uti[.]duckdns[.]org
31kungcommunicationtaristdysupliermgjky[.]duckdns[.]org
kungwsdycommunicationtariffsuplier30mgh[.]duckdns[.]org
sndykung29communicationtariffsupliergfd[.]duckdns[.]org
kungsndycommunicationtariffsuplier27abj[.]duckdns[.]org
kung26wsdycommunicationtariffsuplierqqw[.]duckdns[.]org
kung25stdycommunicationtariffsupliertyq[.]duckdns[.]org
stdykungcommunicationtariffsuplierliv23[.]duckdns[.]org
22kungcommunicationtariffsuplierlimthdy[.]duckdns[.]org
kung21communicationtariffsuplierlimibvd[.]duckdns[.]org
kung20communicationtariffsuplierlimited[.]duckdns[.]org

b2bseller[.]ga
hxxp://b2bseller[.]ga/choolee/gate.php

joovy[.]ga
hxxp://joovy[.]ga/choolee/gate.php

103.140.251.164
103.140.251.213
5.53.124.203
5.101.51.207

80.249.146.179
parisgranhotels[.]ga
joovy[.]ga
coltec[.]ga
remzclot[.]ga

Rock-firm Purchase Order 260820.xlsx
Rock-firm PO250820.xlsx
Maldoc - https://app.any.run/tasks/7da52eaf-4f65-43ba-9e2c-0e7cd7d876eb/

MD5 08132e5d7f19a2b1dc65fb76ab767c60
MD5 3d7efd2ee8f58af4d28036e7b8164752

Exploits CVE-2017-11882

BH_Technology_Purchase_Order_1625121.xlsx
Exploits CVE-2017-11882
https://www.virustotal.com/gui/file/01e1a260de22c52c508b28eedf32aca8ed9f45e5570e4e1419d234bb08f596fb/details

MD5 a3fa4c2083e0714e2cb9617a5f1d5ae8