2016-08-31 #locky email phishing campaign "jhBHTYl" / "Fax, Image, IMG, my photo, Photo, photos"
Email sample
- email body is empty
- sender varies from email to email, but its domain is spoofed to match the recipient's
- subject is one of: Fax, Image, IMG, my photo, Photo, photos
- attached file "IMG_31082016_[random number].zip" contains file "[random chars].wsf" containing a JScript downloader
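A mail-gateway check for the lure traits listed above, added here as a defender's example and not taken from the original paste: it parses one message and reports which of the traits match. The sample message, its addresses and the corp.example domain are constructed; the subject set and the attachment name pattern come from the description.

```python
import re
from email import message_from_string

# Traits from the campaign description: subject set, attachment name pattern
# (IMG_31082016_[random number].zip), sender domain equal to recipient's, empty body.
SUBJECTS = {"fax", "image", "img", "my photo", "photo", "photos"}
ATTACHMENT_RE = re.compile(r"^IMG_\d{8}_\d+\.zip$", re.IGNORECASE)

def _domain(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@corp.example>'."""
    return addr.rsplit("@", 1)[-1].strip("> \r\n").lower() if "@" in addr else ""

def campaign_indicators(raw: str) -> list:
    """Return the traits of one RFC 822 message that match the lure; all four
    together are a strong match for the wave described above."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    sd, rd = _domain(msg.get("From", "")), _domain(msg.get("To", ""))
    if sd and sd == rd:
        hits.append("spoofed_sender_domain")
    body, names = "", []
    for part in msg.walk():  # visits the container and every MIME part
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode(errors="replace")
    if not body.strip():
        hits.append("empty_body")
    if any(ATTACHMENT_RE.match(n) for n in names):
        hits.append("attachment_name")
    return hits

# Constructed sample mirroring the description (not a real capture).
SAMPLE = """From: <jane@corp.example>
To: <bob@corp.example>
Subject: Photo
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Disposition: attachment; filename="IMG_31082016_5163.zip"

(zip bytes omitted in this constructed sample)
--b1--
"""
```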
Download sites (actual URLs have a suffix ?<random>=<random>, but it has no influence on the download):
Malware
- encoded on download: SHA256 5b9d7be09884e65c9e9484fe87bd9511b1cdeb831063abff4e37df1dc14f393a, filesize 200704
- decoded: SHA256 9e814af0b41ef947c8822799d3bd37929c28c92d3562b8e4eda4cb2240986b98
C2:
- 188.127.249.32:80/data/info.php
- 95.85.19.195:80/data/info.php
- 91.223.180.66:80/data/info.php (cufrmjsomasgdciq.pw)