2016-12-05 Locky "05122016xxxxxx"

Racco42, Dec 5th, 2016
2016-12-05 Locky email phishing campaign "05122016xxxxxxxx"

Sample email:
----------------------------------------------------------------------------------------------------------------------
From: Socorro wearing <Socorro.wearing181@in-master.ru>
To: [REDACTED]
Subject: 051220160723551593
Date: Mon, 05 Dec 2016 07:23:55 +0430

Attachment: 051220160723551593.zip -> 201612042153174772571709.vbs
----------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "<04 or 05>122016<random digits>"
- email body is empty
- attached file "<04 or 05>122016<random digits>.zip" (same name as the subject) contains "201612<04 or 05><15 or 16 digits>.vbs", a VBScript downloader
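
The naming conventions above are regular enough to turn into a mail-gateway or SIEM check. The following is an added example (not part of Racco42's paste) that encodes the three conventions as regexes and scores a message on subject, attachment name and archive contents; the sample messages are constructed here, with the first one taken from the sample email above, and the "empty body" signal is reported but not required for a match, since the paste does not say whether that holds for every message.

```python
import re
from dataclasses import dataclass, field

# Campaign naming conventions as described in the paste:
#   subject:   <04|05>122016<random digits>
#   zip:       same as the subject, plus ".zip"
#   inner vbs: 201612<04|05><15 or 16 digits>.vbs
SUBJECT_RE = re.compile(r"^(0[45])122016(\d+)$")
ZIP_RE = re.compile(r"^(0[45])122016(\d+)\.zip$", re.IGNORECASE)
INNER_VBS_RE = re.compile(r"^201612(0[45])(\d{15,16})\.vbs$", re.IGNORECASE)


@dataclass
class Verdict:
    match: bool                      # True when all three naming rules hold
    reasons: list = field(default_factory=list)


def check_message(subject: str, body: str, zip_name: str, inner_names: list) -> Verdict:
    """Score one message against the campaign's naming conventions.

    A full match requires the subject, the zip name and at least one file
    inside the archive to follow the pattern; weaker signals (attachment stem
    equal to subject, empty body) are reported so an analyst can tune rules.
    """
    reasons = []
    subj = SUBJECT_RE.match(subject.strip())
    if subj:
        reasons.append("subject matches <04|05>122016<digits>")
    zipm = ZIP_RE.match(zip_name.strip())
    if zipm:
        reasons.append("attachment matches <04|05>122016<digits>.zip")
    if subj and zipm and zip_name.strip().lower() == subject.strip().lower() + ".zip":
        reasons.append("attachment stem equals subject")
    vbs = [n for n in inner_names if INNER_VBS_RE.match(n.strip())]
    if vbs:
        reasons.append("archive contains 201612<04|05><15-16 digits>.vbs: " + vbs[0])
    if not body.strip():
        reasons.append("empty body")
    return Verdict(bool(subj and zipm and vbs), reasons)


# Constructed test messages: (subject, body, zip name, names inside the zip).
# The first one reproduces the sample email from the paste.
SAMPLE_MESSAGES = [
    ("051220160723551593", "", "051220160723551593.zip",
     ["201612042153174772571709.vbs"]),
    ("Invoice 051220160723551593", "Please find attached.", "invoice.zip",
     ["invoice.pdf"]),
    # Right subject/zip shape, but the inner name is too short to fit the pattern.
    ("041220161234567890", "", "041220161234567890.zip",
     ["20161204123456789012.vbs"]),
]


def scan(messages):
    """Return the verdicts of all messages that fully match the campaign."""
    return [check_message(*m) for m in messages if check_message(*m).match]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = check_message(*m)
        print(m[0], "->", "MATCH" if v.match else "no match", v.reasons)
```

The archive listing is the strongest signal: a random 18-digit subject alone will also match innocent automated mail, so a production rule should require the `.vbs` name pattern (or simply quarantine any zip carrying a `.vbs`).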

Download sites:
http://admin3.rtaf.mi.th/8765r
http://buhoutserts.ru/8765r
http://chanet.jp/8765r
http://guardian-angels-diva.de/8765r
http://haibeiwuliu.com/8765r
http://hzxihe.com/8765r
http://linghangcj.com/8765r
http://markettv.ro/8765r
http://maycongtrinhduylong.com/8765r
http://natashacollis.com/8765r
http://ruifengweb.com/8765r
http://rulebraker.ru/8765r
http://szwanrong.com/8765r
http://temai1.com/8765r
http://travelinsider.com.au/8765r
http://tx318.com/8765r
http://ucbus.net/8765r
http://u-niwon.com/8765r
http://valuationssa.com.au/8765r
http://vipseal.de/8765r
http://viscarci.com/8765r
http://wdcd999.com/8765r
http://wiky.net/8765r
http://windshieldrepairvancouver.ca/8765r
http://wiselysoft.com/8765r
http://wishingwellhosting.com.au/8765r
http://wszystkodokuchni.pl/8765r
http://wudiai.com/8765r
http://xlr8services.com/8765r
http://xn--pasaer-spb.pl/8765r
http://youspeak.pt/8765r
http://zhiyuw.com/8765r
http://zwljfc.com/8765r

Malware:
- payload is downloaded in encoded form: SHA256 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e, MD5 529789f27eb971ff822989a5247474ce
- decoded payload: SHA256 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf, MD5 5edfc64e72dd2b591a2aa6549353beba
- executed with "rundll32.exe %TEMP%\<filename>.343,mix"

C2:
POST http://195.19.192.99/information.cgi
POST http://91.142.90.61/information.cgi
POST http://eabfhwl.ru/information.cgi
POST http://olyedawaki.pl/information.cgi
POST http://owvtbqledaraqq.su/information.cgi
POST http://qtuanjdpx.info/information.cgi
POST http://uwiyklntlxpxj.work/information.cgi
POST http://uxwfukfqxhydqawmf.su/information.cgi
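
The download URLs, the C2 URLs and the rundll32 command line can be matched from proxy and process-creation logs. This is an added example (not code from the paste) that loads the hosts listed above as indicators and also matches on the shared URI paths alone, "/8765r" for the payload and a POST to "/information.cgi" for C2, so that hosts not yet on the list still surface; the path-only matching is my generalization of the eight C2 URLs and 33 download URLs, and the log lines below are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Network indicators as listed in the paste.
DOWNLOAD_HOSTS = {
    "admin3.rtaf.mi.th", "buhoutserts.ru", "chanet.jp", "guardian-angels-diva.de",
    "haibeiwuliu.com", "hzxihe.com", "linghangcj.com", "markettv.ro",
    "maycongtrinhduylong.com", "natashacollis.com", "ruifengweb.com", "rulebraker.ru",
    "szwanrong.com", "temai1.com", "travelinsider.com.au", "tx318.com", "ucbus.net",
    "u-niwon.com", "valuationssa.com.au", "vipseal.de", "viscarci.com", "wdcd999.com",
    "wiky.net", "windshieldrepairvancouver.ca", "wiselysoft.com",
    "wishingwellhosting.com.au", "wszystkodokuchni.pl", "wudiai.com", "xlr8services.com",
    "xn--pasaer-spb.pl", "youspeak.pt", "zhiyuw.com", "zwljfc.com",
}
C2_HOSTS = {
    "195.19.192.99", "91.142.90.61", "eabfhwl.ru", "olyedawaki.pl",
    "owvtbqledaraqq.su", "qtuanjdpx.info", "uwiyklntlxpxj.work", "uxwfukfqxhydqawmf.su",
}
DOWNLOAD_PATH = "/8765r"          # shared by every download URL in the paste
C2_PATH = "/information.cgi"      # shared by every C2 URL in the paste

# Host indicator from the paste: rundll32.exe %TEMP%\<filename>.343,mix
# Allows an optional quoted path and whitespace around the comma.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\.343"?\s*,\s*mix\b', re.IGNORECASE)
TEMP_RE = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def classify_url(method, url):
    """Return (label, strength) for a request, or None if it is not an indicator.

    Attacker-controlled C2 hosts are flagged on any request. The download hosts
    are compromised legitimate sites, so they are only flagged together with the
    payload path to avoid alerting on normal traffic to them.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return ("locky-c2", "known-host")
    if method.upper() == "POST" and parts.path == C2_PATH:
        return ("locky-c2", "path-only")
    if parts.path == DOWNLOAD_PATH:
        return ("locky-download", "known-host" if host in DOWNLOAD_HOSTS else "path-only")
    return None


def classify_cmdline(cmdline):
    """Return the reasons a process command line looks like the Locky loader."""
    reasons = []
    if RUNDLL_RE.search(cmdline):
        reasons.append("rundll32 loading a .343 file with export 'mix'")
        if TEMP_RE.search(cmdline):
            reasons.append("module loaded from a temp directory")
    return reasons


# Constructed log samples: "METHOD URL" proxy lines and process command lines.
PROXY_LOG = [
    "GET http://chanet.jp/8765r",
    "POST http://olyedawaki.pl/information.cgi",
    "POST http://10.0.0.5/information.cgi",
    "GET http://www.example.com/index.html",
]
PROCESS_LOG = [
    r"C:\Windows\System32\rundll32.exe C:\Users\bob\AppData\Local\Temp\xh4kq.343,mix",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]


def scan_proxy(lines):
    hits = []
    for line in lines:
        method, url = line.split(" ", 1)
        verdict = classify_url(method, url)
        if verdict:
            hits.append((line, verdict))
    return hits


def scan_processes(lines):
    return [(line, classify_cmdline(line)) for line in lines if classify_cmdline(line)]


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_processes(PROCESS_LOG):
        print(hit)
```

The "path-only" hits are the ones worth keeping after the listed hosts go dark: the numeric-extension module handed to rundll32 with a short export name, and the POST to information.cgi, outlive any single host list.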