Racco42

2016-11-03 Locky "Urgent payment request"

Nov 3rd, 2016
2016-11-03: #locky email phishing campaign "!! Urgent payment request"

Email sample:
----------------------------------------------------------------------------------------------------------
From: terri.stanley@faroldovale.com
To: [REDACTED]
Subject: !! Urgent payment request
Date: Thu, 03 Nov 2016 18:06:03 +0800

TERRI STANLEY

Telefon: +49 5055 / 51-8502
Fax: +49 5055 / 5166-8502
E-Mail: terri.stanley@faroldovale.com

Attachment: "2620800243-8943568474-201611180603-0680.zip"
----------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Urgent payment request" prefixed with 1-3 "!" and a space
- attached file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contains the file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", a JScript downloader

Download sites (actual URLs contain the suffix ?<random>=<random>, which does not influence the download):

Malware
- as downloaded (encoded): SHA256 2d3bdad21984a3fb3a38d7b0ae6194d698333e6254a423ea724921ef7367ccb6, MD5 0dde5161009954ee77c9f12e693bc91c
- decoded: SHA256 0e6bd3de7ac49ff4438a592892e0bb8da9596be4ed8328459c239c6f3b4dec86, MD5 21a782f9b1089fe169279d5a56aa6719
- executed via "rundll32.exe <dll_name>,text"

C2 (POST to /message.php):
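As an added example (not part of the paste), a defender-side triage check in Python for the patterns noted above: the subject prefix, the zip/js attachment naming scheme, and the shared /jhb6576 download path. The sample message, its example.invalid addresses and the placeholder .js inside the zip are constructed here, and the function names are my own.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Patterns from the campaign notes: subject "Urgent payment request" prefixed with 1-3 "!" and a
# space; a "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" holding a .js with the same stem.
SUBJECT_RE = re.compile(r"^!{1,3} Urgent payment request$")
STEM = r"\d{10}-\d{10}-201611\d{6}-\d{4}"
ZIP_RE = re.compile(rf"^{STEM}\.zip$")
JS_RE = re.compile(rf"^{STEM}\.js$")

def is_downloader_url(url: str) -> bool:
    """True for the download-site shape http://<host>/jhb6576, with or without the ?x=y suffix."""
    u = urlparse(url)
    return u.scheme == "http" and bool(u.netloc) and u.path == "/jhb6576"

def triage_message(raw: bytes) -> dict:
    """Flag a raw RFC 822 message whose subject and zip/js attachment match the campaign pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": bool(SUBJECT_RE.match(str(msg.get("Subject", "")))),
              "zip_name": False, "js_inside": False}
    for part in msg.iter_attachments():
        if not ZIP_RE.match(part.get_filename() or ""):
            continue
        result["zip_name"] = True
        try:  # only the archive listing is inspected; nothing inside is extracted or run
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                result["js_inside"] = any(JS_RE.match(n) for n in zf.namelist())
        except zipfile.BadZipFile:
            pass
    result["suspicious"] = all((result["subject"], result["zip_name"], result["js_inside"]))
    return result

def build_sample_message() -> bytes:
    """Constructed sample shaped like the campaign mail; the .js is an inert placeholder."""
    stem = "2620800243-8943568474-201611180603-0680"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{stem}.js", "// placeholder, not the downloader\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "victim@example.invalid"
    msg["Subject"] = "!! Urgent payment request"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=f"{stem}.zip")
    return msg.as_bytes()
```

Inspecting only the archive listing keeps the check cheap enough for a mail gateway; a hit is a reason to quarantine the message and to look for requests to /jhb6576 in proxy logs.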