2016-09-12 #locky email phishing campaign "Please find attached invoice no xxxxx"
Email sample:
---------------------------------------------------------------------------------------------
From: <document@kingdomhomesrealty.com>
To: [REDACTED]
Subject: Please find attached invoice no: 1636918
Date: Mon, 12 Sep 2016 15:12:40 +0530
Attached is a Print Manager form.
Format =3D Portable Document Format File (PDF)
________________________________
Disclaimer
This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
Attachment: pm4B0A43B7.zip
---------------------------------------------------------------------------------------------
- Sender address is "document@<random domain>"
- Subject is "Please find attached invoice no: <random number>"
- Attachment name "pm<random hex chars>.zip" contains the file "<random chars>.wsf", a JScript downloader
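As an added defender-side example (not part of the original paste), the lure traits listed above and the note that the download URLs only differ by a throwaway query string are turned into simple triage logic run over constructed message records; the record layout, the sample host names and the inner .wsf file name are assumptions, while the sender domain, subject, zip name and download paths come from the paste:

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Lure traits from the notes above: sender "document@<random domain>",
# subject "Please find attached invoice no: <number>", attachment
# "pm<random hex>.zip" wrapping a ".wsf" JScript downloader.
SENDER_RE = re.compile(r"^document@[\w.-]+$", re.I)
SUBJECT_RE = re.compile(r"^Please find attached invoice no:?\s*\d+$", re.I)
ZIP_RE = re.compile(r"^pm[0-9a-f]+\.zip$", re.I)
# Download paths taken from the paste's list; hosts vary and the
# trailing ?<random>=<random> query is noise.
KNOWN_PATHS = {"/8fh34f3", "/7g6bubt7v"}

def match_locky_lure(msg):
    """Return the lure traits found in one message record.
    msg: {'from': str, 'subject': str, 'attachments': {name: [inner names]}}
    (assumed record layout, not a real mail-gateway API)."""
    hits = []
    if SENDER_RE.match(msg.get("from", "")):
        hits.append("sender")
    if SUBJECT_RE.match(msg.get("subject", "")):
        hits.append("subject")
    for name, inner in msg.get("attachments", {}).items():
        if ZIP_RE.match(name):
            hits.append("zipname")
        if any(n.lower().endswith(".wsf") for n in inner):
            hits.append("wsf-in-zip")
    return hits

def normalize_payload_url(url):
    """Drop the query/fragment and lower-case scheme and host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))

def is_known_download(url):
    """True when the normalized URL path is one of the campaign paths."""
    return urlsplit(normalize_payload_url(url)).path in KNOWN_PATHS

# Constructed sample records: the first mirrors the email sample above
# (inner .wsf name made up), the second is a benign invoice mail.
SAMPLES = [
    {"from": "document@kingdomhomesrealty.com",
     "subject": "Please find attached invoice no: 1636918",
     "attachments": {"pm4B0A43B7.zip": ["k3q9x.wsf"]}},
    {"from": "billing@example.invalid",
     "subject": "Your invoice 42 is attached",
     "attachments": {"invoice42.pdf": []}},
]
```

The more of the four traits that fire on one message, the stronger the match; a single trait (for instance the subject alone) is not enough to block on.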
Download sites (actual URLs carry a suffix ?<random>=<random>, which does not affect the download):
Malware:
- encoded on download, SHA256 9aab0aad08ec9b196179bb1b194d37760799d08e089c388f6fb65df9b89a7b97, filesize 81920 bytes
- decoded SHA256 1e278e78a4261ebd65d2fc9b2d477bb8c19e15a22aea669947b531859cd12216
https://www.reverse.it/sample/69bbca6819987f751269dec8b8019a04e63c0d59cdc3c9c344cff0d8a0313835?environmentId=100
https://www.reverse.it/sample/151a35b7e546a56a717bf11c48ee19b705ef035d55e7444056d617b7f52ae928?environmentId=100
https://www.reverse.it/sample/9fc210ac919ba861819cb45f14f2ba5c58dc624d01ff2fb1a63de91d26ada074?environmentId=100
https://www.reverse.it/sample/063c0da1b3f06e1c6714ac94b782f1b7e82189ebea42e33cf9d753cb53959bfe?environmentId=100
Locky itself seems to be downloaded from http://shagunproperty.com/1.dll
https://www.reverse.it/sample/89e156f42cd465a1af2d927aa59a0d65789b2321ae1a45a0485801a6535a9fe7?environmentId=100