Racco42

2016-11-08 Locky "Your Amazon order has dispatched"

Nov 9th, 2016
2016-11-08 #locky email phishing campaign "Your Amazon order has dispatched"
- the downloaders, URLs and malware are the same as in the "Fax transmission" campaign: http://pastebin.com/Uzmft3Lp

Email sample (body shown with the quoted-printable soft line breaks decoded):
---------------------------------------------------------------------------------------------------
From: "Amazon Inc" <auto-shipping21@amazon.com>
To: [REDACTED]
Subject: [SUSPICIOUS MESSAGE] Your Amazon.com order has dispatched (#927-6424906-7525554)
Date: Tue, 8 Nov 2016 23:57:54 +0100 (CET)

Dear Customer,

Greetings from Amazon.com,

We are writing to let you know that the following item has been sent using Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.com/your-account

Your order #927-6424906-7525554 (received November 8, 2016)


Your right to cancel:
At Amazon.com we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.com/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.com/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.com customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.com/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.com/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.com

-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attachment: ORDER-927-6424906-7525554.zip
---------------------------------------------------------------------------------------------------
- sender display name is "Amazon Inc" or "Amazon.com", address autoshipping<digits>@amazon.com (the sample above uses auto-shipping21@amazon.com, with a hyphen)
- subject is "Your Amazon.com order has dispatched (#<3 digits>-<7 digits>-<7 digits>)"; the "[SUSPICIOUS MESSAGE]" prefix in the sample is not part of the lure, and the same order number is reused in the body and in the attachment name
- attached file "ORDER-<3 digits>-<7 digits>-<7 digits>.zip" contains a file "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", a JScript downloader that fetches the payload from the download sites listed below
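
The lure patterns above, turned into a check that runs over the sample's headers and a constructed attachment. This is an added example, not part of the original paste: the regexes are my rendering of the digit-count descriptions (assuming the counts are exact), the sender pattern accepts both the "auto-shipping" form in the sample and the "autoshipping" form in the summary, and the ZIP and its member are built in memory as placeholders, not the real downloader.

```python
import io
import re
import zipfile
from email.utils import parseaddr

# Lure patterns from the campaign notes. Assumption: the author's digit counts
# ("<3 digits>-<7 digits>-<7 digits>", etc.) are exact.
ORDER_ID = r"\d{3}-\d{7}-\d{7}"
SENDER_NAMES = {"Amazon Inc", "Amazon.com"}
# Accepts "auto-shipping21@" (the sample) and "autoshipping<digits>@" (the summary).
SENDER_ADDR_RE = re.compile(r"auto-?shipping\d+@amazon\.com", re.I)
SUBJECT_RE = re.compile(r"Your Amazon\.com order has dispatched \(#" + ORDER_ID + r"\)")
ZIP_NAME_RE = re.compile(r"ORDER-" + ORDER_ID + r"\.zip", re.I)
JS_NAME_RE = re.compile(r"F-\d{10}-\d{10}-201611\d{6}-\d{4}\.js", re.I)


def zip_members_matching(zip_bytes, pattern):
    """Names of ZIP members (basename only) whose name fully matches `pattern`.
    Returns [] when the bytes are not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if pattern.fullmatch(n.rsplit("/", 1)[-1])]
    except zipfile.BadZipFile:
        return []


def lure_indicators(from_header, subject, attachment_name, attachment_bytes):
    """Return the campaign indicators a message triggers, in a fixed order."""
    hits = []
    name, addr = parseaddr(from_header)
    if name in SENDER_NAMES and SENDER_ADDR_RE.fullmatch(addr):
        hits.append("sender")
    # search, not fullmatch: the sample's subject carries a leading
    # "[SUSPICIOUS MESSAGE]" tag that is not part of the pattern.
    if SUBJECT_RE.search(subject):
        hits.append("subject")
    if ZIP_NAME_RE.fullmatch(attachment_name):
        hits.append("zip_name")
    if zip_members_matching(attachment_bytes, JS_NAME_RE):
        hits.append("js_in_zip")
    return hits


def make_zip(member_name):
    """Build a ZIP in memory holding one placeholder member (constructed test
    data, not the actual JScript downloader)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// placeholder, not the real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Header values copied from the sample above; the attachment is constructed.
    print("sample:", lure_indicators(
        '"Amazon Inc" <auto-shipping21@amazon.com>',
        "[SUSPICIOUS MESSAGE] Your Amazon.com order has dispatched (#927-6424906-7525554)",
        "ORDER-927-6424906-7525554.zip",
        make_zip("F-1234567890-0987654321-201611081234-0001.js"),
    ))
    print("benign:", lure_indicators('"Alice" <alice@example.com>', "Lunch?",
                                     "notes.zip", make_zip("notes.txt")))
```

Treat a single hit as weak (a legitimate Amazon message would match the subject shape too); the combination of a lookalike sender, the order-number subject and a ZIP wrapping a .js with this naming scheme is what distinguishes the campaign.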

Download sites (the live URLs carry a ?<random>=<random> query string, which does not affect the download, so match on host and path):
http://chewysissy.net/7845gf
http://gadgetdealz.net/7845gf
http://heatsavingsystems.com/7845gf
http://helpcomm.com/7845gf
http://hnzhengzhou.com/7845gf
http://hud3.net/7845gf
http://hunt-magazine.com/7845gf
http://hz9m.com/7845gf
http://immobilienbegleitung.de/7845gf
http://i-solutions.cz/7845gf
http://ivocal.fr/7845gf
http://jgtour.wz.cz/7845gf
http://jlxzy.net/7845gf
http://jrockish.bravepages.com/7845gf
http://karacanalbum.com/7845gf
http://kleansys.com/7845gf
http://kolumbia.free.bg/7845gf
http://kurdinfo.ru/7845gf
http://markscheffel.de/7845gf
http://masterimob.ro/7845gf
http://matemshkola.ru/7845gf
http://mavicicek.com/7845gf
http://meshok.com.ua/7845gf
http://mokinukai.lt/7845gf
http://monkey-drum.com/7845gf
http://musicrecruiting.com/7845gf
http://myhtar.ru/7845gf
http://myxos.be/7845gf
http://teazexebec.com/7845gf

Malware:
- as downloaded (encoded): SHA256 b5164a2f4ea1c7a2d338f47b7b391cfda6f8be6a7a2e3e3d9fc070dda863fdc5, MD5 d2888f6c40e32714a65f23df32a6930d
- decoded payload: SHA256 57a0f81246a70462028c1adf1b5d8f02580845084e12a5edf3652bb2d9b2077d, MD5 ad6fb318002df4ffc80795cc31d529b4
- the decoded payload is a DLL, executed with "rundll32.exe %Temp%\<dll_name>,nipple" (i.e. via its export named nipple)

C2:
POST http://85.143.212.23/message.php
POST http://158.69.223.5/message.php
POST http://qyxrdhfuufn.biz/message.php
POST http://npgmteapwbncfch.xyz/message.php
POST http://gfytvimwwi.pl/message.php
POST http://xuotcothbuhat.pw/message.php
POST http://lanubxgujiclwvbvw.work/message.php
POST http://xuotcothbuhat.pw/message.php
POST http://rktjbvxjbihrqdlvh.info/message.php
POST http://xuotcothbuhat.pw/message.php
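
The download URLs, the C2 beacons and the rundll32 command line above, as matching logic over a constructed proxy log and process command lines. This is an added example and not part of the original paste: the proxy log lines and command lines are constructed, the log layout (timestamp, method, URL, status) is assumed, and the rundll32 rule assumes %Temp% expands to a path containing "\Temp\" (the notes give neither the DLL name nor its extension, so the rule requires neither).

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the notes above. Matching is on host + path only,
# because the live download URLs carry a ?<random>=<random> query string.
DOWNLOAD_PATH = "/7845gf"
DOWNLOAD_HOSTS = {
    "chewysissy.net", "gadgetdealz.net", "heatsavingsystems.com", "helpcomm.com",
    "hnzhengzhou.com", "hud3.net", "hunt-magazine.com", "hz9m.com",
    "immobilienbegleitung.de", "i-solutions.cz", "ivocal.fr", "jgtour.wz.cz",
    "jlxzy.net", "jrockish.bravepages.com", "karacanalbum.com", "kleansys.com",
    "kolumbia.free.bg", "kurdinfo.ru", "markscheffel.de", "masterimob.ro",
    "matemshkola.ru", "mavicicek.com", "meshok.com.ua", "mokinukai.lt",
    "monkey-drum.com", "musicrecruiting.com", "myhtar.ru", "myxos.be",
    "teazexebec.com",
}
C2_PATH = "/message.php"
C2_HOSTS = {
    "85.143.212.23", "158.69.223.5", "qyxrdhfuufn.biz", "npgmteapwbncfch.xyz",
    "gfytvimwwi.pl", "xuotcothbuhat.pw", "lanubxgujiclwvbvw.work",
    "rktjbvxjbihrqdlvh.info",
}

# rundll32 loading a module from the temp directory with the export "nipple".
# Assumption: %Temp% expands to a path containing "\Temp\". DLL name and
# extension are not given in the notes, so they are not required here.
RUNDLL32_NIPPLE_RE = re.compile(
    r'\brundll32(?:\.exe)?\s+"?([^",]*\\temp\\[^",]+)"?\s*,\s*nipple\b', re.I)


def normalize(url):
    """(host, path) with query string and fragment dropped; host lower-cased."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def classify_request(method, url):
    """'locky-downloader-fetch', 'locky-c2-beacon', or None."""
    host, path = normalize(url)
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return "locky-downloader-fetch"
    if method.upper() == "POST" and host in C2_HOSTS and path == C2_PATH:
        return "locky-c2-beacon"
    return None


def scan_proxy_log(text):
    """Run classify_request over lines shaped '<ts> <method> <url> <status>'
    (an assumed layout) and return (ts, verdict, host) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, method, url = fields[0], fields[1], fields[2]
        verdict = classify_request(method, url)
        if verdict:
            hits.append((ts, verdict, normalize(url)[0]))
    return hits


def rundll32_nipple_export(command_line):
    """True if a process command line matches rundll32 <temp path>,nipple."""
    return RUNDLL32_NIPPLE_RE.search(command_line) is not None


# Constructed proxy log (not real traffic): one fetch with the random query
# string, two C2 posts, and benign requests that share only a host or only a
# path with an indicator.
PROXY_LOG = """\
2016-11-08T23:58:10Z GET http://hud3.net/7845gf?kd83=2ja9s 200
2016-11-08T23:58:11Z GET http://www.amazon.com/your-account 200
2016-11-08T23:58:40Z POST http://85.143.212.23/message.php 200
2016-11-08T23:58:41Z POST http://xuotcothbuhat.pw/message.php 200
2016-11-08T23:59:02Z POST http://example.com/message.php 200
2016-11-08T23:59:05Z GET http://hud3.net/index.html 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(*hit)
    print(rundll32_nipple_export(
        r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd1234.dll,nipple"))
```

The C2 hosts include bare IP addresses; urlsplit's hostname handles those the same way as domains, so one set covers both. The rundll32 rule is the more durable of the two, since the download and C2 infrastructure rotates while the loader's export name is a property of the sample.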