Racco42

2016-11-04 Locky "Please find attached invoice"

Nov 4th, 2016
2016-11-04: #locky email phishing campaign "Please find attached invoice no: xxxxx"

Sample email:
----------------------------------------------------------------------------------------------------------------
From: <document@[REDACTED]>
To: [REDACTED]
Subject: Please find attached invoice no: 055967
Date: Fri, 04 Nov 2016 17:15:09 +0200


Attached is a Print Manager form.
Format Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

Attachment: "1B262d.zip"
----------------------------------------------------------------------------------------------------------------
- sender email address is <document@[recipient's domain]>, i.e. spoofed to look like an internal sender
- subject is "Please find attached invoice no: <number>"
- attached file "<random chars>.zip" contains the file "<random chars>.wsf", a JScript downloader

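Mail-gateway triage for the three indicators above (spoofed internal "document@" sender, the invoice subject, a .zip that carries a .wsf). This is an added example written for this page, not code from the original paste; the sample message it builds is constructed to match the observed headers and carries a placeholder .wsf, not the real downloader, and the example.com addresses are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators from the campaign notes above.
SUBJECT_RE = re.compile(r"^Please find attached invoice no: \d+$")
SENDER_LOCALPART = "document"


def build_sample_message() -> bytes:
    """Constructed lookalike of the observed mail (not a real capture): spoofed
    internal sender, the invoice subject, and a .zip carrying a .wsf file."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Placeholder script body; the real downloader is not reproduced here.
        zf.writestr("1B262d.wsf", "<job><script language='JScript'></script></job>")
    msg = EmailMessage()
    msg["From"] = "document@example.com"  # recipient's own domain, as observed
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Please find attached invoice no: 055967"
    msg.set_content("Attached is a Print Manager form.\n"
                    "Format Portable Document Format File (PDF)\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="1B262d.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Check one raw RFC 5322 message against the three campaign indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    s_local, _, s_domain = parseaddr(str(msg.get("From", "")))[1].partition("@")
    r_domain = parseaddr(str(msg.get("To", "")))[1].partition("@")[2]
    hits = {
        # "document@<recipient's domain>": a sender spoofed to look internal
        "spoofed_internal_sender": (s_local.lower() == SENDER_LOCALPART
                                    and bool(s_domain)
                                    and s_domain.lower() == r_domain.lower()),
        "subject_pattern": bool(SUBJECT_RE.match(str(msg.get("Subject", "")))),
        "zip_with_wsf": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                # Look inside the archive rather than trusting its name:
                # the lure is the .wsf, whatever the .zip is called.
                if any(n.lower().endswith(".wsf") for n in zf.namelist()):
                    hits["zip_with_wsf"] = True
        except zipfile.BadZipFile:
            pass  # a corrupt or non-zip attachment is not this campaign
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits
```

The sender check keys on the local part and on the sender domain equalling the recipient domain, which is what makes the lure look internal; on a gateway that already enforces SPF/DMARC for its own domain, that single indicator should be enough to quarantine, and the other two are there for mailboxes where it is not.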
Download sites (the actual URLs carry a ?<random>=<random> query string, which does not affect the download):
http://aeonmacon.net/5g4f3
http://aeropress.com/5g4f3
http://arxaggelos.com/5g4f3
http://casaxavier.com.mx/5g4f3
http://certop.hu/5g4f3
http://dzwiekowe.com/5g4f3
http://eribusiness.com/5g4f3
http://fanassfoods.co.za/5g4f3
http://fashioncheer.com/5g4f3
http://flirtkurs.ch/5g4f3
http://freemailguide.com/5g4f3
http://frejasvej.dk/5g4f3
http://fruitsfarm.ru/5g4f3
http://frumiel.cl/5g4f3
http://furniturefactory.lk/5g4f3
http://g2cteknoloji.com/5g4f3
http://g2el.com/5g4f3
http://gakrueger.com/5g4f3
http://ge3epmup.ru/5g4f3
http://geisha38.ru/5g4f3
http://geist.fr/5g4f3
http://geomatrix.nl/5g4f3
http://gerardfetter.com/5g4f3
http://ghostdance.us/5g4f3
http://globalem.asia/5g4f3
http://globissys.co.id/5g4f3
http://goedvanstart.nu/5g4f3
http://gokmasan.com/5g4f3
http://goldensad.ru/5g4f3
http://googleadwords.pro/5g4f3
http://gossipsjunction.com/5g4f3
http://gourmetlimes.com/5g4f3
http://gpsoft.pl/5g4f3
http://groundfloorelevator.com/5g4f3
http://gruppoeslabon.com.ph/5g4f3
http://gusi.biz/5g4f3
http://guusdam.nl/5g4f3
http://hairflicksmodelphotography.co.uk/5g4f3
http://happyhands.ru/5g4f3
http://happymedia.vn/5g4f3
http://hayber.com/5g4f3
http://hgssyouth.com/5g4f3
http://hjarne.dk/5g4f3
http://hogsmeade.ru/5g4f3
http://holmebjerg.dk/5g4f3
http://jorgeyoud.com/5g4f3
http://magical-connection.com/5g4f3
http://m.geology.kg/5g4f3
http://mospi.ru/5g4f3
http://nsrcconsulting.com/5g4f3
http://pillorydowncommercials.co.uk/5g4f3
http://sport-grace.by/5g4f3
http://termoskan.ru/5g4f3
http://tw.wapv.net/5g4f3

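Matching proxy logs against the download sites above has one wrinkle the list itself points out: every request carries a throwaway ?<random>=<random> query, so a literal URL match misses. The added example below (written for this page, not part of the original paste) canonicalises each URL to host and path before matching, and also flags the shared /5g4f3 path on hosts not yet in the list. It uses a subset of the sites; the proxy log lines are constructed, and their squid-like field order is an assumption.

```python
from urllib.parse import urlsplit

# Subset of the download sites listed above (all share the /5g4f3 path);
# in practice load the full list from the page.
DOWNLOAD_URLS = [
    "http://aeonmacon.net/5g4f3",
    "http://aeropress.com/5g4f3",
    "http://certop.hu/5g4f3",
    "http://geist.fr/5g4f3",
    "http://tw.wapv.net/5g4f3",
]


def canonical(url):
    """Reduce a URL to (host, path): scheme, port, query and fragment are
    dropped, because the campaign appends a meaningless ?<random>=<random>."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_SITES = {canonical(u) for u in DOWNLOAD_URLS}
IOC_PATHS = {path for _, path in IOC_SITES}

# Constructed proxy log lines (not real traffic): timestamp client method url status
SAMPLE_PROXY_LOG = [
    "1478272509.101 10.0.0.15 GET http://aeropress.com/5g4f3?kd83=xz91 200",
    "1478272510.217 10.0.0.15 GET http://www.example.com/index.html 200",
    "1478272511.390 10.0.0.22 GET http://unlisted.example/5g4f3?qq=17 200",
    "1478272512.004 10.0.0.22 GET http://www.example.com/5g4f3.css 200",
]


def scan_proxy_log(lines):
    """Return (client, host, verdict) for each line that hits the IOC set."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        host, path = canonical(url)
        if (host, path) in IOC_SITES:
            hits.append((client, host, "known download site"))
        elif path in IOC_PATHS:
            # Same campaign path on a host not yet listed: worth a look,
            # since the compromised-site list grows faster than any feed.
            hits.append((client, host, "campaign path on unlisted host"))
    return hits
```

The path-only rule is deliberately a second, weaker verdict: a five-character path is short enough to collide with legitimate content, so it should drive a review queue, not a block.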
Malware:
- as downloaded (encoded): SHA256 0bb46f3e70f1ad934a4a0c2a85104cb2503a37a42c9215fe18ebd104dc4447dc, MD5 5e4a1e97d8c870920920cd028e766979
- decoded: SHA256 63f9defc3e46e29f715337ec92353e2c78c4f14c96e92bd12da44b4ac2e25969, MD5 1821e1156bdb1ff66b5d2283921cfd79
- executed by "rundll32.exe <dll_name>,GetLine"

C2:
POST http://109.234.35.230/message.php
POST http://37.46.135.148/message.php
POST http://51.255.107.37/message.php
POST http://awnsxsiio.biz/message.php
POST http://ayxhjrweqnktu.org/message.php
POST http://cxhtcbgsjkennjnk.pl/message.php
POST http://hgpgxefvqcb.info/message.php
POST http://jwbtmkyfqwdrgrkf.su/message.php
POST http://mdwwuwertgxif.ru/message.php
POST http://prmluunkeehl.biz/message.php
POST http://pwleoujlrrvpwehe.pl/message.php
POST http://rkbwgccdcfmrpdgf.xyz/message.php
POST http://tpqjqgmsmrkyvy.pw/message.php
POST http://vkwuqidmfukvx.xyz/message.php
POST http://vppiwvel.info/message.php
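Endpoint and network detection for the Malware and C2 sections above: the rundll32 launch with the GetLine export, the decoded-payload hash, and POST requests to /message.php on the listed hosts. This is an added example for this page, not code from the original paste. The export name on its own is a weak signal (any DLL can export GetLine), so the function upgrades its verdict only when the hash matches, and the HTTP classifier treats an unlisted bare-IP host with the same method and path as suspect rather than known. The process and HTTP records are constructed; the Temp-folder DLL name is a placeholder, not an observed filename.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hashes and C2 endpoints from the sections above.
KNOWN_SHA256 = {
    "0bb46f3e70f1ad934a4a0c2a85104cb2503a37a42c9215fe18ebd104dc4447dc",  # as downloaded (encoded)
    "63f9defc3e46e29f715337ec92353e2c78c4f14c96e92bd12da44b4ac2e25969",  # decoded DLL
}
C2_URLS = [
    "http://109.234.35.230/message.php", "http://37.46.135.148/message.php",
    "http://51.255.107.37/message.php", "http://awnsxsiio.biz/message.php",
    "http://ayxhjrweqnktu.org/message.php", "http://cxhtcbgsjkennjnk.pl/message.php",
    "http://hgpgxefvqcb.info/message.php", "http://jwbtmkyfqwdrgrkf.su/message.php",
    "http://mdwwuwertgxif.ru/message.php", "http://prmluunkeehl.biz/message.php",
    "http://pwleoujlrrvpwehe.pl/message.php", "http://rkbwgccdcfmrpdgf.xyz/message.php",
    "http://tpqjqgmsmrkyvy.pw/message.php", "http://vkwuqidmfukvx.xyz/message.php",
    "http://vppiwvel.info/message.php",
]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}
C2_PATH = "/message.php"

# rundll32 invocation: optional path and quotes around the binary, then <dll>,<export>
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)


def rundll32_export(cmdline):
    """Return (dll, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def flag_process(cmdline, sha256=None):
    """Flag the observed launch: rundll32 calling export GetLine. The export
    name alone is weak evidence, so a hash match on the DLL upgrades the verdict."""
    parsed = rundll32_export(cmdline)
    if parsed is None or parsed[1].lower() != "getline":
        return None
    if sha256 and sha256.lower() in KNOWN_SHA256:
        return "known Locky DLL via rundll32 GetLine"
    return "rundll32 GetLine export (suspect)"


def classify_http(method, host, path):
    """Classify one HTTP request against the C2 list."""
    host = host.lower()
    if method.upper() != "POST" or path != C2_PATH:
        return None
    if host in C2_HOSTS:
        return "known Locky C2"
    try:
        ipaddress.ip_address(host)  # same beacon shape to an unlisted bare IP
        return "POST /message.php to bare IP (suspect)"
    except ValueError:
        return None


# Constructed sample records (not real telemetry): (command line, DLL sha256)
SAMPLE_PROCESSES = [
    (r'rundll32.exe C:\Users\bob\AppData\Local\Temp\h2k3j4.dll,GetLine',
     "63f9defc3e46e29f715337ec92353e2c78c4f14c96e92bd12da44b4ac2e25969"),
    (r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll', None),
]
SAMPLE_HTTP = [  # (method, host, path)
    ("POST", "109.234.35.230", "/message.php"),
    ("POST", "awnsxsiio.biz", "/message.php"),
    ("POST", "198.51.100.7", "/message.php"),
    ("GET", "www.example.com", "/message.php"),
]


def run_samples():
    """Apply both detections to the constructed records."""
    return ([flag_process(c, h) for c, h in SAMPLE_PROCESSES],
            [classify_http(*r) for r in SAMPLE_HTTP])
```

Bare-IP POSTs to /message.php are listed as suspect because three of the fifteen C2 endpoints on the page are raw IPv4 addresses; the domain ones look generated and rotate, so a hostname not on the list is not evidence either way and gets no verdict.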