- 2016-11-04: #locky email phishing campaign "Please find attached invoice no: xxxxx"
- Sample email:
- ----------------------------------------------------------------------------------------------------------------
- From: <document@[REDACTED]>
- To: [REDACTED]
- Subject: Please find attached invoice no: 055967
- Date: Fri, 04 Nov 2016 17:15:09 +0200
- Attached is a Print Manager form.
- Format Portable Document Format File (PDF)
- ________________________________
- Disclaimer
- This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
- Attachment: "1B262d.zip"
- ----------------------------------------------------------------------------------------------------------------
- - sender email address is <document@[recipient's domain]>, i.e. it spoofs the recipient's own domain
- - subject is "Please find attached invoice no: <number>"
- - attached file "<random chars>.zip" contains file "<random chars>.wsf", a JScript downloader
- Download sites (actual URLs have suffix ?<random>=<random>, which does not influence the download):
- http://aeonmacon.net/5g4f3
- http://aeropress.com/5g4f3
- http://arxaggelos.com/5g4f3
- http://casaxavier.com.mx/5g4f3
- http://certop.hu/5g4f3
- http://dzwiekowe.com/5g4f3
- http://eribusiness.com/5g4f3
- http://fanassfoods.co.za/5g4f3
- http://fashioncheer.com/5g4f3
- http://flirtkurs.ch/5g4f3
- http://freemailguide.com/5g4f3
- http://frejasvej.dk/5g4f3
- http://fruitsfarm.ru/5g4f3
- http://frumiel.cl/5g4f3
- http://furniturefactory.lk/5g4f3
- http://g2cteknoloji.com/5g4f3
- http://g2el.com/5g4f3
- http://gakrueger.com/5g4f3
- http://ge3epmup.ru/5g4f3
- http://geisha38.ru/5g4f3
- http://geist.fr/5g4f3
- http://geomatrix.nl/5g4f3
- http://gerardfetter.com/5g4f3
- http://ghostdance.us/5g4f3
- http://globalem.asia/5g4f3
- http://globissys.co.id/5g4f3
- http://goedvanstart.nu/5g4f3
- http://gokmasan.com/5g4f3
- http://goldensad.ru/5g4f3
- http://googleadwords.pro/5g4f3
- http://gossipsjunction.com/5g4f3
- http://gourmetlimes.com/5g4f3
- http://gpsoft.pl/5g4f3
- http://groundfloorelevator.com/5g4f3
- http://gruppoeslabon.com.ph/5g4f3
- http://gusi.biz/5g4f3
- http://guusdam.nl/5g4f3
- http://hairflicksmodelphotography.co.uk/5g4f3
- http://happyhands.ru/5g4f3
- http://happymedia.vn/5g4f3
- http://hayber.com/5g4f3
- http://hgssyouth.com/5g4f3
- http://hjarne.dk/5g4f3
- http://hogsmeade.ru/5g4f3
- http://holmebjerg.dk/5g4f3
- http://jorgeyoud.com/5g4f3
- http://magical-connection.com/5g4f3
- http://m.geology.kg/5g4f3
- http://mospi.ru/5g4f3
- http://nsrcconsulting.com/5g4f3
- http://pillorydowncommercials.co.uk/5g4f3
- http://sport-grace.by/5g4f3
- http://termoskan.ru/5g4f3
- http://tw.wapv.net/5g4f3
- Malware:
- - encoded on download, SHA256 0bb46f3e70f1ad934a4a0c2a85104cb2503a37a42c9215fe18ebd104dc4447dc, MD5 5e4a1e97d8c870920920cd028e766979
- - decoded SHA256 63f9defc3e46e29f715337ec92353e2c78c4f14c96e92bd12da44b4ac2e25969, MD5 1821e1156bdb1ff66b5d2283921cfd79
- - executed by "rundll32.exe <dll_name>,GetLine" (the decoded payload is a DLL invoked via its GetLine export)
- C2:
- POST http://109.234.35.230/message.php
- POST http://37.46.135.148/message.php
- POST http://51.255.107.37/message.php
- POST http://awnsxsiio.biz/message.php
- POST http://ayxhjrweqnktu.org/message.php
- POST http://cxhtcbgsjkennjnk.pl/message.php
- POST http://hgpgxefvqcb.info/message.php
- POST http://jwbtmkyfqwdrgrkf.su/message.php
- POST http://mdwwuwertgxif.ru/message.php
- POST http://prmluunkeehl.biz/message.php
- POST http://pwleoujlrrvpwehe.pl/message.php
- POST http://rkbwgccdcfmrpdgf.xyz/message.php
- POST http://tpqjqgmsmrkyvy.pw/message.php
- POST http://vkwuqidmfukvx.xyz/message.php
- POST http://vppiwvel.info/message.php
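Added example (not part of the paste): detection helpers that turn the lure traits, the download URL pattern and the C2 pattern listed above into checks a mail gateway or proxy-log review could apply. Indicator values (the /5g4f3 path, /message.php, the two SHA256 hashes and the host subset) are copied from the paste; the sample e-mail fields and proxy log lines are constructed, and the log format is an assumption.

```python
"""Detection helpers for the 2016-11-04 Locky invoice lure (added example, not from the paste)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the paste (host lists are a subset of those listed there)
DOWNLOAD_PATH = "/5g4f3"
C2_PATH = "/message.php"
DOWNLOAD_HOSTS = {
    "aeonmacon.net", "aeropress.com", "arxaggelos.com", "casaxavier.com.mx",
    "certop.hu", "dzwiekowe.com", "eribusiness.com", "fanassfoods.co.za",
}
C2_HOSTS = {"109.234.35.230", "37.46.135.148", "51.255.107.37",
            "awnsxsiio.biz", "ayxhjrweqnktu.org"}
KNOWN_SHA256 = {
    "0bb46f3e70f1ad934a4a0c2a85104cb2503a37a42c9215fe18ebd104dc4447dc",  # encoded download
    "63f9defc3e46e29f715337ec92353e2c78c4f14c96e92bd12da44b4ac2e25969",  # decoded DLL
}

SUBJECT_RE = re.compile(r"^Please find attached invoice no: \d+$")
ZIP_RE = re.compile(r"^[0-9A-Za-z]+\.zip$", re.IGNORECASE)
ADDR_RE = re.compile(r"<?([^<>@\s]+)@([^<>\s]+)>?$")


def _split_addr(addr):
    """Return (local part, domain) in lower case, or (None, None) if unparsable."""
    m = ADDR_RE.search(addr.strip())
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower()


def is_lure(sender, recipient, subject, attachment):
    """True when all lure traits from the paste are present at once:
    sender is document@<recipient's own domain>, subject matches the invoice
    template, and the attachment is a short alphanumeric .zip name."""
    s_local, s_domain = _split_addr(sender)
    _, r_domain = _split_addr(recipient)
    return (s_local == "document" and s_domain is not None and s_domain == r_domain
            and SUBJECT_RE.match(subject.strip()) is not None
            and ZIP_RE.match(attachment.strip()) is not None)


def classify_url(method, url):
    """Classify one request as 'download', 'download-path-only', 'c2' or None.
    The query string (?<random>=<random>) is ignored, as the paste notes it
    does not affect the download, so the path alone is the stable indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        return "download" if host in DOWNLOAD_HOSTS else "download-path-only"
    if method.upper() == "POST" and parts.path == C2_PATH and host in C2_HOSTS:
        return "c2"
    return None


def scan_proxy_log(lines):
    """Assumed log format: '<timestamp> <client> <METHOD> <url>' per line.
    Returns a list of (client, host, verdict) for every matching line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, method, url = fields[1], fields[-2], fields[-1]
        verdict = classify_url(method, url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


def is_known_payload(sha256_hex):
    """Match a file hash against the two hashes given in the paste."""
    return sha256_hex.lower() in KNOWN_SHA256


# Constructed sample proxy log lines (not real traffic)
SAMPLE_PROXY_LOG = [
    "2016-11-04T17:20:01Z 10.0.0.12 GET http://certop.hu/5g4f3?kd8s=q2w1",
    "2016-11-04T17:20:03Z 10.0.0.12 GET http://cdn.example/static/app.js",
    "2016-11-04T17:20:09Z 10.0.0.12 POST http://109.234.35.230/message.php",
    "2016-11-04T17:21:40Z 10.0.0.31 GET http://unlisted.example/5g4f3?x=y",
]

if __name__ == "__main__":
    print(is_lure("<document@example.com>", "alice@example.com",
                  "Please find attached invoice no: 055967", "1B262d.zip"))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The "download-path-only" verdict exists because the paste shows one fixed path reused across dozens of compromised hosts, so a request for /5g4f3 on a host not yet on the list is still worth a look; treating the query string as noise keeps the check stable across the random suffixes.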