2016-12-20 Locky "for printing"

Racco42 Dec 20th, 2016 (edited)
2016-12-20: #locky email phishing campaign "for printing"

Email sample:
------------------------------------------------------------------------------------------------------------------
From: TAMMY MALTMAN <tammy.maltman@jmorris.net>
To: [REDACTED]
Date: Tue, 20 Dec 2016 16:15:08 +0530
Subject: for printing

Hi,

For printing.
Thank you so much.
--

*TAMMY MALTMAN CristobalHRD/Admin Officer*
*Moonbake Inc.14 Langka St., Golden Acres Talon 1*
*Las Piñas City, Philippines 1630Tel. No.: 632 8004373, 632 8022645Telefax:
632 8022645*

*Mobile Number: +63932-845-9007Email Address: tammy.maltman@jmorris.net
<tammy.maltman@jmorris.net>*

Attachment: Certificate_60447.xls
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "for printing"
- attached file "Certificate_<4-8 digits>.xls" is a Microsoft Excel 2007+ file containing a macro that downloads the malware:

Download sites:
Malware:
- encoded on download, SHA256 3e813c9aef93c3ee00c89f99ee3e67314417b3d492c175a0633c0bb61cd03bef, MD5 20bac7aa46a9d2f0f19e54ed36a9b0fd
- decoded SHA256 3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893, MD5 c46d07a05d498cf4178d3092ee62aa07
- executed by "rundll32.exe %TEMP%\<filename>.vip,vape"
- sample: https://www.virustotal.com/file/3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893/analysis/1482233488/

C2:
POST http://176.121.14.95/checkupdate
POST http://188.127.239.48/checkupdate
POST http://193.201.225.124/checkupdate
POST http://91.203.5.144/checkupdate
POST http://91.223.180.3/checkupdate
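As an added example (not part of the original paste), a small Python detector that applies the campaign's indicators above to constructed sample telemetry: the lure's subject and attachment naming, the rundll32 loader invocation (a .vip DLL in %TEMP% with export "vape"), the /hjv56 download path and the POST /checkupdate C2 check-in. The sample events, host paths, hostnames and the DLL file name are invented; only the URL paths, the extension, the export name and the IP 176.121.14.95 come from the paste.

```python
import re

# Constructed sample telemetry (not from the paste): mail, process-creation
# and proxy events, with benign look-alikes mixed in.
SAMPLE_EVENTS = [
    {"type": "email", "subject": "for printing", "attachment": "Certificate_60447.xls"},
    {"type": "email", "subject": "Invoice", "attachment": "Certificate_Q4.xlsx"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\a\AppData\Local\Temp\kd8s.vip,vape"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http", "method": "POST", "url": "http://176.121.14.95/checkupdate"},
    {"type": "http", "method": "GET", "url": "http://example.invalid/hjv56"},
    {"type": "http", "method": "GET", "url": "http://example.invalid/news"},
]

# Patterns derived from the paste's indicators.
ATTACHMENT_RE = re.compile(r"^Certificate_\d{4,8}\.xls$", re.IGNORECASE)
# rundll32 loading a .vip file from a Temp directory and calling export "vape"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S*\\temp\\[^\\\s]+\.vip,vape\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"^https?://[^/]+/hjv56/?$", re.IGNORECASE)
C2_RE = re.compile(r"^https?://[^/]+/checkupdate$", re.IGNORECASE)


def classify(event):
    """Return a detection label for one event, or None if nothing matches."""
    kind = event.get("type")
    if kind == "email":
        if (event.get("subject", "").strip().lower() == "for printing"
                and ATTACHMENT_RE.match(event.get("attachment", ""))):
            return "locky-lure-email"
    elif kind == "process":
        if RUNDLL_RE.search(event.get("cmdline", "")):
            return "locky-rundll32-loader"
    elif kind == "http":
        url = event.get("url", "")
        if event.get("method") == "POST" and C2_RE.match(url):
            return "locky-c2-checkin"
        if DOWNLOAD_RE.match(url):
            return "locky-payload-download"
    return None


def scan(events):
    """Return (index, label) pairs for every event that matches a campaign pattern."""
    hits = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(i, label, SAMPLE_EVENTS[i])
```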