- 2016-08-29 #locky phishing email campaign "Please find attached invoice no. XXXX"
- Email sample (the sender domain is spoofed to match the recipient's domain):
- -------------------------------------------------------------------------------------------
- From: <document@[REDACTED]>
- To: [REDACTED]
- Subject: Please find attached invoice no: 571126296
- Attached is a Print Manager form.
- Format = Portable Document Format File (PDF)
- ________________________________
- Disclaimer
- This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
- -------------------------------------------------------------------------------------------
- Attached file: [random characters].zip, which contains [random characters].wsf, a Windows Script File (WSF) carrying a JScript downloader
- Download URLs (the actual URL carries a ?<random>=<random> query-string suffix, which does not appear to affect the download):
- Downloaded payload (stored in encoded form), SHA256: e6b487f67e4d5547bbe07ef0d70191a6b73edb9b2a5cc6878871e3682be74d2a, file size 143360 bytes; sandbox reports:
- C2s:
- 51.255.107.30:80/data/info.php
- 195.64.154.114:80/data/info.php
- 91.226.92.208:80/data/info.php (hostname: trxswbwxhr.xyz)
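The two traits the paste describes, a sender domain spoofed to match the recipient's and a ZIP wrapping a .wsf JScript downloader, are cheap to check at a mail gateway or in a mailbox sweep. The Python below is an added example, not part of the paste: the message and ZIP are constructed in-line to mimic the campaign, and the non-.wsf entries in SCRIPT_EXTENSIONS are an assumption for broader coverage.

```python
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script-host extensions that should not arrive inside an "invoice" ZIP (.wsf is from this campaign; the rest are assumed).
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")


def domain_of(header: str) -> str:
    """Lower-cased domain of the first address in an RFC 5322 header value."""
    _, addr = email.utils.parseaddr(str(header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def script_members(zip_bytes: bytes) -> list:
    """Names of script files inside a ZIP attachment; [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Flag the two campaign traits: sender domain == recipient domain, script file inside a ZIP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom, to_dom = domain_of(msg["From"]), domain_of(msg["To"])
    scripts = []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            scripts += script_members(part.get_payload(decode=True) or b"")
    return {
        "sender_domain_matches_recipient": bool(from_dom) and from_dom == to_dom,
        "script_in_zip": scripts,
        "suspicious": bool(scripts),
    }


def build_sample() -> bytes:
    """Constructed look-alike of the campaign email (spoofed sender domain, ZIP-wrapped .wsf)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("k7Qx2.wsf", "placeholder text, not a real script")  # constructed member
    msg = EmailMessage()
    msg["From"] = "document@example.com"  # same domain as the recipient, as in the campaign
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Please find attached invoice no: 571126296"
    msg.set_content("Attached is a Print Manager form.\nFormat = Portable Document Format File (PDF)\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="k7Qx2.zip")
    return msg.as_bytes()
```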