API tools faq
paste
Racco42

2016-09-15 Locky "Booking confirmation"

Racco42
Sep 15th, 2016
1,566
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.32 KB | None | 0 0
raw download clone embed print report
  1. 22016-09-15 #locky phishing campaign "Booking confirmation"
  2. https://myonlinesecurity.co.uk/booking-confirmation-malspam-delivers-locky/
  3.  
  4. Email:
  5. -------------------------------------------------------------------------------------------------------
  6. From: "Dewey Valencia" <Valencia.14497@fibertel.com.ar>
  7. To: [REDACTED]
  8. Subject: Booking confirmation
  9. Date: Thu, 15 Sep 2016 15:49:09 -0300
  10.  
  11. Hi there [REDACTED], it's Dewey. I booked the ticket for you yesterday.
  12. See the attachment to confirm the booking.
  13.  
  14. King regards,
  15. Dewey Valencia
  16.  
  17. Attachment: "f732d7d994.zip"
  18. -------------------------------------------------------------------------------------------------------
  19. - sender address varies in format <name>.<number>@<domain>
  20. - subject is "Booking confirmation"
  21. - attachment <random hexa chars>.zip contains two files; one letter name (e.g. "a") of random size filled with 0s (just padding) and "Booking confirmation ~<random hexa chars>~.js" downloader
  22.  
  23. Download sites:
  24. http://gobantakao.com/0a64s
  25. http://gobantakao.com/3qm01xeb
  26. http://gobantakao.com/8vdtrq
  27. http://gobantakao.com/m15l0gez
  28. http://gobantakao.com/q6csqde
  29. http://ponggirr.net/3k3wyjp
  30. http://ponggirr.net/ccbbcu
  31. http://ponggirr.net/erowakv
  32. http://ponggirr.net/hbx7xs4f
  33. http://ponggirr.net/qs060j5
  34. http://satyrwelf.net/0ygdf9nf
  35. http://satyrwelf.net/27d4l09
  36. http://satyrwelf.net/96cbdy
  37. http://satyrwelf.net/igle880a
  38. http://satyrwelf.net/k9nz8
  39.  
  40. Malware:
  41. - encoded on download, filesize 191492 bytes (190980 bytes on http___satyrwelf.net_27d4l09)
  42. 0a6bbf2c70a46e1d7d27a3ae8a6539bb620a872f0d25459824d80f8a6935247b http___gobantakao.com_0a64s
  43. ec8a632e1c9941298a4f66f7d04fe3bdd2c2fd70c70227b0d6f9d6b484517a3e http___gobantakao.com_3qm01xeb
  44. 12c76fdfff7646af4b3c2fe15379213565359aa0534766aa6965924299293e05 http___gobantakao.com_8vdtrq
  45. 8c40beac7c4d12bf0d03961bd1e1cd0dc1b9938bf98517cef70073a3d981a5fd http___gobantakao.com_m15l0gez
  46. fbfcba8191a5e5eb624b27b02088ec83e1ccb57a0ed956b8176ccb70b98c285f http___gobantakao.com_q6csqde
  47. e913bbc81975c234648ab1490ed9faa7617eab8670acbeb51983fd570c0777e2 http___ponggirr.net_3k3wyjp
  48. ade133a2a04872c73a8d665b198b9fdcea227451a81c0d11df6ebd88a4a65b84 http___ponggirr.net_ccbbcu
  49. 35d5c9c06001f109799a41ac611a5f413891019ea0ea7a1c6ed2055c1854d06b http___ponggirr.net_erowakv
  50. 39f957b97291bf180aa5ad563ad38740365860e7ebf80ecd43089345a8f50343 http___ponggirr.net_hbx7xs4f
  51. ca5d1179982b03692adf1ffe075c5e49ef9f4ba2a88f29de4c00d4851ef85816 http___ponggirr.net_qs060j5
  52. e68f08145a988abbecfcd02b0f666dab1926276028c2f44f8887c944fb405b4c http___satyrwelf.net_0ygdf9nf
  53. e59fa4b1e5c58a0bbdfc09603989a9031c2fb714555ac53002e98e3e26d0501e http___satyrwelf.net_27d4l09
  54. 3edbf01784905a228ce8a1b9400a9d3fdad14419a309d8f4f47968e166f6b872 http___satyrwelf.net_96cbdy
  55. 6390b64bc373f450fd88cab398409bfffbe04ad48c5840c8a0481ae8c004f727 http___satyrwelf.net_igle880a
  56. aaec809824319c7f703507cbab4c436417d655707e7ad481acc7df068986f765 http___satyrwelf.net_k9nz8
  57. - decoded
  58. 175b43aa6bbfd407a4a4fda7205505a547169b4d63bdad16a5c361e2e6d80d0b http___gobantakao.com_0a64s
  59. 6662d052c0f4ec11f0ae3dae7c5ae8994fb581741fcc6fe5dbb540f926865216 http___satyrwelf.net_96cbdy
  60. - executed as "rundll32.exe %TEMP%\HO396K~1.DLL,qwerty 323"
  61.  
  62. https://www.reverse.it/sample/7f17f704e95a751f7d586a6610d9e86023b44245400e604c469d16a9706ddaef?environmentId=100
  63. https://www.reverse.it/sample/bdd56b075b7b18221e1598e3e5f15d13089c9514a9828825f83d5f87f65c31f6?environmentId=100
  64. https://www.reverse.it/sample/3245cf99876e45110604d80cf0bcf3f59cebfae20ee5f1544afca0c2c058cb56?environmentId=100
  65. https://www.reverse.it/sample/c9fc1d7fa5e3853d10a9a4fe89d7a809b019e4e7961b894be69dbe855683e166?environmentId=100
  66. https://www.reverse.it/sample/a221882467b90ecab4b0c582860e340299ccb1e6b41301404c7faa64779a8522?environmentId=100
  67. https://www.reverse.it/sample/fa66023c2c81d76138bcf651670708ed65bd91f2fab58be56606fe2acf25d4d8?environmentId=100
  68. https://www.reverse.it/sample/805609c14c200c05a84d3bcf2c70aad2533cbbd5e050f6e3836ffc76d2ec23c2?environmentId=100
  69. https://www.reverse.it/sample/6f48af0b2f44c23dd12e958573c329734c2d5756fa942cde94d8524ebc19a68b?environmentId=100
  70. https://www.reverse.it/sample/ddbf9b5377479b3c08bd53c5d70b29136c906c96568a1ca1574ef6d7443ed288?environmentId=100
  71. https://www.reverse.it/sample/bb5ef74f2b10eb333d24a87fcbb79205f519dc5c7f10951d4b3101aa4ff40239?environmentId=100
  72.  
  73. C2:
  74. - no C2 communication observed
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!