Racco42

2016-11-08 Locky "Fax transmission"

Nov 9th, 2016
2016-11-08 #locky email phishing campaign "Fax transmission"

Email sample:
------------------------------------------------------------------------------------------------------------
From: iFax Service <emailsend@wr-consultores.com>
To: [REDACTED]
Subject: Fax transmission: F-7957362261-8801377743-201611050329-4863.zip
Date: Wed, 9 Nov 2016 05:03:29 +0630

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)

Attachment: F-7957362261-8801377743-201611050329-4863.zip
------------------------------------------------------------------------------------------------------------
- sender varies between emails, but the display name is "(iFAX or FAX or NetFAX or IVR) Service" and the address starts with "emailsend"
- subject is "Fax transmission: F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip"
- attached file "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contains file "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", a JScript downloader
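As an added example (not part of the original paste), a small Python rule that checks a message's headers and attachment names against the three indicators listed above. The sample headers are constructed from the quoted email with a placeholder recipient, and the attachment listing is assumed to come from an archive-listing step outside this snippet.

```python
import re

# Constructed detection rule for the lure described above (not from the original paste).
# Subject and attachment names follow "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>".
LURE_BASENAME = r"F-\d{10}-\d{10}-201611\d{6}-\d{4}"
SUBJECT_RE = re.compile(rf"^Fax transmission: {LURE_BASENAME}\.zip$")
ZIP_RE = re.compile(rf"^{LURE_BASENAME}\.zip$")
JS_RE = re.compile(rf"^{LURE_BASENAME}\.js$")
# Display name "(iFAX|FAX|NetFAX|IVR) Service", local part starting with "emailsend".
SENDER_RE = re.compile(r'^"?(?:iFAX|FAX|NetFAX|IVR) Service"?\s*<emailsend[^@>]*@[^>]+>$',
                       re.IGNORECASE)

def parse_headers(raw: str) -> dict:
    """Parse an unfolded header block into a {lower-cased name: value} dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def match_locky_fax_lure(raw_headers: str, attachments: dict) -> list:
    """Return the paste's indicators that a message matches, in a fixed order.
    attachments maps each attachment filename to its archive member names ([] if not an archive)."""
    h = parse_headers(raw_headers)
    hits = []
    if SENDER_RE.match(h.get("from", "")):
        hits.append("sender")
    if SUBJECT_RE.match(h.get("subject", "")):
        hits.append("subject")
    for name, members in attachments.items():
        if ZIP_RE.match(name):
            hits.append("zip_name")
            if any(JS_RE.match(member) for member in members):
                hits.append("js_in_zip")
    return hits

# Constructed sample built from the headers quoted above (recipient replaced with a placeholder).
SAMPLE_HEADERS = """From: iFax Service <emailsend@wr-consultores.com>
To: recipient@example.invalid
Subject: Fax transmission: F-7957362261-8801377743-201611050329-4863.zip
Date: Wed, 9 Nov 2016 05:03:29 +0630"""
SAMPLE_ATTACHMENTS = {"F-7957362261-8801377743-201611050329-4863.zip":
                      ["F-7957362261-8801377743-201611050329-4863.js"]}
# A benign "fax" notification that must not match (constructed control case).
BENIGN_HEADERS = "From: Accounts <billing@example.invalid>\nSubject: Fax transmission: invoice.pdf"
```

The sender check is case-insensitive because the sample shows "iFax" while the description lists "iFAX"; a real mail gateway would also need to unfold wrapped headers before parsing.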

Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not affect the download):

Malware:
- encoded on download: SHA256 b5164a2f4ea1c7a2d338f47b7b391cfda6f8be6a7a2e3e3d9fc070dda863fdc5, MD5 d2888f6c40e32714a65f23df32a6930d
- decoded: SHA256 57a0f81246a70462028c1adf1b5d8f02580845084e12a5edf3652bb2d9b2077d, MD5 ad6fb318002df4ffc80795cc31d529b4
- executed by "rundll32.exe %TEMP%\<dll_name>,nipple"

C2: