- 2016-11-08 #locky email phishing campaign "Fax transmission"
- Email sample:
- ------------------------------------------------------------------------------------------------------------
- From: iFax Service <emailsend@wr-consultores.com>
- To: [REDACTED]
- Subject: Fax transmission: F-7957362261-8801377743-201611050329-4863.zip
- Date: Wed, 9 Nov 2016 05:03:29 +0630
- Please find attached to this email a facsimile transmission we
- have just received on your behalf
- (Do not reply to this email as any reply will not be read by
- a real person)
- Attachment: F-7957362261-8801377743-201611050329-4863.zip
- ------------------------------------------------------------------------------------------------------------
- - sender address varies between emails, but the display name is "<iFax|FAX|NetFAX|IVR> Service" and the local part of the address starts with "emailsend"
- - subject is "Fax transmission: F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip"
- - attached file "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contains a file with the same stem, "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", which is the JScript downloader that fetches the payload from one of the download sites below
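- Added example (not part of the original paste): a mail-gateway triage check for the lure pattern above. It rebuilds the sample message with a placeholder ZIP (the .js inside is a harmless stub, not the real downloader) and the recipient "victim@example.invalid" is constructed; the sender, subject, date and attachment names are the ones from the sample.

```python
"""Triage check for the "Fax transmission" lure described above.

Added example, not part of the original paste. The message and the ZIP
are constructed here from the sample (the ZIP holds a harmless placeholder
.js, not the real downloader) so the check runs offline.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns taken from the indicators above.
SENDER_NAME_RE = re.compile(r"^(iFax|FAX|NetFAX|IVR) Service$", re.IGNORECASE)
STEM_RE = re.compile(r"^F-\d{10}-\d{10}-201611\d{6}-\d{4}$")
SUBJECT_RE = re.compile(r"^Fax transmission: (F-\d{10}-\d{10}-201611\d{6}-\d{4})\.zip$")

SAMPLE_STEM = "F-7957362261-8801377743-201611050329-4863"


def build_sample_eml(stem: str = SAMPLE_STEM) -> bytes:
    """Constructed copy of the lure; the attachment is a placeholder, not malware."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(stem + ".js", "// placeholder, not the real JScript downloader\n")
    msg = EmailMessage()
    msg["From"] = "iFax Service <emailsend@wr-consultores.com>"
    msg["To"] = "victim@example.invalid"  # constructed recipient
    msg["Subject"] = f"Fax transmission: {stem}.zip"
    msg["Date"] = "Wed, 9 Nov 2016 05:03:29 +0630"
    msg.set_content(
        "Please find attached to this email a facsimile transmission we\n"
        "have just received on your behalf\n"
        "(Do not reply to this email as any reply will not be read by\n"
        "a real person)\n"
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename=stem + ".zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the lure's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    subject = str(msg["Subject"] or "")
    m = SUBJECT_RE.match(subject)
    stem = m.group(1) if m else None

    js_in_zip = []
    zip_name_matches = False
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if stem and fname == stem + ".zip":
            zip_name_matches = True
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    js_in_zip += [n for n in zf.namelist()
                                  if n.lower().endswith(".js") and STEM_RE.match(n[:-3])]
            except zipfile.BadZipFile:
                pass  # not a real ZIP; nothing to inspect

    findings = {
        "sender_name": bool(SENDER_NAME_RE.match(name)),
        "sender_localpart": addr.lower().startswith("emailsend"),
        "subject": stem is not None,
        "zip_name": zip_name_matches,
        "js_in_zip": js_in_zip,
    }
    # Subject + same-stem ZIP + same-stem .js inside is the campaign's signature;
    # the sender checks only corroborate, because the address varies per email.
    findings["verdict"] = ("locky_fax_lure"
                           if findings["subject"] and zip_name_matches and js_in_zip
                           else "no_match")
    return findings


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

- The verdict is keyed on the subject/attachment naming scheme rather than the sender, since the paste notes the address changes while the "F-<10>-<10>-201611<6>-<4>" stem is constant across subject, ZIP and inner .js.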
- Download sites (the actual URLs carry a query string ?<random>=<random>; it does not affect the download, so match on host and path only):
- http://asrcargo.ru/7845gf
- http://chewysissy.net/7845gf
- http://elektrickekefky.sk/7845gf
- http://gadgetdealz.net/7845gf
- http://hydroservis.sk/7845gf
- http://iaam.com.br/7845gf
- http://igraficas.com/7845gf
- http://immobilienbegleitung.de/7845gf
- http://inkjetss.com/7845gf
- http://inteza.pl/7845gf
- http://ivocal.fr/7845gf
- http://izmirisgb.com/7845gf
- http://jlxzy.net/7845gf
- http://jrockish.bravepages.com/7845gf
- http://julian-g.ro/7845gf
- http://kedaikerinchi.com/7845gf
- http://khashchevato42.ru/7845gf
- http://kiannaghsh.ir/7845gf
- http://kurdinfo.ru/7845gf
- http://lekstom.ru/7845gf
- http://lloveras.com/7845gf
- http://mapbook.ir/7845gf
- http://markanltd.com/7845gf
- http://masiled.es/7845gf
- http://materlux.ru/7845gf
- http://mavicicek.com/7845gf
- http://maytinhcaobang.net/7845gf
- http://mjtmak.com/7845gf
- http://mokinukai.lt/7845gf
- http://mtgchile.cl/7845gf
- http://muaban86.net/7845gf
- http://muzica-evenimente.ro/7845gf
- http://mw077.ru/7845gf
- http://myhtar.ru/7845gf
- http://natalilife.ru/7845gf
- http://teazexebec.com/7845gf
- Malware:
- - payload as downloaded (encoded): SHA256 b5164a2f4ea1c7a2d338f47b7b391cfda6f8be6a7a2e3e3d9fc070dda863fdc5, MD5 d2888f6c40e32714a65f23df32a6930d
- - decoded DLL: SHA256 57a0f81246a70462028c1adf1b5d8f02580845084e12a5edf3652bb2d9b2077d, MD5 ad6fb318002df4ffc80795cc31d529b4
- - executed by "rundll32.exe %TEMP%\<dll_name>,nipple" (the decoded DLL is dropped into %TEMP% and launched through its "nipple" export)
- C2:
- POST http://158.69.223.5/message.php
- POST http://85.143.212.23/message.php
- POST http://gfytvimwwi.pl/message.php
- POST http://cuduqdh.pl/message.php
- POST http://qyxrdhfuufn.biz/message.php
- POST http://ilicnmsuferm.biz/message.php
- POST http://ggcemyyajb.pl/message.php
- POST http://pprdnueyhukcjy.info/message.php
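- Added example (not part of the original paste): a retro-hunt that runs the network and host indicators above over log lines. The hosts, IPs, paths and the "nipple" export name are the paste's indicators; the proxy log lines, the process event, the workstation name and the DLL file name "placeholder.dll" are constructed (the paste gives the DLL only as <dll_name>).

```python
"""Retro-hunt for the download sites, C2 check-ins and rundll32 launch listed above.

Added example, not part of the original paste. The proxy log lines and the
process events are constructed; the hosts, paths, IPs and the "nipple" export
name are the indicators from the paste. The DLL file name in the sample event
is a placeholder, since the paste gives it only as <dll_name>.
"""
import re
from urllib.parse import urlsplit

DOWNLOAD_HOSTS = {
    "asrcargo.ru", "chewysissy.net", "elektrickekefky.sk", "gadgetdealz.net",
    "hydroservis.sk", "iaam.com.br", "igraficas.com", "immobilienbegleitung.de",
    "inkjetss.com", "inteza.pl", "ivocal.fr", "izmirisgb.com", "jlxzy.net",
    "jrockish.bravepages.com", "julian-g.ro", "kedaikerinchi.com",
    "khashchevato42.ru", "kiannaghsh.ir", "kurdinfo.ru", "lekstom.ru",
    "lloveras.com", "mapbook.ir", "markanltd.com", "masiled.es", "materlux.ru",
    "mavicicek.com", "maytinhcaobang.net", "mjtmak.com", "mokinukai.lt",
    "mtgchile.cl", "muaban86.net", "muzica-evenimente.ro", "mw077.ru",
    "myhtar.ru", "natalilife.ru", "teazexebec.com",
}
DOWNLOAD_PATH = "/7845gf"
C2_HOSTS = {
    "158.69.223.5", "85.143.212.23", "gfytvimwwi.pl", "cuduqdh.pl",
    "qyxrdhfuufn.biz", "ilicnmsuferm.biz", "ggcemyyajb.pl", "pprdnueyhukcjy.info",
}
C2_PATH = "/message.php"
# rundll32.exe <any>.dll,nipple : the export name is the stable part of the launch.
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b.*?\.dll\s*,\s*nipple\b", re.IGNORECASE)


def classify_request(method: str, url: str):
    """Label one proxied request; the random ?<x>=<y> query string is ignored."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if method.upper() == "GET" and host in DOWNLOAD_HOSTS and u.path == DOWNLOAD_PATH:
        return "locky_payload_download"
    if method.upper() == "POST" and host in C2_HOSTS and u.path == C2_PATH:
        return "locky_c2_checkin"
    return None


def hunt(proxy_lines, process_events):
    """Run the indicators over log lines; returns (timestamp, source, label, detail)."""
    hits = []
    for line in proxy_lines:
        # constructed format: <ts> <client> <method> <url> <status>
        ts, client, method, url, _status = line.split()
        label = classify_request(method, url)
        if label:
            hits.append((ts, client, label, url))
    for line in process_events:
        # constructed format: <ts> <host> <command line>
        ts, host, cmdline = line.split(maxsplit=2)
        if RUNDLL_RE.search(cmdline):
            hits.append((ts, host, "locky_rundll32_launch", cmdline))
    return hits


# Constructed sample data, not captured traffic.
PROXY_LOG = [
    "2016-11-08T09:31:02Z 10.0.0.15 GET http://inkjetss.com/7845gf?hq2=zz91 200",
    "2016-11-08T09:31:04Z 10.0.0.15 GET http://inkjetss.com/favicon.ico 404",
    "2016-11-08T09:31:21Z 10.0.0.15 POST http://158.69.223.5/message.php 200",
    "2016-11-08T09:32:00Z 10.0.0.22 GET http://example.org/7845gf 404",
]
PROCESS_EVENTS = [
    "2016-11-08T09:31:19Z WS-015 rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\placeholder.dll,nipple",
    "2016-11-08T09:31:30Z WS-015 rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for hit in hunt(PROXY_LOG, PROCESS_EVENTS):
        print(*hit)
```

- Matching on host plus exact path (rather than the full URL) is what makes the random query suffix irrelevant, and keying the process check on the ",nipple" export keeps it independent of the per-infection DLL name.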