Advertisement
Racco42

2017-08-11 Locky "Document / Scan"

Aug 11th, 2017
2,807
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.67 KB | None | 0 0
  1. 2017-08-11: #Locky email phishing campaign "Document / Scan / Order"
  2. Samples: 626
  3.  
  4. Email sample:
  5. --------------------------------------------------------------------------------------------------------------------
  6. From: Evangelina <Evangelina.04@[REDACTED]>
  7. To: [REDACTED]
  8. Subject: Document
  9. Date: Fri, 11 Aug 2017 14:31:00 +0400
  10.  
  11. Attachment: PDF00076094.pdf
  12. --------------------------------------------------------------------------------------------------------------------
  13. - sender address is forged to be from same domain as recepient's, format: <Name>.<number>@<domain>
  14. - subject is "<Document|Invoice|Order|Paper|Receipt|Scan|Scanned Document>
  15. - email body is empty
  16. - attached file "PDF<6-8 digits>.pdf contains an embedded .docm file, which when opened runs macro that will download from:
  17.  
  18. Download sites:
  19. http://2-wave.com/JbhbUsfs
  20. http://3e.com.pt/JbhbUsfs
  21. http://3lr.es/JbhbUsfs
  22. http://6tricksguides.com/JbhbUsfs
  23. http://abstonework.ca/JbhbUsfs
  24. http://accuflowfloors.com/JbhbUsfs
  25. http://ach-wie.net/JbhbUsfs
  26. http://actt.gr/JbhbUsfs
  27. http://acurcioefilhos.pt/JbhbUsfs
  28. http://adr-werbetechnik.de/JbhbUsfs
  29. http://aegeanlab.gr/JbhbUsfs
  30. http://cafe-papermoon.com/JbhbUsfs
  31. http://cagliaricity.com/JbhbUsfs
  32. http://calvintp.fr/JbhbUsfs
  33. http://campusassas.com/JbhbUsfs
  34. http://cancortes.com/JbhbUsfs
  35. http://carriereiserphotography.com/JbhbUsfs
  36. http://caseyeap.com/JbhbUsfs
  37. http://cctv.pt/JbhbUsfs
  38. http://darca.info/JbhbUsfs
  39. http://grossert.de/JbhbUsfs
  40. http://indiasublime.in/JbhbUsfs
  41. http://inormann.it/JbhbUsfs
  42. http://love.chuanmeiker.com/JbhbUsfs
  43. http://nancywillems.nl/JbhbUsfs
  44. http://nerdydroid.com/JbhbUsfs
  45. http://rtozottosdossder.net/af/JbhbUsfs
  46. http://seoulhome.net/JbhbUsfs
  47. http://starsafety.net/JbhbUsfs
  48. http://swangroup.net/JbhbUsfs
  49.  
  50. Update:
  51. http://carriereiter.com/JbhbUsfs
  52. http://gardenconcept.pl/JbhbUsfs
  53. http://infopoupees.com/JbhbUsfs
  54. http://musicphilicwinds.org/JbhbUsfs
  55.  
  56. Update:
  57. http://121-psychic-reading.co.uk/JbhbUsfs
  58. http://1888titlework.com/JbhbUsfs
  59. http://adaliyapi.com/JbhbUsfs
  60. http://campuslinne.com/JbhbUsfs
  61. http://conceptfactory.com.au/JbhbUsfs
  62. http://eselink.com.my/JbhbUsfs
  63. http://sharplingerie.com/JbhbUsfs
  64. http://toyah.de/JbhbUsfs
  65.  
  66. Malware:
  67. - Locky ransomware
  68. - SHA256: SHA256 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e
  69. - MD5: 9dcdfbb3e8e4020e4cf2fc77e86daa76
  70. - VT: https://www.virustotal.com/en/file/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e/analysis/1502448250/
  71. - HA: https://www.hybrid-analysis.com/sample/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e?environmentId=100
  72. - C2: POST 91.219.28.39/checkupdate
  73. POST 185.127.24.191/checkupdate
  74. - file extension: .diablo6
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement