
2017-10-09 Locky "New voice message"

Racco42 Oct 9th, 2017 (edited)
2017-10-09: #locky email phishing campaign "New voice message"

Email sample:
------------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: [REDACTED]
Subject: New voice  message 19088622012 in mailbox 190886220121 from "19088622012" <0348866828>
Date: Mon, 09 Oct 2017 10:08:51 -0500

Dear user:

just wanted to let you know you were just left a 0:53 long message (number 19088622012)
in mailbox 190886220121 from "19088622012" <0348866828>, on Mon, 09 Oct 2017 10:08:51 -0500
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

Attachment: msg034179.7z -> msg093208746.vbs
------------------------------------------------------------------------------------------------------------------------
- sender display name is "Voicemail Service"; the address is forged to look like it comes from the recipient's own domain (vmservice@[domain])
- subject is "New voice  message <11 digits> in mailbox <12 digits> from "<11 digits>" <<10 digits>>" (note the double space after "voice")
- attached file "msg<4-9 digits>.7z" contains "msg<8-9 digits>.vbs", a VBScript downloader that fetches the payload from one of the malware download sites listed below
- the email body also contains a link that downloads additional code from one of the following:

Links:
http://afslearnenglish.com/voicemsg.html
http://agregate-cariera.ro/voicemsg.html
http://agrourbis.com/voicemsg.html
http://alucmuhendislik.com/voicemsg.html
http://auto-ecolecoccinelle.com/voicemsg.html
http://datenhaus.info/voicemsg.html
http://estudiperceptiva.com/voicemsg.html
http://ferienwohnung-schitter.at/voicemsg.html
http://fortcollins-accounting.com/voicemsg.html
http://hashigosha.com/voicemsg.html
http://ilnumeroverde.it/voicemsg.html
http://kalorsystem.com/voicemsg.html
http://louisawong.net/voicemsg.html
http://maule.biz/voicemsg.html
http://missinglynxsystems.com/voicemsg.html
http://mobius-group.com/voicemsg.html
http://monroepoa.org/voicemsg.html
http://monstermx.com/voicemsg.html
http://mueblesamedidamalaga.com/voicemsg.html
http://norsky.pt/voicemsg.html
http://pagosdelrey.mobi/voicemsg.html
http://parquetroman.com/voicemsg.html
http://pinkyardflamingos.com/voicemsg.html
http://profigera.pt/voicemsg.html
http://recturf.com.au/voicemsg.html
http://resortphotographics.com/voicemsg.html
http://sgtenterprises.com/voicemsg.html
http://shineindian.com/voicemsg.html
http://simonline.nl/voicemsg.html
http://somallc.com/voicemsg.html
http://sunny-voices.de/voicemsg.html
http://team-bobcat.org/voicemsg.html
http://vincent-farben.de/voicemsg.html
http://weloveflowers.co.uk/voicemsg.html
http://wwwa.su/voicemsg.html
http://zik-et-dance.com/voicemsg.html

- the downloaded HTML contains an IFrame pointing to
http://moroplinghaptan.info/offjsjs/
- that domain is unreachable at this time, but it probably serves a loader for the malware below:

Malware download sites:
http://aeaccting.com/oiheiryur92
http://ashapeforlife.com/oiheiryur92
http://ashtontan.com/oiheiryur92
http://asnsport-bg.com/oiheiryur92
http://atlantarecyclingcenters.com/oiheiryur92
http://bodywork-sf.net/oiheiryur92
http://brascopperchile.cl/oiheiryur92
http://brc.es/oiheiryur92
http://bsfotodesign.com/oiheiryur92
http://deltadisseny.com/oiheiryur92
http://emmabeckerle.com/oiheiryur92
http://envirotambang.com/oiheiryur92
http://escolademusicasonare.com.br/oiheiryur92
http://essenza.co.id/oiheiryur92
http://evlilikpsikolojisi.com/oiheiryur92
http://financeforautos.com/oiheiryur92
http://fls-portal.co.uk/oiheiryur92
http://galeona.com/oiheiryur92
http://gilgroup.com/oiheiryur92
http://mail.estudiorrbp.com.uy/oiheiryur92
http://mediatrendsistem.com/oiheiryur92
http://mtblanc-let.co.uk/oiheiryur92
http://scottfranch.org/p66/oiheiryur92

Malware:
- Locky ransomware, offline .ykcol variant
- SHA256: 66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772, MD5: a0e33d432906262eb9980030a405c3fc
- VT: https://www.virustotal.com/file/66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772/analysis/1507561952/
- HA: https://www.reverse.it/sample/66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772?environmentId=100
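The indicators above (subject and attachment naming patterns, the forged internal sender, the three tiers of URLs and the sample hashes) turned into detection logic, as an added example that is not part of Racco42's paste. The host sets are a subset of the lists above; the e-mail message, the proxy log lines and the proxy log layout (<time> <client_ip> <method> <url> <status>) are constructed for the demonstration and are not real captures.

```python
# Added example, not part of the original paste: turns the indicators from the
# write-up into detection logic. Host lists are a subset; the e-mail and proxy
# log lines below are constructed for the demo and are not real captures.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

LURE_HOSTS = {"afslearnenglish.com", "agregate-cariera.ro", "datenhaus.info",
              "ilnumeroverde.it", "maule.biz", "simonline.nl", "wwwa.su",
              "weloveflowers.co.uk", "zik-et-dance.com"}
LURE_PATH = "/voicemsg.html"
IFRAME_HOST = "moroplinghaptan.info"  # second-stage loader host from the IFrame
PAYLOAD_HOSTS = {"aeaccting.com", "brc.es", "essenza.co.id", "galeona.com",
                 "mail.estudiorrbp.com.uy", "mtblanc-let.co.uk", "scottfranch.org"}
PAYLOAD_PATH = "/oiheiryur92"  # scottfranch.org serves it under /p66/, so match the tail
LOCKY_HASHES = {"66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772",  # SHA256
                "a0e33d432906262eb9980030a405c3fc"}                                  # MD5

# Subject: New voice  message <11 digits> in mailbox <12 digits> from "<11 digits>" <<10 digits>>
# The real subject has a double space after "voice"; accept one or two so a
# whitespace-normalising gateway does not defeat the rule.
SUBJECT_RE = re.compile(
    r'^New voice {1,2}message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
ATTACHMENT_RE = re.compile(r"^msg\d{4,9}\.7z$", re.IGNORECASE)  # msg<4-9 digits>.7z


def score_email(raw_message):
    """Return the campaign indicators matched by one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    display_name, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    recipient_domain = recipient.rpartition("@")[2].lower()
    # Sender is forged to look internal: vmservice@<the recipient's own domain>.
    if (display_name == "Voicemail Service" and sender.lower().startswith("vmservice@")
            and sender_domain and sender_domain == recipient_domain):
        hits.append("forged-internal-sender")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if ATTACHMENT_RE.match(filename):
            hits.append("attachment:" + filename)
    return hits


def classify_url(url):
    """Map a URL to the campaign stage it belongs to, or None if it is not an indicator."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if host in LURE_HOSTS and path == LURE_PATH:
        return "stage1-lure-page"
    if host == IFRAME_HOST:
        return "stage2-iframe-loader"
    if host in PAYLOAD_HOSTS and path.endswith(PAYLOAD_PATH):
        return "stage3-locky-download"
    return None


def scan_proxy_log(lines):
    """Return (client_ip, url, stage) for each line that touched a campaign URL.
    Assumed layout (constructed for this example): <time> <client_ip> <method> <url> <status>."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5:
            stage = classify_url(fields[3])
            if stage:
                findings.append((fields[1], fields[3], stage))
    return findings


def is_known_locky_sample(digest):
    """True if a SHA256 or MD5 hex digest matches the sample from the paste."""
    return digest.strip().lower() in LOCKY_HASHES


# Constructed sample input (not real captures).
SAMPLE_EMAIL = """\
From: "Voicemail Service" <vmservice@corp.example>
To: alice@corp.example
Subject: New voice  message 19088622012 in mailbox 190886220121 from "19088622012" <0348866828>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user: you were just left a 0:53 long message.
--b1
Content-Type: application/x-7z-compressed; name="msg034179.7z"
Content-Disposition: attachment; filename="msg034179.7z"

N3q8ryccAAQ=
--b1--
"""
SAMPLE_PROXY_LOG = """\
2017-10-09T15:12:03Z 10.0.0.21 GET http://afslearnenglish.com/voicemsg.html 200
2017-10-09T15:12:05Z 10.0.0.21 GET http://moroplinghaptan.info/offjsjs/ 503
2017-10-09T15:13:44Z 10.0.0.21 GET http://scottfranch.org/p66/oiheiryur92 200
2017-10-09T15:20:00Z 10.0.0.22 GET http://example.org/index.html 200
"""
```

score_email(SAMPLE_EMAIL) returns all three e-mail indicators, and scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()) attributes the lure page, the IFrame loader request and the payload fetch to the same client, which is the sequence a mailbox-to-infection investigation would want to see in one place. Stage 1 and 3 are matched on host plus path rather than host alone because the listed sites look like compromised legitimate domains, so blocking the whole host would cause false positives.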