Racco42

2017-10-09 Locky "New voice message"

Oct 9th, 2017
2017-10-09: #locky email phishing campaign "New voice message"

Email sample:
------------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: [REDACTED]
Subject: New voice message 19088622012 in mailbox 190886220121 from "19088622012" <0348866828>
Date: Mon, 09 Oct 2017 10:08:51 -0500

Dear user:

just wanted to let you know you were just left a 0:53 long message (number 19088622012)
in mailbox 190886220121 from "19088622012" <0348866828>, on Mon, 09 Oct 2017 10:08:51 -0500
so you might want to check it when you get a chance. Thanks!

--Voicemail Service

Attachment: msg034179.7z -> msg093208746.vbs
------------------------------------------------------------------------------------------------------------------------
- sender is "Voicemail Service"; the From address is forged to appear to come from the recipient's own domain (vmservice@[domain])
- subject is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <<10 digits>>"
- attached file "msg<4-9 digits>.7z" contains file "msg<8-9 digits>.vbs", a VBScript downloader which downloads the malware from one of the malware download sites listed below
- body of the email contains a link, which downloads additional code from one of:

Links:
http://afslearnenglish.com/voicemsg.html
http://agregate-cariera.ro/voicemsg.html
http://agrourbis.com/voicemsg.html
http://alucmuhendislik.com/voicemsg.html
http://auto-ecolecoccinelle.com/voicemsg.html
http://datenhaus.info/voicemsg.html
http://estudiperceptiva.com/voicemsg.html
http://ferienwohnung-schitter.at/voicemsg.html
http://fortcollins-accounting.com/voicemsg.html
http://hashigosha.com/voicemsg.html
http://ilnumeroverde.it/voicemsg.html
http://kalorsystem.com/voicemsg.html
http://louisawong.net/voicemsg.html
http://maule.biz/voicemsg.html
http://missinglynxsystems.com/voicemsg.html
http://mobius-group.com/voicemsg.html
http://monroepoa.org/voicemsg.html
http://monstermx.com/voicemsg.html
http://mueblesamedidamalaga.com/voicemsg.html
http://norsky.pt/voicemsg.html
http://pagosdelrey.mobi/voicemsg.html
http://parquetroman.com/voicemsg.html
http://pinkyardflamingos.com/voicemsg.html
http://profigera.pt/voicemsg.html
http://recturf.com.au/voicemsg.html
http://resortphotographics.com/voicemsg.html
http://sgtenterprises.com/voicemsg.html
http://shineindian.com/voicemsg.html
http://simonline.nl/voicemsg.html
http://somallc.com/voicemsg.html
http://sunny-voices.de/voicemsg.html
http://team-bobcat.org/voicemsg.html
http://vincent-farben.de/voicemsg.html
http://weloveflowers.co.uk/voicemsg.html
http://wwwa.su/voicemsg.html
http://zik-et-dance.com/voicemsg.html

- downloaded HTML contains an IFrame with a link to
http://moroplinghaptan.info/offjsjs/
- the domain is unreachable at this time, but probably will host a loader for the malware below:

Malware download sites:
http://aeaccting.com/oiheiryur92
http://ashapeforlife.com/oiheiryur92
http://ashtontan.com/oiheiryur92
http://asnsport-bg.com/oiheiryur92
http://atlantarecyclingcenters.com/oiheiryur92
http://bodywork-sf.net/oiheiryur92
http://brascopperchile.cl/oiheiryur92
http://brc.es/oiheiryur92
http://bsfotodesign.com/oiheiryur92
http://deltadisseny.com/oiheiryur92
http://emmabeckerle.com/oiheiryur92
http://envirotambang.com/oiheiryur92
http://escolademusicasonare.com.br/oiheiryur92
http://essenza.co.id/oiheiryur92
http://evlilikpsikolojisi.com/oiheiryur92
http://financeforautos.com/oiheiryur92
http://fls-portal.co.uk/oiheiryur92
http://galeona.com/oiheiryur92
http://gilgroup.com/oiheiryur92
http://mail.estudiorrbp.com.uy/oiheiryur92
http://mediatrendsistem.com/oiheiryur92
http://mtblanc-let.co.uk/oiheiryur92
http://scottfranch.org/p66/oiheiryur92

Malware:
- Locky ransomware, offline .ykcol variant
- SHA256: 66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772, MD5: a0e33d432906262eb9980030a405c3fc
- VT: https://www.virustotal.com/file/66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772/analysis/1507561952/
- HA: https://www.reverse.it/sample/66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772?environmentId=100
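The following Python script is an added detection example, not part of the original paste. It turns the lure description above (forged internal sender, the subject template, the msg<digits>.7z / .vbs attachment naming, the voicemsg.html landing links, the oiheiryur92 payload path, the IFrame host and the sample SHA256) into checks that a mail-gateway or IR triage script could run over a raw message. The sample email and its addresses are constructed here, and the host sets are subsets of the lists in the paste; extend them with the full lists before use.

```python
"""Detection helpers for the 2017-10-09 Locky "New voice message" lure.
Added example; patterns and IoC values come from the paste, the sample
message and the host subsets are constructed here for illustration."""
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Subject template from the paste:
# New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <<10 digits>>
SUBJECT_RE = re.compile(
    r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
# Attachment naming: msg<4-9 digits>.7z wrapping msg<8-9 digits>.vbs
ATTACH_RE = re.compile(r"^msg(\d{4,9}\.7z|\d{8,9}\.vbs)$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Subsets of the hosts listed in the paste (extend with the full lists).
LANDING_HOSTS = {"afslearnenglish.com", "datenhaus.info", "ilnumeroverde.it",
                 "simonline.nl", "wwwa.su", "zik-et-dance.com"}
LANDING_PATH = "/voicemsg.html"
PAYLOAD_HOSTS = {"aeaccting.com", "brc.es", "galeona.com", "scottfranch.org"}
PAYLOAD_TOKEN = "oiheiryur92"          # last path element of every payload URL
IFRAME_HOST = "moroplinghaptan.info"
LOCKY_SHA256 = "66b718f0d6b089523611cec3d7155939f6713e744e5d1316742aa6920804c772"


def classify_url(url):
    """Return 'landing', 'payload' or 'iframe' for a URL matching an IoC, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in LANDING_HOSTS and parts.path == LANDING_PATH:
        return "landing"
    if host in PAYLOAD_HOSTS and parts.path.rstrip("/").rsplit("/", 1)[-1] == PAYLOAD_TOKEN:
        return "payload"
    if host == IFRAME_HOST:
        return "iframe"
    return None


def check_message(raw):
    """Return the set of lure indicators found in an RFC 822 message string."""
    msg = message_from_string(raw)
    hits = set()
    # From domain equal to a recipient domain: only meaningful for mail that
    # arrived from outside, which is where a gateway would apply this check.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_domains = {addr.rpartition("@")[2].lower()
                  for _, addr in getaddresses(msg.get_all("To", []))}
    if from_domain and from_domain in to_domains:
        hits.add("sender_spoofs_recipient_domain")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.add("subject_matches_lure")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.add("attachment_matches_lure")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                stage = classify_url(url)
                if stage:
                    hits.add("body_links_to_%s_host" % stage)
    return hits


def is_locky_sample(data):
    """True when the bytes hash to the Locky sample recorded in the paste."""
    return hashlib.sha256(data).hexdigest() == LOCKY_SHA256


# Constructed sample modelled on the email in the paste; addresses are invented.
SAMPLE_EMAIL = """\
From: "Voicemail Service" <vmservice@example.com>
To: user@example.com
Subject: New voice message 19088622012 in mailbox 190886220121 from "19088622012" <0348866828>
Content-Type: multipart/mixed; boundary="PART-0001"

--PART-0001
Content-Type: text/plain; charset="us-ascii"

just wanted to let you know you were just left a 0:53 long message
http://datenhaus.info/voicemsg.html
--Voicemail Service
--PART-0001
Content-Type: application/x-7z-compressed; name="msg034179.7z"
Content-Disposition: attachment; filename="msg034179.7z"
Content-Transfer-Encoding: base64

AAAA
--PART-0001--
"""
```

Running `check_message(SAMPLE_EMAIL)` on the constructed sample returns all four lure indicators; a plain internal message with none of the traits returns an empty set. `classify_url` recognises the payload URLs regardless of the extra path segment seen on the scottfranch.org entry, and `is_locky_sample` gives a quick hash check for a downloaded payload.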