MalwareMustDie

LOCKY IS BACK

Jun 22nd, 2016
==============================
LOCKY IS BACK!! LOCKY IS BACK!!
** This indicator is BEST seen in RAW MODE **
Pictures supporting this infection: http://imgur.com/a/3oNIh
Dialogue for this analysis and recent info: https://www.reddit.com/r/Malware/comments/4p9uli/locky_ransomware_new_campaign_payload_nodes_and/
by #MalwareMustDie team
===============================

VT:
https://www.virustotal.com/en/file/3559935e2f9a49fc5c2d520ac5a80f5d289b2ccfb56fa930f5a79fbfac2e0bb3/analysis/
https://www.virustotal.com/en/file/44cd5cb63942c3cfa88f2726273f286e411b529d62e3c57fd0060454fdd9e9ec/analysis/

unpacked sample (by others): https://www.virustotal.com/en/file/927592e08fd8201aa1e732d76a90241a0a808a6a06422977356f18ef9f3ed147/analysis/

// initial infection method:
zip attachment's .js downloader (see pic)

// download method:
user-agent        : Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

// CNCs:

POST: /upload/_dispatch.php

// CNC CALLBACK IP:

185.82.216.55 | bahromkina2.example.com. |59729 | 185.82.216.0/23 | ITL | BG | pt-proxy-sof-42-uaserver.net | ITL Sofia Datacenter Network
217.12.223.83 | bahromkina.example.com. |15626 | 217.12.192.0/19 | ITLAS | UA | itl.net.ua | ITL Company
51.254.240.48 |  |16276 | 51.254.0.0/15 | OVH | FR | ovh.com | OVH SAS
91.219.29.41 | 41.29.219.91.colo.ukrservers.com. |3254 | 91.219.29.0/24 | LUCKYNET | UA | ukrservers.com | FLP Kochenov Aleksej Vladislavovich
hyojticpiiirn.biz | 93.170.104.107|elizaveta.bakhromkina.1vm.in.|50245 | 93.170.104.0/23 | SERVEREL | CZ | breezle.net | Breezle LLC

// DGA domains pointing to CNC:

LNMHGLVI.INFO (GANDI.NET / FR)
UDMJKPVLDKOE.RU (NAUNET.RU / RU)

// RANSOM SERVICE:

http://sonuh5glplozcs2m.tor2web.org/xxx
http://sonuh5glplozcs2m.onion.to/xxx

// crypted payload URLs:


// PAYLOAD hostname vs IP BGP INFO:


[EOF] #MalwareMustDie