Racco42

2016-11-02 Locky "part X"

Nov 2nd, 2016
2016-11-02: #locky email phishing campaign "part N"

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: TRICIA SURGESON <triciasurgeson@our-event.org>
To: [REDACTED]
Subject: part 4
Date: Wed, 02 Nov 2016 17:42:54 +0700

As promised
TRICIA

Attached: "OKUZMFD1274.zip"
-----------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "part <digit>"
- attached file "<random chars><random number>.zip" contains "<random chars><random number>.wsf", a JScript downloader

Download sites (actual URLs contain a suffix ?<random>=<random>, which does not influence the download):

Malware:
- encoded on download: SHA256 3511f8eb38e9faa1f9ac6a654eb31bb3b612a1ec65b4f58da11c7832d42cf197, file size 323584 bytes
- decoded: SHA256 610e1f5a9386b13cbaac217f05f8089270136ccab00922856fb992eb08a9d12f
- executed by "rundll32 <dll_name>,test123"
- sample: https://www.virustotal.com/en/file/610e1f5a9386b13cbaac217f05f8089270136ccab00922856fb992eb08a9d12f/analysis/

C2: