API tools faq
paste
Racco42

Locky "87b3ff3rc"

Racco42
Sep 5th, 2016
1,680
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.77 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-05 #locky email phishing camaign "87b3ff3rc"
  2.  
  3. Email sample:
  4. - Subject is constructed as [Attached|Copy|Emailing|File]: [Blank|IMG|INV|Invoice|Photo|Picture|Receipt](number)
  5. - Email body is empty
  6. - Sender address is faked to look like from same domain as recipients
  7.  
  8. Attached file "[Blank|IMG|INV|Invoice|Photo|Picture|Receipt](number).zip" (same as part of Subject) contains file <random>.wsf which contains JScript downloader
  9.  
  10. Download sites:
  11. http://52433865.fn.freenet-hosting.de/87b3ff3rc
  12. http://amii.50webs.com/87b3ff3rc
  13. http://bbruo.edurm.ru/87b3ff3rc
  14. http://boxpate.de/87b3ff3rc
  15. http://deemc.homepage.t-online.de/87b3ff3rc
  16. http://foto.hasimehrou.cz/87b3ff3rc
  17. http://frumuseanudaniela.go.ro/87b3ff3rc
  18. http://gregor-weiss.business.t-online.de/87b3ff3rc
  19. http://jvelizg.vtrbandaancha.net/87b3ff3rc
  20. http://kakeekoda.web.fc2.com/87b3ff3rc
  21. http://lanjaron.es.mialias.net/87b3ff3rc
  22. http://lcc.vtrbandaancha.net/87b3ff3rc
  23. http://maxshoppppsr.biz/js/87b3ff3rc
  24. http://miyufortuneteller.web.fc2.com/87b3ff3rc
  25. http://mojejeze.republika.pl/87b3ff3rc
  26. http://monkeeey.web.fc2.com/87b3ff3rc
  27. http://quietvain.nobody.jp/87b3ff3rc
  28. http://rakutenka.tuzikaze.com/87b3ff3rc
  29. http://religiaspoko.republika.pl/87b3ff3rc
  30. http://roadstercrew-nw.homepage.t-online.de/87b3ff3rc
  31. http://seikeiradioclub.web.fc2.com/87b3ff3rc
  32. http://tensai.wallst.ru/87b3ff3rc
  33. http://treasure-force.com/87b3ff3rc
  34. http://tvcm.com.br/87b3ff3rc
  35. http://www.bals.nichost.ru/87b3ff3rc
  36. http://www.birthmark.go.ro/87b3ff3rc
  37. http://www.equipe4.net/87b3ff3rc
  38. http://www.fabriziolovino.com/87b3ff3rc
  39. http://www.greentechdesign.ca/87b3ff3rc
  40. http://www.madonnaceleste.com/87b3ff3rc
  41. http://www.masamaru.net/87b3ff3rc
  42. http://www.officinaomc.com/87b3ff3rc
  43. http://www.poli-mec.it/87b3ff3rc
  44. http://www.rossorelli.ru/87b3ff3rc
  45. http://www.trzynastkajg.republika.pl/87b3ff3rc
  46. http://www.yacht-market.eu/87b3ff3rc
  47. http://yggithuq.utawebhost.at/87b3ff3rc
  48.  
  49. Malware
  50. - encoded on download SHA256 13966e6557682c39a071198b201be0afb89922d4d25db9cbdec15a9142a20b78, filesize 201,216 bytes
  51. - decoded SHA256 bfe580cf1f33ec1c456385fef84ba01ca40a4e81833a8519b5b9b71e967d6444
  52. - RSA key is part of configuration, no C2 communication https://twitter.com/0xtadavie/status/772796495280111616
  53.  
  54. https://www.reverse.it/sample/5444b5e28905855ac149784d59461a67f3ab216c847a9e1ad59004076171571b?environmentId=100
  55. https://www.reverse.it/sample/89e9924ce9bb332e1707eb32fa09843b9ae0dea769595beaa5a1f88653f1ef04?environmentId=100
  56. https://www.reverse.it/sample/ad8c71e18bf407173d5e6a7e877301478bb8f6d12fe331ffbf5b583915845640?environmentId=100
  57. https://www.reverse.it/sample/942f7a76811042cf90859667a217e8b8d597bfdd63b762691a24ee9c17f27c5c?environmentId=100
  58. https://www.reverse.it/sample/b2738a8ae1cea39b5ab5b6535398d54a5606a8df44c0cd97204eb2dc092d0481?environmentId=100
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!