2016-12-16 Locky "Attached document"

Racco42, Dec 16th, 2016 (edited)
2016-12-16: #locky email phishing campaign "Attached document"

Sample email:
------------------------------------------------------------------------------------------------------------------------------
From: copier@[REDACTED]
To:  [REDACTED]
Subject: Attached document
Date: Fri, 16 Dec 2016 02:14:20 -0700

Attachment: 9310_0038.docm
------------------------------------------------------------------------------------------------------------------------------
- sender address is copier@<recipient's domain> (the From: header is forged to match the recipient's own domain, so it looks like an internal scanner/copier)
- subject is "Attached document"
- email body is empty
- attached file "<4 digits>_<3-4 digits>.docm" is a macro-enabled Microsoft Word document whose auto-executing macro downloads the malware
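The four traits above are enough to write a mail-gateway or triage check. The following is an added example, not part of the paste: it scores a message against the traits exactly as listed (forged copier@ sender in the recipient's domain, the fixed subject, an empty body, the numeric .docm filename pattern). The Email record, the constructed messages and the "all four traits" default threshold are assumptions made for the example; a real copier sending from the same domain only trips one trait, which is why the check looks at all of them together.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Attachment name pattern from the campaign description: <4 digits>_<3-4 digits>.docm
ATTACHMENT_RE = re.compile(r"^\d{4}_\d{3,4}\.docm$", re.IGNORECASE)


@dataclass
class Email:
    """Minimal message record (assumed shape for this example)."""
    sender: str                      # From: address
    recipient: str                   # To: address
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def _localpart(addr: str) -> str:
    return addr.rsplit("@", 1)[0].strip().lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def campaign_traits(msg: Email) -> List[str]:
    """Return which of the four documented campaign traits the message shows."""
    traits = []
    # Trait 1: sender is copier@<recipient's own domain>
    if _localpart(msg.sender) == "copier" and _domain(msg.sender) == _domain(msg.recipient):
        traits.append("sender copier@<recipient domain>")
    # Trait 2: fixed subject line
    if msg.subject.strip().lower() == "attached document":
        traits.append("subject 'Attached document'")
    # Trait 3: empty body
    if not msg.body.strip():
        traits.append("empty body")
    # Trait 4: attachment named <4 digits>_<3-4 digits>.docm
    if any(ATTACHMENT_RE.match(name) for name in msg.attachments):
        traits.append("attachment <4 digits>_<3-4 digits>.docm")
    return traits


def is_locky_lure(msg: Email, min_traits: int = 4) -> bool:
    """True when at least min_traits of the four traits are present (default: all four)."""
    return len(campaign_traits(msg)) >= min_traits


# Constructed messages (not real mail), modelled on the sample header in the paste.
LURE = Email("copier@example.com", "bob@example.com", "Attached document", "", ["9310_0038.docm"])
REAL_COPIER = Email("copier@example.com", "alice@example.com", "Scan from MFP-2",
                    "Your scan is attached.", ["scan_0042.pdf"])
NEAR_MISS = Email("copier@example.com", "bob@example.com", "attached document", "", ["invoice.docm"])

if __name__ == "__main__":
    for m in (LURE, REAL_COPIER, NEAR_MISS):
        print(m.sender, "->", m.recipient, is_locky_lure(m), campaign_traits(m))
```

Lowering min_traits to 3 would also catch a variant that renames the attachment, at the cost of flagging genuine internal copier mail that happens to have an empty body; the returned trait list is meant to be logged so an analyst can see which traits fired.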

Download sites (all share the same path, /hjg766):
http://028cdxyk.com/hjg766
http://aacom.pl/hjg766
http://aaryn.net/hjg766
http://akida.com/hjg766
http://alock.co/hjg766
http://amaniinitiative.org/hjg766
http://archibaldmicrobrasserie.ca/hjg766
http://auto-zakaz.com.ua/hjg766
http://banhang123.com/hjg766
http://billionsfamily.com/hjg766
http://brookstonemanuals.com/hjg766
http://calderon.com.mx/hjg766
http://dealspari.com/hjg766
http://demo.ahost5.ru/hjg766
http://demo.pornuha4you.com/hjg766
http://dicksmacker.com/hjg766
http://dryerventexpress.com/hjg766
http://ebreckinteriors.com/hjg766
http://fiddlefire.net/hjg766
http://gallery.mohammadtarighi.ir/hjg766
http://hho68.com/hjg766
http://houssiere.daniel.formations-web.alsace/hjg766
http://ilasd.org/hjg766
http://infinitecorp.ca/hjg766
http://infosys.co.kr/hjg766
http://inzt.net/hjg766
http://ivibohoc.url.ph/hjg766
http://kayamuh.sarf.com.tr/hjg766
http://kirulya.com/hjg766
http://kurou.bokunenjin.com/hjg766
http://ledticket.com/hjg766
http://lucapotenziani.com/hjg766
http://mainlinecarriers.co.tz/hjg766
http://masonlodgestpeter.org/hjg766
http://mbdvacations.com/hjg766
http://medianisprint.com/hjg766
http://mgascca.com/hjg766
http://movewithgrace.ca/hjg766
http://mprotectcorp.com/hjg766
http://msveletiny.cz/hjg766
http://nonblockservice08.info/hjg766
http://nortra-cables.com/hjg766
http://obccllc.com/hjg766
http://old.strommarnas.se/hjg766
http://pcflame.com.au/hjg766
http://perspektive-fuer-kinder.de/hjg766
http://profitmonster.com/hjg766
http://promgazenergo34.ru/hjg766
http://pta-babel.net/hjg766
http://qe7.ca/hjg766
http://rdsc-seminar.com/hjg766
http://s393640255.onlinehome.us/hjg766
http://s435378127.online-home.ca/hjg766
http://s437702314.onlinehome.us/hjg766
http://shomesofa.com/hjg766
http://smcga.ca/hjg766
http://stoneofliberty.com/hjg766
http://store.elixe.net/hjg766
http://taladm.ru/hjg766
http://test1.zrise.top/hjg766
http://theexcelconsultant.com/hjg766
http://thomas-christ.de/hjg766
http://topstoneisland.com/hjg766
http://tunca.bel.tr/hjg766
http://www.dazzle-events.be/hjg766
http://www.englishworld.it/hjg766
http://www.enhansit.com/hjg766
http://www.lauraleedonnelly.com/hjg766
http://www.mywoc.ca/hjg766
http://www.sapol.it/hjg766
http://www.servipisos.com.ar/hjg766
http://www.sitivisibili.it/hjg766
http://www.thepasobueno.com/hjg766
http://www.tourist-car.ru/hjg766
http://yellowstudio.pl/hjg766

UPDATE (additional download sites):
http://allan.multimediedesignerskive.dk/hjg766
http://bikebrowse.com/hjg766
http://ustadhanif.com/hjg766


Malware
- payload as downloaded is encoded (it is decoded on the host before execution): SHA256 23fadcae84181af9773c3c4535a1fb2fc1d02ab1418c22750f100953ba324c2f, MD5 36cc79869bf6fb048a2c3bc274f36690
- decoded payload: SHA256 2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99, MD5 7a3b10f987d635242370e0e2ef051a9b
- decoded payload is a DLL, executed via "rundll32.exe %TEMP%\<filename>.aww,GetMessage" (note the .aww extension and the GetMessage export name)
- sandbox report: https://www.reverse.it/sample/02cec4ff4c794c358bdd25f15c38df2d52b659eba40c476bb15b42a4fab62eb0?environmentId=100

C2 (HTTP POST to /checkupdate on hard-coded IP addresses):
POST http://37.235.50.29/checkupdate
POST http://176.121.14.95/checkupdate
POST http://86.110.117.155/checkupdate
POST http://83.220.172.182/checkupdate
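The download URLs, the payload hashes, the rundll32 command line and the C2 check-ins above are all matchable in proxy, file and process logs. The following is an added example, not part of the paste: it turns those indicators into a small matcher and runs it over a constructed log. The host list is an excerpt of the page's download sites (the shared /hjg766 path is matched on its own, so hosts not in the excerpt are still caught); the tab-separated log format, the "proxy"/"file"/"proc" record kinds, the hypothetical temp filename d2k9w.aww and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# --- indicators taken from the paste ---------------------------------------
DOWNLOAD_PATH = "/hjg766"                      # shared by every download URL
DOWNLOAD_HOSTS = {                             # excerpt of the page's host list
    "028cdxyk.com", "aacom.pl", "aaryn.net", "akida.com", "alock.co",
    "amaniinitiative.org", "www.dazzle-events.be", "yellowstudio.pl",
    "allan.multimediedesignerskive.dk", "bikebrowse.com", "ustadhanif.com",
}
C2_IPS = {"37.235.50.29", "176.121.14.95", "86.110.117.155", "83.220.172.182"}
C2_PATH = "/checkupdate"
PAYLOAD_SHA256 = {
    "23fadcae84181af9773c3c4535a1fb2fc1d02ab1418c22750f100953ba324c2f",  # encoded download
    "2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99",  # decoded DLL
}
# rundll32.exe <path>\<name>.aww,GetMessage (quoted or unquoted path)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"\s,]*\.aww"?\s*,\s*GetMessage\b', re.IGNORECASE)


def check_url(method: str, url: str) -> List[str]:
    """Tag a proxy request against the download-site and C2 indicators."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    hits = []
    if u.path == DOWNLOAD_PATH:
        hits.append("locky-download-path")
    if host in DOWNLOAD_HOSTS:
        hits.append("locky-download-host")
    if method.upper() == "POST" and host in C2_IPS and u.path == C2_PATH:
        hits.append("locky-c2-checkin")        # the documented check-in shape
    elif host in C2_IPS:
        hits.append("locky-c2-ip")             # any other contact with a C2 address
    return hits


def check_command_line(cmd: str) -> List[str]:
    """Tag a process-creation command line against the rundll32 loader pattern."""
    return ["locky-rundll32-aww"] if RUNDLL_RE.search(cmd) else []


def check_hash(sha256: str) -> List[str]:
    """Tag a file hash against the two payload hashes."""
    return ["locky-payload-hash"] if sha256.strip().lower() in PAYLOAD_SHA256 else []


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Assumed log format: <timestamp>\t<source>\t<kind>\t<detail>, one record per line.
    kind is 'proxy' (detail = '<METHOD> <url>'), 'file' (detail = sha256) or 'proc' (detail = cmdline)."""
    findings = []
    for n, line in enumerate(lines, 1):
        _ts, src, kind, detail = line.rstrip("\n").split("\t", 3)
        if kind == "proxy":
            method, url = detail.split(" ", 1)
            hits = check_url(method, url)
        elif kind == "proc":
            hits = check_command_line(detail)
        elif kind == "file":
            hits = check_hash(detail)
        else:
            hits = []
        if hits:
            findings.append((n, src, hits))
    return findings


# Constructed log lines (not real telemetry) following the infection chain described above.
SAMPLE_LOG = [
    "2016-12-16T09:14:33Z\t10.0.0.23\tproxy\tGET http://aaryn.net/hjg766",
    "2016-12-16T09:14:34Z\t10.0.0.23\tproxy\tGET http://www.example.com/index.html",
    "2016-12-16T09:14:36Z\t10.0.0.23\tfile\t2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99",
    "2016-12-16T09:14:38Z\t10.0.0.23\tproc\trundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\d2k9w.aww,GetMessage",
    "2016-12-16T09:14:40Z\t10.0.0.23\tproxy\tPOST http://37.235.50.29/checkupdate",
    "2016-12-16T09:15:02Z\t10.0.0.41\tproxy\tGET http://unknownhost.example/hjg766",
]

if __name__ == "__main__":
    for n, src, hits in scan_log(SAMPLE_LOG):
        print(f"line {n} {src}: {', '.join(hits)}")
```

The last sample line shows why the path token is matched independently of the host list: the compromised sites rotate, but the /hjg766 path was constant across the whole campaign, so it catches hosts that were never catalogued.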