Racco42

2016-11-09 Locky "Message from KMBT_C220"

Nov 9th, 2016
2016-11-09 #locky email phishing campaign "Message from KMBT_C220"

Email sample:
-----------------------------------------------------------------------------------------------------------
From: <scanner@[REDACTED]>
To: [REDACTED]
Subject: Message from KMBT_C220
Date: Wed, 09 Nov 2016 17:25:46 +0300

Attachment: SKMBT_C09360689251274.zip
-----------------------------------------------------------------------------------------------------------
- sender is scanner@<recipient's domain>
- subject is "Message from KMBT_C220"
- email body is empty
- attached file "SKMBT_C<14 digits>.zip" contains file "<2 digits><2-7 letters><8 digits>.wsf", a JScript downloader

Download sites (the actual URLs carry a ?<random>=<random> suffix, which does not influence the download):
http://alamanconsulting.at/0ftce4
http://ayurvedic.by/0ftce4
http://ekaterinburg.kacatka.ru/0ftce4
http://hoangtranwater.com/0ftce4
http://hoteldseason.com/0ftce4
http://hotelvinayakpalace.in/0ftce4
http://hotloto.com/0ftce4
http://hqseconsulting.com/0ftce4
http://hupsoft.com/0ftce4
http://idontknow.eu/0ftce4
http://idplus.sg/0ftce4
http://ifreenet.it/0ftce4
http://ijai.fr/0ftce4
http://iloveyf.com/0ftce4
http://indospyshop.com/0ftce4
http://innsat.pl/0ftce4
http://inzt.net/0ftce4
http://iriscommunications.com.pk/0ftce4
http://istanbulsoft.com.tr/0ftce4
http://ivakil.com/0ftce4
http://jaysilverdp.com/0ftce4
http://jcuenca.es/0ftce4
http://jer.be/0ftce4
http://jingaiwang.com/0ftce4
http://joralan.es/0ftce4
http://jxhyhz.com/0ftce4
http://kembarastation.com/0ftce4
http://kenankaynak.com/0ftce4
http://ketoantamviet.edu.vn/0ftce4
http://konan.nl/0ftce4
http://kopeyskdom.ru/0ftce4
http://krasnodar-sp.ru/0ftce4
http://k-scope.ca/0ftce4
http://kyrre.cn/0ftce4
http://labtekindie.com/0ftce4
http://lacosanostra.co/0ftce4
http://lander.pl/0ftce4
http://laurenward.me/0ftce4
http://leftakis.gr/0ftce4
http://level3.tv/0ftce4
http://lifez.nl/0ftce4
http://lindafluge.no/0ftce4
http://lingerievalentine.ueuo.com/0ftce4
http://linkset.ro/0ftce4
http://lujin.ro/0ftce4
http://luke-woods.com/0ftce4
http://luostone.com/0ftce4
http://martos.pt/0ftce4
http://matbaa.be/0ftce4
http://mch.kz/0ftce4
http://mckm11.cba.pl/0ftce4
http://meditativyoga.net/0ftce4
http://micashu.org/0ftce4
http://michellemccarron.com/0ftce4
http://microscopiavirtual.cl/0ftce4
http://milagrotarim.com/0ftce4
http://mineralsteel.cl/0ftce4
http://mogadk.ru/0ftce4
http://mospi.ru/0ftce4
http://moydom.by/0ftce4
http://mschroll.de/0ftce4
http://mtsas.freehost.pl/0ftce4
http://muamusic.com/0ftce4
http://muellerhans.ch/0ftce4
http://musicphilicwinds.org/0ftce4
http://muziekupdate.nl/0ftce4
http://mvpdental.com/0ftce4
http://mypcdaddy.com/0ftce4
http://naarndonau.at/0ftce4
http://naka-dent.mobi/0ftce4
http://oontsheol.net/0ftce4
http://shukatsu-live.com/0ftce4
http://sport-grace.by/0ftce4
http://tikkatawgi.com/0ftce4
http://vologda.maxuma.ru/0ftce4
http://www.0898tz.com/0ftce4
http://www.limpotools.com/0ftce4

Malware:
- encoded on download, SHA256 65ef65ddc2353876069b81d20950205e605cfb2a60d9df2ecff527306e753fc6, MD5 470a2d4f82942f35ef29466e38f7633a
- decoded SHA256 e02200c62f018e40a5215987ea1f37e522260a5c58314ed6838ea521d60a60ab, MD5 bad38a067ec66c9ddba06fc081243c4e
- executed by "rundll32.exe %TEMP%\<dll_name>,testtest"

C2:
POST http://109.248.59.103/message.php
POST http://158.69.223.5/message.php
POST http://85.143.212.23/message.php
POST http://bcpemeybhv.pw/message.php
POST http://dfqfacbwnrkx.ru/message.php
POST http://hjbfbueoibruha.info/message.php
POST http://hotqdrhiswxkqy.xyz/message.php
POST http://kjkoqidpcisg.info/message.php
POST http://knalnwddhkcw.pl/message.php
POST http://mwctebbudxirqu.xyz/message.php
POST http://myytgcxitxirooeax.org/message.php
POST http://owgrdlddchyovfnbw.info/message.php
POST http://qpfuamhyagd.org/message.php
POST http://rdmxajcmomrm.pw/message.php
POST http://rekiprqgjhvguy.ru/message.php
POST http://sjhxrqfmh.biz/message.php
POST http://tjivptrtlcx.su/message.php
POST http://uajjuxiaa.info/message.php
POST http://xaplfcvqw.pl/message.php
POST http://ypvrfmuj.work/message.php
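As an added illustration that is not part of Racco42's paste, the Python below turns the campaign characteristics listed above into detection checks a mail gateway, proxy or EDR rule could apply: sender scanner@<recipient's domain>, the fixed subject, an empty body, the "SKMBT_C<14 digits>.zip" attachment holding a "<2 digits><2-7 letters><8 digits>.wsf" file, the /0ftce4 download path (query string ignored), POST to /message.php, and the "rundll32.exe %TEMP%\<dll_name>,testtest" command line. The sample messages, the hostnames example.invalid and 192.0.2.10, the inner .wsf file name and its contents are constructed for the example; only the attachment name in the first sample is taken from the email header quoted in the paste.

```python
"""Detection checks for the 2016-11-09 Locky "Message from KMBT_C220" pattern.

Added example; the sample messages and hosts below are constructed, not
real campaign artefacts.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Campaign characteristics as described in the paste
SUBJECT = "Message from KMBT_C220"
ZIP_NAME_RE = re.compile(r"^SKMBT_C\d{14}\.zip$", re.IGNORECASE)
WSF_NAME_RE = re.compile(r"^\d{2}[A-Za-z]{2,7}\d{8}\.wsf$")
DOWNLOAD_PATH = "/0ftce4"
C2_PATH = "/message.php"
# rundll32 loading something from a Temp directory with the export "testtest"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S*temp%?\\[^,\s]+,\s*testtest\b", re.IGNORECASE)

EMAIL_INDICATORS = ("sender", "subject", "empty_body", "zip_name", "wsf_inside")


def email_indicators(raw: bytes) -> List[str]:
    """Return the names of the campaign indicators present in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: List[str] = []

    # Sender local part "scanner" at the recipient's own domain
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    sender_local, _, sender_domain = sender.rpartition("@")
    recipient_domain = recipient.rpartition("@")[2]
    if sender_local == "scanner" and sender_domain and sender_domain == recipient_domain:
        hits.append("sender")

    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.append("subject")

    # No text part at all, or a text part that is blank, counts as an empty body
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty_body")

    for part in msg.iter_attachments():
        if not ZIP_NAME_RE.match(part.get_filename() or ""):
            continue
        hits.append("zip_name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(WSF_NAME_RE.match(name) for name in zf.namelist()):
                    hits.append("wsf_inside")
        except zipfile.BadZipFile:
            pass  # malformed archive: still flagged by name, nothing to inspect
    return hits


def matches_campaign(raw: bytes) -> bool:
    """True only when every email-level indicator is present."""
    return set(EMAIL_INDICATORS) <= set(email_indicators(raw))


def classify_url(method: str, url: str) -> Optional[str]:
    """Label a proxy-log entry as the payload download or the C2 check-in, else None."""
    path = urlparse(url).path
    if path == DOWNLOAD_PATH:
        return "download"
    if method.upper() == "POST" and path == C2_PATH:
        return "c2"
    return None


def is_suspicious_rundll32(cmdline: str) -> bool:
    """Match the rundll32 ... %TEMP%\\<dll_name>,testtest execution the paste describes."""
    return RUNDLL_RE.search(cmdline) is not None


def build_sample(sender: str, recipient: str, subject: str, body: str,
                 attachment_name: str, inner_name: str) -> bytes:
    """Construct a test message (not a real sample) with a zip attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if body:  # an empty body means no text part at all
        msg.set_content(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder content, not the downloader\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("scanner@example.invalid", "user@example.invalid", SUBJECT, "",
                        "SKMBT_C09360689251274.zip", "12abcd12345678.wsf")
    benign = build_sample("scanner@example.invalid", "user@example.invalid", "Scanned document",
                          "Please find the scan attached.", "scan_2016-11-09.zip", "scan.pdf")
    print("lure:", email_indicators(lure), matches_campaign(lure))
    print("benign:", email_indicators(benign), matches_campaign(benign))
    print(classify_url("GET", "http://example.invalid/0ftce4?kx=qz"),
          classify_url("POST", "http://192.0.2.10/message.php"))
    print(is_suspicious_rundll32(r"rundll32.exe C:\Users\u\AppData\Local\Temp\abc.dll,testtest"))
```

The benign sample deliberately keeps the scanner@<own domain> sender, because genuine multifunction printers send exactly that; on its own that indicator is only noise, which is why `matches_campaign` requires all five together.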