
2017-01-09 Locky "New voice message"

Racco42 Sep 1st, 2017 (edited)
2017-09-01: #locky email phishing campaign "New voice message"
Samples: 549

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: [REDACTED]
Subject: New voice  message 14919581557 in mailbox 149195815571 from "14919581557" <6149529104>
Date: Fri, 01 Sep 2017 15:43:33 +0530

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 14919581557)
in mailbox 149195815571 from "14919581557" <6149529104>, on Fri, 01 Sep 2017 15:43:33 +0530
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

Attachment: MSG0000000099.7z ->
-----------------------------------------------------------------------------------------------------------------------
- sender is "Voicemail Service" <vmservice@[recipient's domain]>
- subject is "New voice  message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- attached file "MSG0000000<3 digits>.7z" contains file "MSG0000000<3 digits>.vbs", a VBScript downloader which will download encoded malware from:

Download sites:

Malware:
- Locky, lukitus variant
- encoded on download, SHA256 d98a03d050232868e7990f5f5351cb27dee87044f524e15e8854c64c0bfc2b45, MD5 bd514d7c0102ef91bfccfeebdaa2109d
- decode by XORing with "wHIPx3Yg61EQPp0WWfE33TIdtOCRENrF"
- decoded SHA256 9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a, MD5 9a7b1125663fda90031be892d2d5f39e
- VT: https://www.virustotal.com/file/9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a/analysis/1504260662/
- HA: https://www.hybrid-analysis.com/sample/9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a?environmentId=100
- C2: POST 82.202.221.108:80//imageload.cgi
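An added example, not part of Racco42's paste: a small Python helper for an analyst working this campaign. It checks a subject line and attachment name against the lure pattern listed above, and decodes a downloaded blob with the paste's XOR key and compares the result to the decoded SHA256 given above. It assumes the encoding is repeating-key XOR (the paste says only "XORing with" the key) and uses a constructed stand-in blob, not the real sample.

```python
import hashlib
import re
from itertools import cycle

# XOR key and decoded-sample SHA256 exactly as listed in the paste.
XOR_KEY = b"wHIPx3Yg61EQPp0WWfE33TIdtOCRENrF"
DECODED_SHA256 = "9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a"

# Lure patterns from the paste; note the double space after "voice".
SUBJECT_RE = re.compile(
    r'^New voice  message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$'
)
ATTACHMENT_RE = re.compile(r"^MSG0000000\d{3}\.7z$")


def matches_campaign(subject, attachment):
    """True when both the subject and the attachment name fit the lure."""
    return bool(SUBJECT_RE.match(subject) and ATTACHMENT_RE.match(attachment))


def xor_decode(blob, key=XOR_KEY):
    """Repeating-key XOR (assumed); the same operation encodes and decodes."""
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def decode_and_verify(blob, expected_sha256=DECODED_SHA256, key=XOR_KEY):
    """Decode the blob and report whether it hashes to the known Locky sample."""
    decoded = xor_decode(blob, key)
    return decoded, hashlib.sha256(decoded).hexdigest() == expected_sha256


if __name__ == "__main__":
    # Constructed stand-in for the downloaded file: a fake PE header encoded
    # with the paste's key. It is not the real sample, so the hash check fails.
    fake_payload = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    decoded, is_known = decode_and_verify(xor_decode(fake_payload))
    print("decoded starts with MZ:", decoded[:2] == b"MZ")
    print("hashes to the listed Locky sample:", is_known)
    print("lure match:", matches_campaign(
        'New voice  message 14919581557 in mailbox 149195815571 '
        'from "14919581557" <6149529104>', "MSG0000000099.7z"))
```

Against the real download, a True from decode_and_verify confirms the key and the sample identity in one step; a False means either a different key or a different payload.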