SHARE
TWEET

2016-12-12 Locky "Software License"

Racco42 Dec 12th, 2016 (edited) 336 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-12 #locky email phishing campaign "Software License"
  2.  
  3. Sample email:
  4. ----------------------------------------------------------------------------------------------------------------------------
  5. From: "Zachariah Finch" <Finch.Zachariah@hundkurserforalla.se>
  6. To: [REDACTED]
  7. Subject: Software License
  8. Date: Mon, 12 Dec 2016 16:50:51 +0530
  9.  
  10. Hello [REDACTED], it is Zachariah.
  11. Sending you the scan of the software license agreement (Order #5434052).
  12. It is in the attachment. Please look into it ASAP.
  13.  
  14. ----
  15. Best Regards,
  16. Zachariah Finch
  17.  
  18. Attachment: softlic_5434052.zip -> ~Z9OK0OB3TN495M0OM51Q143N.wsf
  19. ----------------------------------------------------------------------------------------------------------------------------
  20. - sender varies between emails
  21. - subject is "Software License"
  22. - attached file "softlic_<7 digits>.zip" contains file "~<15+ uppercase chars and digits>.wsf", a JScript downloader
  23.  
  24. Download sites:
  25. http://bestbuylocal.com/ebboelbvs
  26. http://bestbuylocal.com/g2jvhsj9
  27. http://bestbuylocal.com/jfrtat
  28. http://bestbuylocal.com/vbaa8ys
  29. http://bestbuylocal.com/ycohx
  30. http://bestbuylocal.com/ykbbwq
  31. http://goodfoodprod.xyz/1exhfeofq9
  32. http://goodfoodprod.xyz/avntp
  33. http://goodfoodprod.xyz/cq8bqngvv
  34. http://goodfoodprod.xyz/ixtd7wctq
  35. http://goodfoodprod.xyz/oxw8e
  36. http://goodfoodprod.xyz/yxurej67wf
  37. http://qijiaosoft.com/xb4bwcomo
  38. http://rent-guarantee-insurance.co.uk/kuyzc
  39. http://rnaweb.nl/lib46
  40. http://sinanagirman.com/glouswg3g
  41. http://skpc.org.au/skhaxqghvx
  42. http://slipko.ru/rrbjjgb
  43. http://sobretesis.com/nunltpk
  44. http://softwarecomparel.org/a8ytyay8
  45. http://softwarecomparel.org/bc1pmv
  46. http://softwarecomparel.org/gfigo3ezn3
  47. http://softwarecomparel.org/lcv3ysact
  48. http://softwarecomparel.org/miaoaty9n
  49. http://softwarecomparel.org/xv9ecbtgj
  50. http://sorrentovalleypainrelief.com/ky9rk
  51. http://sovereignkitchens.com.au/gzttjwu9xp
  52. http://speciaaldesign.nl/xuazakski
  53. http://speckftp.de/ev1hcdxt
  54. http://sportsarena.gr/xjrue
  55. http://staygray.com/kxwcgnu
  56. http://staygray.com/mivftkxnmp
  57. http://stephaniemiddendorp.nl/h05ld2sut
  58. http://stjohns2012.ca/vn1wvzjk
  59. http://studioangelucci.eu/kmdkffw
  60. http://syedtradingco.com/yq6pp5kfu
  61. http://syncfish.com/qdzzef
  62. http://systemrma.pl/lumigwma
  63. http://t38faxvoip.com/yz3w7mn
  64. http://tbhomeinspection.com/mwo7gb
  65. http://tdtx.cn/zvzenep
  66. http://techpow.net/xme9kj
  67. http://teknoportbilisim.com/mkqamw6n
  68. http://tengalo.com/fwzysh
  69. http://the-agathon.com/gvcid8b
  70. http://thecodega.com/xegesuly
  71. http://thenumastore.com/k8f5irc
  72. http://theory.issp.ac.cn/xcemhkbr
  73. http://thxlove.com/odulqznn7
  74. http://tikrasturtas.lt/f8cfwlon
  75. http://tinybearshop.com/zlogeol
  76. http://tivicast.org/khlmwxrb
  77. http://tobybender.com/t4z8xrgdxz
  78. http://toyallstar.com/kohknfsf
  79. http://trade-unite.ru/k2qplhwug
  80. http://translate-all.eu/tdc7xep8yy
  81. http://trehoada.org/yuinghwmsz
  82. http://trendsandtrades.nl/wigm99l
  83. http://trilab.sk/epimbssz
  84. http://usedtextilemachinerylive.com/f5ee9qaadu
  85. http://v4c.tv/6arm9pnzr1
  86. http://valtho.com/6phqkll
  87. http://vanks.cl/2t3huwd
  88. http://villa64.dk/19tew8i
  89. http://vipseal.de/mvhhdq
  90. http://vodatelsys.com.cn/58lupnimb
  91. http://waner888.com/4go17e
  92. http://watchesheaven.com/altxyjw
  93. http://wflife.net/87o3ozdd
  94. http://wordpad.org/7ks1j
  95. http://wphone3c.com/6ap7em
  96. http://wreckingcrewnow.com/bfnfwyt87y
  97. http://wywfanp.com/4vasxe0mx
  98. http://xangelle.com/8wlji
  99. http://yes2malaysia.com/aekwxxd0e
  100.  
  101. UPDATED:
  102. http://smartfoodbuys.com/g2dznw
  103. http://thcr.com/f3g2xlxcvb
  104. http://zamiri.com/bsb6ql
  105.  
  106. Malware
  107. - encoded on download:
  108. 6c240457360a184035d9c61157762874bd750b9dd17aac0c1d5140a793da1c1f  http___bestbuylocal.com_ebboelbvs
  109. 82f8af07906ca58c34b3bc50ade9de8aff43bd7f75b21b22ea8641f1087297da  http___bestbuylocal.com_g2jvhsj9
  110. 7ce38ba0095ce0f7c6eea4c68ee286181e52efbf9bd62eaf1b369e3ff6654129  http___bestbuylocal.com_jfrtat
  111. 6982f13f6ddc8a3b5f588d850799edd262604110c7157fad35543faef87a69e0  http___bestbuylocal.com_vbaa8ys [1]
  112. 00836a1123532fbdfe96ff09358562982076e9a3ca8dbc036a26721cc4b570e1  http___bestbuylocal.com_ycohx
  113. 39ecd50a786a05483232d5d8e225a8b2a93c2ab104e926d0e4b0638c3793e5f4  http___bestbuylocal.com_ykbbwq
  114. 436fcd82ea790ba1e624bf4901999f448e0c5451875a3839c32631425b5b139c  http___goodfoodprod.xyz_1exhfeofq9
  115. 3a7f4f2ea8ae35f61a4363b313684655d478e00e1968dbf8206888d109225f5a  http___goodfoodprod.xyz_avntp
  116. b76cf76b6be672c5ac01498dfcb11bf8faa69850f9005ab44aa8637910faeb03  http___goodfoodprod.xyz_cq8bqngvv
  117. 7088c77e934514a88bbd1d7715482d47d076e0d70fad73249b602e7a3bccd56f  http___goodfoodprod.xyz_ixtd7wctq
  118. 2c7efb537d860c5ea416ec3a2710d7090eb3c238462c74d265bce6052a7fe3a2  http___goodfoodprod.xyz_oxw8e
  119. 642d73b3ade4f40a139f44ecb7fe6b15d29ac928917192827aa58b50c2ecf87d  http___goodfoodprod.xyz_yxurej67wf
  120. d678844a59cc1165323b8394b4ced2d04725f3bcb41bb06751d5aab8b026c041  http___qijiaosoft.com_xb4bwcomo
  121. 6ad19b97942c8a1c9645afedf24216893e0518cd5e7228bd511d8aa66d43bf5e  http___rent-guarantee-insurance.co.uk_kuyzc
  122. 7d23a9e12393ba31f5515532b3c5d30368adf1d7c19f02c4ac6c71582267c7c6  http___rnaweb.nl_lib46 [4]
  123. 14a35c37f6dab8be3eff608f03553e492186358fa60c832ec263d8564dc5bc0d  http___sinanagirman.com_glouswg3g
  124. ea75041ff4bd473db262abdbe48b053be966d8c76b2bdce4ddee3d07ffaf3c78  http___skpc.org.au_skhaxqghvx
  125. e0dd4f363afb34457649803fe84c190815159f4329b3fb698235514346d146df  http___slipko.ru_rrbjjgb
  126. 4cd284e46b4b0f4eb9f8c62d94a8a1451ce3c538cfa95c6d5d4bb323ef016cf7  http___sobretesis.com_nunltpk
  127. 4ef2782bfb9b1d06a2e078bf5ae2ccd96d2103344c529ff4cbbec52898f0f440  http___softwarecomparel.org_a8ytyay8
  128. 9f525417034f03161834dc8065098a68fed6d26156037c781e50c24ac93f365e  http___softwarecomparel.org_bc1pmv
  129. 3c5c9e53ac0419dff9b85dea2fd09a49689fce9f010bdff153b108af23b2b419  http___softwarecomparel.org_gfigo3ezn3
  130. ae506384c7636cf9794c9501ec4d5c31be4d0ee3697282c4ed12672be28d8f8b  http___softwarecomparel.org_lcv3ysact
  131. d09ebf1541419c8057aeec586b83c170a1ea5c345d541fdc7c33f213dc1f0723  http___softwarecomparel.org_miaoaty9n
  132. d22dcbcb8bc2a610f4331312380f77daf0cba9f4513a5624b899c758e0e76677  http___softwarecomparel.org_xv9ecbtgj
  133. ba5aa03d724d17312d9b65a420f91285caff711e2f891b3699093cc990fdaae0  http___sorrentovalleypainrelief.com_ky9rk
  134. aaeacc5507be1cb771d0df740e389849a417bdc259f64fba0f368639629d6d33  http___sovereignkitchens.com.au_gzttjwu9xp
  135. e49108967bf25018b37a9003ccbea4e995257ef598076d9c95c4718ace5c5df4  http___speciaaldesign.nl_xuazakski
  136. f32aa3677fab56060e02e8275f518ffe714c8a2ca37f127e869464e740aac2e9  http___speckftp.de_ev1hcdxt
  137. 6dbecfffa73aa316b67c4adcad0529cfd077a44f002dbd499c953dd57dae063e  http___sportsarena.gr_xjrue
  138. 70f726faad3d308f69e078277490223feaa610d808774d7dd20cf3d1b602771c  http___staygray.com_kxwcgnu
  139. 2f7fec278ddf37c67d062b4c46fa16fbea2cdb7d9d5cfe739599736ce9759749  http___staygray.com_mivftkxnmp
  140. 938b29ef27b15b968599b4e398c0e98989496a077cfe2ed61781acd3593a415a  http___stephaniemiddendorp.nl_h05ld2sut
  141. ebef46f2525369da429ade7192c616a09bda1d4e3b178f4b09524c2a5b7420be  http___stjohns2012.ca_vn1wvzjk
  142. 0f46d8774e4d0f2c9d544adb12204185a9d2d040e7670bb6b9a0ad700636ece7  http___studioangelucci.eu_kmdkffw
  143. 0743495293b35912ae279d980ef65a91311b140a0fbc46e410f49f5a0338fd9d  http___syncfish.com_qdzzef
  144. 336d5c2872f48df0438f3fd06b661a1265234540176a1d6e674bd301f3ef2412  http___systemrma.pl_lumigwma
  145. 1ab91e13c366d7821d043d03293c7075da42610860199cd115f0191ed5c92df2  http___t38faxvoip.com_yz3w7mn
  146. 35b0ac0b34949c988998259db6f871013289d24fd5f4992f2dbe180d3016504b  http___tbhomeinspection.com_mwo7gb
  147. 495d947f5355dc0dbf7a1f5f2265ccae1ec3bbbba7a13473b3724d3f7e19668b  http___techpow.net_xme9kj [5]
  148. fe101e6a832c5abad7bc93a1dc084b82cfa2eae0ce49ea822e44a74cf0240406  http___teknoportbilisim.com_mkqamw6n
  149. 07cb813888ba2d1749a70c509db8f58bd1513a82076ea7c786219280aa749cb7  http___tengalo.com_fwzysh
  150. ef13189ec4dc48b315477d4eea293e84e3a46e58498f1496cbdece75d906958d  http___the-agathon.com_gvcid8b
  151. 3f7d0ade8b072b97de1ce6af9d6198558c581abd8311c0a558e97db185132add  http___thecodega.com_xegesuly
  152. 57a89413d4feb0a6fb53f7de5d79c1ddae90e94467761948fbc15e88c1f33677  http___theory.issp.ac.cn_xcemhkbr [2]
  153. e13e9a52f0d38101b43d25a401133b293304aa8a8c76cd97f4d5aaa1276d7240  http___thxlove.com_odulqznn7
  154. 53488a8bba05a8565c8d5cddb6182e5f1424d13d477466637fdd9565a536f97b  http___tinybearshop.com_zlogeol [3]
  155. a8f56da9ae47d0afc1c10c043846f9094c3dd24e8a0f08123f9a47bf7506c471  http___tivicast.org_khlmwxrb
  156. 324028c7b75ced6d643038d77a89973cb1443d15fd30e4e06a1a8b4b90081468  http___tobybender.com_t4z8xrgdxz
  157. 0fb8a5628f8324d4c953f3f8abf1db535c6da21183e89db5eaa0ba81eaeea4fa  http___toyallstar.com_kohknfsf
  158. 0e155e49aaccb4745ec41e06d87e351403a064759f21d828587e326cf8c1173e  http___trade-unite.ru_k2qplhwug
  159. 7bc4ab4a930525f38f1da56e0b9957632236ef27dc4d30f627449caa49671580  http___translate-all.eu_tdc7xep8yy
  160. 6119c70af8fe33fb465ec81084700be4e5b46422efaab30468185c87de91bd1d  http___trehoada.org_yuinghwmsz
  161. 3674f42841fbda919aadce725f0b977219f06b5fecba21f9187c39d59f0b4f5d  http___trendsandtrades.nl_wigm99l
  162. f616fa9d194b3381e5e925be9d222cd14940a7aee7fa0bc45ddffd0270071795  http___trilab.sk_epimbssz
  163. d8cae33291181cc00ee04953be02d7043b9e1c47c22b5feafcdb0f0b9b4c6127  http___v4c.tv_6arm9pnzr1
  164. 7b431bd614690f420f9deba4cad3cc291e90a49e974fe2be7cea7f24c0ad0cb7  http___vanks.cl_2t3huwd
  165. 50ea9164fab21ec93c63ded772eb651ddc64ad3f8ff73b001579d3b816130970  http___villa64.dk_19tew8i
  166. 96d7d8f82dec80450db10412ecbc84f60a8f2fe5b006923b63899f5581c2a065  http___vipseal.de_mvhhdq
  167. 31b74aa8c4bfea1046ea599b275866d1a8e05872160bb03347d5ab6d2b211d56  http___vodatelsys.com.cn_58lupnimb
  168. 40b523ea24f1d8a86a415306d3a088971276dd5e5b89e293121423a9d3afefdd  http___waner888.com_4go17e
  169. 5812e92b756fb330c238fd198a70e19a9492c5721a6461741cc252726a88e236  http___wflife.net_87o3ozdd
  170. f67f079aafe44a6e3671981729e811f89104af71d07e310ecf2ccc3e97c0141f  http___wordpad.org_7ks1j
  171. db3c8e9874a8051904be88b3a5288fb96dc76c9461c65347e3516ece7709cba1  http___wphone3c.com_6ap7em
  172. 71f266b9dd2dd96ae9cfb248aa59ecd6fda27bafd1dc30ce39906488867e100b  http___wreckingcrewnow.com_bfnfwyt87y
  173. 2be8ec6667022433ba1c1e7e4e28c6170769bc2923ad70e9ba8e8ea0a0c9eb57  http___xangelle.com_8wlji
  174. - decoded
  175. b3a6589f9d8848c89640bd822a674fe1169846fb321a9df82b93d15f0bcd8386 [1]
  176. d531179eb52a2e1ff66cdba1239dee39f7503046091072ca796eceb402e92322 [2]
  177. 46e6b1fec964bbbeebe26370f8513cb082e42a8f12975c8088773962e82919ae [3]
  178. 6897c919c63f6570dbe7b0ccd85739d56f05366ed4f9908f837ccf59193caa03 [4]
  179. 30a13967591a22b54707d2a8e3016e2aec8317aebfe324165c2246198ff41eec [5]
  180. - executed by "rundll32.exe %TEMP%\<filename>.ZK,64Hq4CTd1F2mXYBw"
  181. - samples
  182. https://www.virustotal.com/file/b3a6589f9d8848c89640bd822a674fe1169846fb321a9df82b93d15f0bcd8386/analysis/1481543687/ [1]
  183. https://www.virustotal.com/file/d531179eb52a2e1ff66cdba1239dee39f7503046091072ca796eceb402e92322/analysis/1481543734/ [2]
  184. https://www.virustotal.com/file/46e6b1fec964bbbeebe26370f8513cb082e42a8f12975c8088773962e82919ae/analysis/1481543749/ [3]
  185. https://www.virustotal.com/file/6897c919c63f6570dbe7b0ccd85739d56f05366ed4f9908f837ccf59193caa03/analysis/1481543769/ [4]
  186. https://www.virustotal.com/file/30a13967591a22b54707d2a8e3016e2aec8317aebfe324165c2246198ff41eec/analysis/1481543785/ [5]
  187.  
  188. C2:
  189. POST http://185.46.11.236/checkupdate
  190. POST http://91.200.14.109/checkupdate
  191. POST http://93.170.104.23/checkupdate
  192. POST http://95.213.224.117/checkupdate
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top