2016-11-25 Locky "Important Information"

Racco42 Nov 25th, 2016 (edited)
2016-11-25 #locky email phishing campaign "Important Information"

Email sample
-------------------------------------------------------------------------------------------------------------
From: "Phoebe Mclean" <Mclean.Phoebe@orawebaruhaz.com>
To: [REDACTED]
Subject: Important Information
Date: Fri, 25 Nov 2016 05:39:51 -0500

Dear [REDACTED], your payment was not processed due to the problem with credentials.
Payment details are in the attached document.

Please check it out as soon as possible.

Attachment: payment_[REDACTED].zip -> HQ4b42nu.js
-------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Important Information"
- attached file "payment_<recipient name>.zip" contains file "HQ<6-9 lowercase chars>.js", a JScript downloader

Download sites:

Malware:
- encoded on download
- decoded
- executed by "rundll32.exe %TEMP%\<filename>.TDB,g8EsBeS1yWtpEV1FM"

C2
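Detection logic for the three behaviours this paste describes (the lure's subject and attachment naming, rundll32 loading a .TDB file from %TEMP% with an export name, and the HTTP POST to /information.cgi), as an added example that is not part of the original paste. The event lines, their "type|detail" layout, the temp path, the file name kf31.TDB and the host example.invalid are constructed for this example; the regex accepts digits in the HQ name because the sample HQ4b42nu.js contains them.

```python
import re

# Constructed sample events (not taken from any real log); layout is "type|detail".
SAMPLE_EVENTS = [
    "mail|subject=Important Information|attach=payment_jdoe.zip:HQ4b42nu.js",
    "mail|subject=Invoice 4471|attach=invoice.pdf",
    "proc|rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\kf31.TDB,g8EsBeS1yWtpEV1FM",
    "proc|rundll32.exe shell32.dll,Control_RunDLL",
    "http|POST http://example.invalid/information.cgi",
    "http|GET http://example.invalid/index.html",
]

# Archive payment_<recipient>.zip carrying HQ<6-9 chars>.js, as described in the paste.
ATTACH_RE = re.compile(r"payment_[^:|]+\.zip:HQ[a-z0-9]{6,9}\.js$")
# rundll32 loading a DLL renamed to .TDB out of a Temp directory, with an export name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+.*\\temp\\[^\\,]+\.tdb,\S+", re.IGNORECASE)
# Locky check-in: POST to /information.cgi, regardless of host (hosts rotate).
C2_RE = re.compile(r"^POST\s+https?://[^/]+/information\.cgi", re.IGNORECASE)


def classify(event: str):
    """Return a tag for an event matching one of the paste's indicators, else None."""
    kind, _, detail = event.partition("|")
    if kind == "mail":
        fields = dict(f.split("=", 1) for f in detail.split("|") if "=" in f)
        if fields.get("subject") == "Important Information" and ATTACH_RE.search(fields.get("attach", "")):
            return "phish-lure"
    elif kind == "proc" and RUNDLL_RE.search(detail):
        return "rundll32-tdb"
    elif kind == "http" and C2_RE.match(detail):
        return "c2-checkin"
    return None


def scan(events):
    """Return (event, tag) pairs for every event that matched an indicator."""
    return [(e, tag) for e in events if (tag := classify(e))]


if __name__ == "__main__":
    for event, tag in scan(SAMPLE_EVENTS):
        print(f"{tag:13} {event}")
```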

Downloaders: