SHOW:
|
|
- or go back to the newest paste.
| 1 | 2016-09-06 #locky email phishing campaign "Invoice INV0000xxxxx" | |
| 2 | ||
| 3 | Email: | |
| 4 | -------------------------------------------------------------------------------------------- | |
| 5 | From: "Willy aikman" <Willy38@perita.nl> | |
| 6 | To: [REDACTED] | |
| 7 | Subject: Invoice INV000073388 | |
| 8 | Date: Tue, 06 Sep 2016 19:54:13 +0700 | |
| 9 | ||
| 10 | Please find our invoice attached. | |
| 11 | ||
| 12 | Attachment: Invoice_INV000073388.zip | |
| 13 | -------------------------------------------------------------------------------------------- | |
| 14 | - sender varies | |
| 15 | - subject is "Invoice INV0000<number>" | |
| 16 | - attached file "Invoice INV0000<number>.zip" corresponds to subject | |
| 17 | - attached file contains file "<random chars>.wsf" containing a JScript downloader | |
| 18 | ||
| 19 | Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download) | |
| 20 | http://209.41.183.242/j8fn3rg3 | |
| 21 | http://alians-ekb.ru/j8fn3rg3 | |
| 22 | http://andante-co.jp/j8fn3rg3 | |
| 23 | http://andreas414.republika.pl/j8fn3rg3 | |
| 24 | http://around4percent.web.fc2.com/j8fn3rg3 | |
| 25 | http://bostoncittyregenerww.com/js/j8fn3rg3 | |
| 26 | http://bushman-rest.com/j8fn3rg3 | |
| 27 | http://cmacos.com/j8fn3rg3 | |
| 28 | http://dashman.web.fc2.com/j8fn3rg3 | |
| 29 | http://fidelitas.heimat.eu/j8fn3rg3 | |
| 30 | http://gam-e20.it/j8fn3rg3 | |
| 31 | http://hotelimperium.go.ro/j8fn3rg3 | |
| 32 | http://josemedina.com/j8fn3rg3 | |
| 33 | http://kreativmanagement.homepage.t-online.de/j8fn3rg3 | |
| 34 | http://lacomete52.perso.sfr.fr/j8fn3rg3 | |
| 35 | http://lalarabbit.web.fc2.com/j8fn3rg3 | |
| 36 | http://marcotormento.de/j8fn3rg3 | |
| 37 | http://michik.web.fc2.com/j8fn3rg3 | |
| 38 | http://mixup0813.web.fc2.com/j8fn3rg3 | |
| 39 | http://ngenge.web.fc2.com/j8fn3rg3 | |
| 40 | http://onlineportal-2012.de/j8fn3rg3 | |
| 41 | http://pea5.cba.pl/j8fn3rg3 | |
| 42 | http://portadeenrolar.ind.br/j8fn3rg3 | |
| 43 | http://qualityacoustic.comcastbiz.net/j8fn3rg3 | |
| 44 | http://rosivani.go.ro/j8fn3rg3 | |
| 45 | http://sebangou8.xxxxxxxx.jp/j8fn3rg3 | |
| 46 | http://sitio655.vtrbandaancha.net/j8fn3rg3 | |
| 47 | http://sp-moto.ru/j8fn3rg3 | |
| 48 | http://tst-technik.de/j8fn3rg3 | |
| 49 | http://unimet.tmhandel.com/j8fn3rg3 | |
| 50 | http://w8kvpd5ib.homepage.t-online.de/j8fn3rg3 | |
| 51 | http://wccf.huuryuu.com/j8fn3rg3 | |
| 52 | http://wolffram.homepage.t-online.de/j8fn3rg3 | |
| 53 | http://www.aldesco.it/j8fn3rg3 | |
| 54 | http://www.alpstaxi.co.jp/j8fn3rg3 | |
| 55 | http://www.association-julescatoire.fr/j8fn3rg3 | |
| 56 | http://www.auret.at/j8fn3rg3 | |
| 57 | http://www.beniculturali.org/j8fn3rg3 | |
| 58 | http://www.bytove.jadro.szm.com/j8fn3rg3 | |
| 59 | http://www.ccnprodusenaturiste.home.ro/j8fn3rg3 | |
| 60 | http://www.cmg-ingegneria.it/j8fn3rg3 | |
| 61 | http://www.coropeppinumereu.it/j8fn3rg3 | |
| 62 | http://www.facturi.go.ro/j8fn3rg3 | |
| 63 | http://www.folkjuannepiu.it/j8fn3rg3 | |
| 64 | http://www.fpizzuto.eu/j8fn3rg3 | |
| 65 | http://www.gengokk.co.jp/j8fn3rg3 | |
| 66 | http://www.hestia-bewindvoering.nl/j8fn3rg3 | |
| 67 | http://www.hung-guan.com.tw/j8fn3rg3 | |
| 68 | http://www.keramikobjekt.de/j8fn3rg3 | |
| 69 | http://www.laribalta.org/j8fn3rg3 | |
| 70 | http://www.lindenkapelle.de/j8fn3rg3 | |
| 71 | http://www.lnowak.tkdami.net/j8fn3rg3 | |
| 72 | http://www.mikeg7hen.talktalk.net/j8fn3rg3 | |
| 73 | http://www.montegelato.it/j8fn3rg3 | |
| 74 | http://www.oltransservice.org/j8fn3rg3 | |
| 75 | http://www.one-clap.jp/j8fn3rg3 | |
| 76 | http://www.parrucchieriagiacomo.com/j8fn3rg3 | |
| 77 | http://www.peritiassicurativi.org/j8fn3rg3 | |
| 78 | http://www.pittorf.de/j8fn3rg3 | |
| 79 | http://www.planet-auto.go.ro/j8fn3rg3 | |
| 80 | http://www.plumbntile.talktalk.net/j8fn3rg3 | |
| 81 | http://www.porchettadicolledara.com/j8fn3rg3 | |
| 82 | http://www.radicegioielli.com/j8fn3rg3 | |
| 83 | http://www.roboticapc.com/j8fn3rg3 | |
| 84 | http://www.sieas.com/j8fn3rg3 | |
| 85 | http://www.spiritueelcentrumaum.net/j8fn3rg3 | |
| 86 | http://www.texelvakantiehuisje.nl/j8fn3rg3 | |
| 87 | http://www.threshold-online.co.uk/j8fn3rg3 | |
| 88 | http://www.vanetti.it/j8fn3rg3 | |
| 89 | http://www.vilastefania.go.ro/j8fn3rg3 | |
| 90 | http://www.wellworx.de/j8fn3rg3 | |
| 91 | http://www.whitakerpd.co.uk/j8fn3rg3 | |
| 92 | http://www.xolod-teplo.ru/j8fn3rg3 | |
| 93 | http://zse2.pl/j8fn3rg3 | |
| 94 | http://zui9reica.web.fc2.com/j8fn3rg3 | |
| 95 | ||
| 96 | Malware: | |
| 97 | - | - encoded on download, SHA256 b09fd941cf46fe994af6b88856969b860ab666dedfe198db4ff1ac49b788a870, filesize 76288 bytes |
| 97 | + | - encoded on download, SHA256 b09fd941cf46fe994af6b88856969b860ab666dedfe198db4ff1ac49b788a870, filesize 76288 bytes |
| 98 | - decoded SHA256 adc7cc912bd255e17431ead2dfa592f3176ddfa72cdc84cd3b78ab87f5a3f12d | |
| 99 | ||
| 100 | https://www.reverse.it/sample/40cfb75451d3c878c0d19de31f8ab29146cc3b17ee0ad1e8bea61d022f94abcf?environmentId=100 |
