2016-09-08 #locky email phishing campaign "[Vigor2820 Series] New voice mail message from xxxxxxxx"
https://myonlinesecurity.co.uk/vigor2820-series-new-voice-mail-message-from-random-telephone-number-on-20160823-210159-delivers-locky-zepto-ransomware/

Email sample (sender address is faked to be from voicemail@<recipient's domain>):
------------------------------------------------------------------------------------------------
From: voicemail@[REDACTED]
To: [REDACTED]
Subject: [Vigor2820 Series] New voice mail message from 01452422396 on 2016/09/08 13:23:20

Dear [REDACTED] :
There is a message for you from 01452422396, on 2016/09/08 13:23:20 .
You might want to check it when you get a chance.Thanks!
------------------------------------------------------------------------------------------------

Attached file "Message_from_<number>.wav.zip" contains "<random_chars>.wsf" which contains a JScript downloader.

Download sites (URL contains suffix ?<random>=<random>, which does not influence download):
Malware:
- encrypted on download, SHA256 e1c613422f144c88c3df517a4ba7dcd660939813c617f7ccc5a2ecfa29c05af9, filesize 159744 bytes
- decoded SHA256 c761685e6d70149af0a3fd461a1bb9d61f93479e46428ca55ed546f85c1d28ef

Sandbox reports:
https://www.reverse.it/sample/6da27084917eb60c352701cc2129c1ec8d2d8486906ebd1fb40dc6a4a3db7b88?environmentId=100
https://www.reverse.it/sample/0b3f1d2479351a107abdf49249cd1671c9e2ec0a3c2a2d784cb435061c76cc22?environmentId=100
https://www.reverse.it/sample/6a7ec5fb2d236aaa3e00e16ed6ad5876b9aa55edc86d1b4eae057f22806fe45a?environmentId=100

There is no visible C2 communication; the RSA key is probably part of the config.
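Added example (not part of the paste): a mail-gateway style check in Python that scores one message against the lure traits described above: the Vigor2820 voicemail subject, the sender forged as voicemail@ the recipient's own domain, the "Message_from_<number>.wav.zip" double extension, and a script file inside the zip. The .wsf member name and the exact digit counts are assumptions, so the regexes are kept loose; the zip fixture is constructed in memory and holds only placeholder bytes.

```python
import io
import re
import zipfile

# Patterns taken from the sample email above (digit counts are assumptions)
SUBJECT_RE = re.compile(
    r"^\[Vigor2820 Series\] New voice mail message from \d+ on "
    r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$"
)
ATTACH_RE = re.compile(r"^Message_from_\d+\.wav\.zip$", re.IGNORECASE)
# .wsf is what this campaign used; the other script extensions are a defensive superset
SCRIPT_EXT = (".wsf", ".js", ".jse", ".vbs")


def lure_signals(sender, recipient, subject, attachment_name, attachment_bytes):
    """Return the list of campaign traits seen in one message (empty list = none)."""
    signals = []
    if SUBJECT_RE.match(subject):
        signals.append("vigor_voicemail_subject")
    # Sender forged as voicemail@<recipient's own domain>, as in the sample
    recipient_domain = recipient.split("@", 1)[-1].lower()
    if sender.lower() == "voicemail@" + recipient_domain:
        signals.append("spoofed_internal_voicemail_sender")
    if ATTACH_RE.match(attachment_name):
        signals.append("wav_zip_double_extension")
    # Look inside the archive without extracting anything to disk
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []
    if any(m.lower().endswith(SCRIPT_EXT) for m in members):
        signals.append("script_inside_zip")
    return signals


def build_zip(member_name, content=b"constructed placeholder, not a real script"):
    """Constructed test fixture: an in-memory zip holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the redacted sample (hypothetical domain/member name)
    print(lure_signals(
        "voicemail@example.org", "alice@example.org",
        "[Vigor2820 Series] New voice mail message from 01452422396 on 2016/09/08 13:23:20",
        "Message_from_01452422396.wav.zip", build_zip("kq8Zt2.wsf"),
    ))
```

A message matching all four traits is a strong candidate for quarantine; the individual traits are weaker on their own, since a genuine router voicemail notification would also carry the subject pattern.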