API tools faq
paste
Racco42

Locky "987nkjh8"

Racco42
Aug 30th, 2016
1,538
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.75 KB | None | 0 0
raw download clone embed print report
  1. 2016-08-30 #locky email phishing campaign "987nkjh8" / "Document, Image, Photo, Photos, Picture"
  2.  
  3. Email
  4. - sender address varies, but comes from same domain as recepient
  5. - subject can be one of - Document, Image, Photo, Photos, Picture
  6. - body of email is empty (just one = character)
  7. - attachment is as zip file "XX_20160830_AA_BB_CC_Pro.zip" (XX = DC, IG, PC, PH, WP)
  8. - inside a zipfile is a <random_chars>.wsf file containing JScript downloader
  9.  
  10. Download sites (actual URLs have suffix of ?<random>=<random>, but it has no effect on downloaded data):
  11. http://alians-ekb.ru/987nkjh8
  12. http://aptosruralescasadelaabuela.es/987nkjh8
  13. http://arcziuuucity.y0.pl/987nkjh8
  14. http://chwiladlaciebie.cba.pl/987nkjh8
  15. http://cmacos.com/987nkjh8
  16. http://earthkikaku.web.fc2.com/987nkjh8
  17. http://gastrohurt.neostrada.pl/987nkjh8
  18. http://gerochan.web.fc2.com/987nkjh8
  19. http://lacomete52.perso.sfr.fr/987nkjh8
  20. http://marronbridge.ina-ka.com/987nkjh8
  21. http://muellerfalk.homepage.t-online.de/987nkjh8
  22. http://nihilismus.web.fc2.com/987nkjh8
  23. http://nishinomiyaseijunkai.web.fc2.com/987nkjh8
  24. http://og-kaiserslautern-kft.de/987nkjh8
  25. http://onlineportal-2012.de/987nkjh8
  26. http://rmpst.republika.pl/987nkjh8
  27. http://rs-nordsee.de/987nkjh8
  28. http://stanflorin10.go.ro/987nkjh8
  29. http://wolffram.homepage.t-online.de/987nkjh8
  30. http://www.artx.strefa.pl/987nkjh8
  31. http://www.auret.at/987nkjh8
  32. http://www.dapaluda.it/987nkjh8
  33. http://www.facturi.go.ro/987nkjh8
  34. http://www.hiederer.de/987nkjh8
  35. http://www.lindenkapelle.de/987nkjh8
  36. http://www.lnowak.tkdami.net/987nkjh8
  37. http://www.peritiassicurativi.org/987nkjh8
  38. http://www.roboticapc.com/987nkjh8
  39. http://www.sand-mechanic.ru/987nkjh8
  40. http://www.shanty-chor-neuengoers.de/987nkjh8
  41. http://www.vilastefania.go.ro/987nkjh8
  42. http://www.welt-weit.info/987nkjh8
  43. http://zubimendi.com/987nkjh8
  44.  
  45. Malware encoded, SHA256 6e3e22e7b848c5034a9ea3dce086f2cdb7d038e083844f54193449e62b7e13c0, filesize 151552 bytes
  46. https://www.reverse.it/sample/6baf9d0ffc8b0b344ef27bda8ed11b9fb4df03eae9dca6d2d102472cd2a8327c?environmentId=100
  47. https://www.reverse.it/sample/ac6cd2254a5a154f5159bce915311d6db4e090709552600a2e714bea61d652e5?environmentId=100
  48. https://www.reverse.it/sample/d379523f1006ae288acb053fcbc5af74877ef6727fd10f1d0f6440fdb6a94f6f?environmentId=100
  49. https://www.reverse.it/sample/311c6f45435d9f3f730839aa89319dbdb663ca8d3b00a1a9077688784a4ce016?environmentId=100
  50. https://www.reverse.it/sample/333c5025abaca8435e7b5e72d8b39db4f8ebee9d8de38beee74fec64f1cefc72?environmentId=100
  51. https://www.reverse.it/sample/6982b27ae64fc7f26bf7a214ab185087b332cb251de9118ce0eb0184c1e99ebf?environmentId=100
  52. https://www.reverse.it/sample/58d4c607da7427ea3ec9a9174f01e086c09d69c42ce64ee0d5eb1bde1f7f164b?environmentId=100
  53.  
  54. C2s:
  55. 95.85.19.195:80/data/info.php
  56. 188.127.249.32:80/data/info.php
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!