2016-12-12: #locky email phishing run "Attached, Copy, Emailing, File"
Email sample:
------------------------------------------------------------------------------------------------------------------------------
From: "Beulah" <Beulah356@packstation.de>
To: [REDACTED]
Subject: File: Receipt_40
Date: Mon, 12 Dec 2016 21:39:49 +0700
Attachment: Receipt_40.zip -> Scan(757).jse
------------------------------------------------------------------------------------------------------------------------------
- sender name and address vary between emails, but the sender domain is always the recipient's own domain (forged so the mail looks internal)
- subject is "<Attached|Copy|Emailing|File>: <Document|Receipt|Scan>_<1 or 2 digits>"
- email body is empty
- attached file "<Document|Scan|Receipt>_<1 or 2 digits>.zip" (same as the second part of the subject) contains a file "Scan(<3 digits>).jse", a JScript downloader (the JScript is plaintext, not JScript.Encode as the .jse extension suggests; Windows Script Host runs it either way)
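The traits above (subject pattern, forged sender domain, empty body, zip name tied to the subject, "Scan(NNN).jse" inside the zip, plaintext rather than JScript.Encode content) translate directly into a mail-gateway triage check. The script below is an added example, not the paste author's code: it builds a constructed .eml mirroring the sample headers (the recipient local part and the harmless stand-in .jse body are invented; no real downloader is reproduced), round-trips it through the stdlib parser as a gateway would, and reports which campaign traits match.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject pattern from the paste: "<Attached|Copy|Emailing|File>: <Document|Receipt|Scan>_<1 or 2 digits>"
SUBJECT_RE = re.compile(r"^(Attached|Copy|Emailing|File): (Document|Receipt|Scan)_(\d{1,2})$")
# File inside the zip: "Scan(<3 digits>).jse"
INNER_RE = re.compile(r"^Scan\(\d{3}\)\.jse$")
# JScript.Encode output always starts with this marker; a plain-text .jse will not
JSE_ENCODED_MAGIC = b"#@~^"


def _domain(addr):
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    m = re.search(r"@([^>\s]+)", addr or "")
    return m.group(1).lower() if m else ""


def locky_indicators(msg):
    """Return the campaign traits matched by an EmailMessage parsed with policy.default."""
    hits = []
    m = SUBJECT_RE.match((msg["Subject"] or "").strip())
    if m:
        hits.append("subject pattern")
    # Sender domain forged to equal the recipient's domain
    if _domain(msg["From"]) and _domain(msg["From"]) == _domain(msg["To"]):
        hits.append("sender domain == recipient domain")
    # Empty body: no text part at all, or only whitespace
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not str(text).strip():
        hits.append("empty body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Zip name must equal the second half of the subject, e.g. Receipt_40.zip
        if m and name == f"{m.group(2)}_{m.group(3)}.zip":
            hits.append("zip name matches subject")
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        for inner in zf.namelist():
            if INNER_RE.match(inner):
                hits.append("zip contains Scan(NNN).jse")
                encoded = zf.read(inner).startswith(JSE_ENCODED_MAGIC)
                hits.append("jse is encoded" if encoded else "jse is plaintext")
    return hits


def build_sample():
    """Constructed message with the paste's header shape (recipient and .jse body invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan(757).jse", b"// stand-in for the JScript downloader, not the real sample\n")
    msg = EmailMessage()
    msg["From"] = '"Beulah" <Beulah356@packstation.de>'
    msg["To"] = "someone@packstation.de"
    msg["Subject"] = "File: Receipt_40"
    msg["Date"] = "Mon, 12 Dec 2016 21:39:49 +0700"
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Receipt_40.zip")
    return msg


def build_benign():
    """Constructed control message that should match none of the traits."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "someone@packstation.de"
    msg["Subject"] = "Minutes from today"
    msg.set_content("Hi, notes attached.")
    msg.add_attachment(b"nothing to see", maintype="text", subtype="plain", filename="notes.txt")
    return msg


def triage(msg):
    """Serialise and re-parse (as a gateway sees raw bytes), then evaluate."""
    parsed = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    return locky_indicators(parsed)


def triage_sample():
    return triage(build_sample())


def triage_benign():
    return triage(build_benign())


if __name__ == "__main__":
    print("sample :", triage_sample())
    print("benign :", triage_benign())
```

Quarantine on the combination, not on any one trait: "Document_7.zip" from a colleague is normal, but a zip whose name repeats the subject, arrives with no body and from a forged internal sender, and holds a Scan(NNN).jse is this run. The plaintext check matters for analysts rather than blocking: the .jse extension normally promises JScript.Encode, so a plain script under that name is itself a tell.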
Download sites:
http://103.27.52.92/874ghv3
http://117.239.70.228/874ghv3
http://216.104.188.249/874ghv3
http://54.93.178.21/874ghv3
http://69.162.74.116/874ghv3
http://absxpintranet.in/874ghv3
http://angelwap.ro/874ghv3
http://autorijschoolpedro.nl/874ghv3
http://belovephoto.com/874ghv3
http://cardbuilderplus.com/874ghv3
http://cynosurejobs.net/874ghv3
http://democro.com/874ghv3
http://dreamtheatre.co/874ghv3
http://dronetech.no/874ghv3
http://envisorusa.com/874ghv3
http://freedommobility.com.au/874ghv3
http://galtechprojects.com/874ghv3
http://gateste.sanatate.us/874ghv3
http://gezgininpusulasi.com/874ghv3
http://greenresist.com/874ghv3
http://gudangg.com/874ghv3
http://hooli.com.au/874ghv3
http://ibfnetwork.com/874ghv3
http://konoikevina.com.vn/874ghv3
http://mebdco.com/874ghv3
http://megapowercash.com/874ghv3
http://mer-pro.com/874ghv3
http://miel-maroc.com/874ghv3
http://mstest2.co.uk/874ghv3
http://muhammadmafazine.com/874ghv3
http://mynamepixs.com/874ghv3
http://omnibusiness-solutions.com/874ghv3
http://onedotm.com/874ghv3
http://ratchadaphoto.com/874ghv3
http://socialandmovieapps.com/874ghv3
http://sunwayautoparts.com/874ghv3
http://sustainabletompkins.org/874ghv3
http://therapymarketinginstitute.com/874ghv3
http://thetbank.com/874ghv3
http://thetravelbug.org/874ghv3
http://tifa-awards.net/874ghv3
http://tutorarabia.com/874ghv3
http://tvctraffic.com/874ghv3
http://waterplusmaroc.com/874ghv3
http://workandplaytherapy.com/874ghv3
http://www.bfsa.gov.bd/874ghv3
http://www.icp.edu.pk/874ghv3
http://www.ifs-b.org/874ghv3
http://www.primeknittexltd.com/874ghv3
http://www.pspmrsmag.com/874ghv3
http://www.pspmrsmtumpat.com/874ghv3
http://www.refereccu.com/874ghv3
http://www.russwat.org/874ghv3
http://zasm.info/874ghv3
http://zocaloalminuto.com/874ghv3
UPDATED:
http://angorabric.org/874ghv3
http://icclicks.com/874ghv3
http://indiaclubdayton.org/874ghv3
http://naacllc.com/874ghv3
http://rewoza.smartsme.tv/874ghv3
UPDATED:
http://3ainstrument.com/874ghv3
http://aiahelps.com/874ghv3
http://filesdiamond.com/874ghv3
http://indigenouspromotions.com.au/874ghv3
http://soulanimtech.com/874ghv3
http://stmerchandise.net/874ghv3
http://thaitooling.net/874ghv3
http://wkreation.com/874ghv3
http://www.paradisecity.pk/874ghv3
Malware:
- encoded on download: SHA256 5c112d02b8726e841bba19b9c7aabeff505f25bf833b83b4ccfd97bfd2e32207, MD5 822590912e835cfbcf80855aad3e67d1
- decoded: SHA256 77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265, MD5 399600fd83eee256ee6d404e3697adaa
- executed by "rundll32.exe %TEMP%\<dll_name>,get_str" (the decoded payload is a DLL dropped under %TEMP% and loaded through its get_str export)
- sample https://www.virustotal.com/file/77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265/analysis/1481559253/
C2:
POST http://176.121.14.95/checkupdate
POST http://88.214.236.218/checkupdate
POST http://91.219.31.14/checkupdate
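Beyond the mail gateway, this run leaves two host/network traces worth a rule: the rundll32 launch of a DLL under %TEMP% with the get_str export, and the HTTP pattern of a GET to the shared /874ghv3 path (common to every download site listed above) followed by a POST to /checkupdate on one of the three C2 addresses. The script below is an added example, not the paste author's code. The log formats are assumed (key=value proxy lines and a ts/host/image/cmdline process line) and the log contents are constructed, including a benign rundll32 call and a benign POST to a /checkupdate path on a non-C2 host, so the rules have to discriminate rather than match on a path alone.

```python
import re
from urllib.parse import urlparse

# IOCs from the paste
DOWNLOAD_PATH = "/874ghv3"
C2_HOSTS = {"176.121.14.95", "88.214.236.218", "91.219.31.14"}
C2_PATH = "/checkupdate"
RUNDLL_EXPORT = "get_str"
PAYLOAD_SHA256 = {
    "5c112d02b8726e841bba19b9c7aabeff505f25bf833b83b4ccfd97bfd2e32207": "encoded download",
    "77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265": "decoded DLL",
}

# Constructed sample telemetry (assumed formats; hosts, user name and DLL name are invented)
PROXY_LOG = """\
ts=2016-12-12T14:41:02Z src=10.1.2.3 method=GET url=http://democro.com/874ghv3 status=200
ts=2016-12-12T14:41:05Z src=10.1.2.3 method=GET url=http://democro.com/favicon.ico status=404
ts=2016-12-12T14:41:20Z src=10.1.2.3 method=POST url=http://176.121.14.95/checkupdate status=200
ts=2016-12-12T14:42:00Z src=10.1.2.9 method=POST url=http://updates.example.net/checkupdate status=200
"""
PROCESS_LOG = """\
ts=2016-12-12T14:41:19Z host=WS17 image=C:\\Windows\\System32\\rundll32.exe cmdline=rundll32.exe C:\\Users\\jo\\AppData\\Local\\Temp\\ab12cd.dll,get_str
ts=2016-12-12T14:41:30Z host=WS17 image=C:\\Windows\\System32\\rundll32.exe cmdline=rundll32.exe shell32.dll,Control_RunDLL
"""

# rundll32 [path\]rundll32[.exe] <module>,<export>; module may be quoted or use %TEMP%
RUNDLL_RE = re.compile(r'^"?(?:.*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)


def suspicious_rundll32(cmdline):
    """True for the launch described in the paste: a DLL under a temp directory
    invoked through its get_str export."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return False
    module, export = m.group(1), m.group(2)
    in_temp = module.upper().startswith("%TEMP%") or re.search(r"[\\/]TEMP[\\/]", module, re.I) is not None
    return in_temp and export.lower() == RUNDLL_EXPORT


def suspicious_request(method, url):
    """Classify one proxy request; C2 requires the host match because /checkupdate
    is a plausible path on legitimate updaters."""
    u = urlparse(url)
    if method.upper() == "GET" and u.path == DOWNLOAD_PATH:
        return "payload download"
    if method.upper() == "POST" and u.path == C2_PATH and u.hostname in C2_HOSTS:
        return "Locky C2 check-in"
    return None


def classify_hash(sha256):
    """Which stage of the payload a SHA256 corresponds to, or None."""
    return PAYLOAD_SHA256.get(sha256.lower())


def scan_proxy_log(text):
    """(ts, src, verdict, url) for every request matching a network IOC."""
    alerts = []
    for line in text.splitlines():
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        verdict = suspicious_request(f.get("method", ""), f.get("url", ""))
        if verdict:
            alerts.append((f["ts"], f["src"], verdict, f["url"]))
    return alerts


def scan_process_log(text):
    """(ts, host, cmdline) for every rundll32 launch matching the paste's pattern."""
    alerts = []
    for line in text.splitlines():
        m = re.match(r"^ts=(\S+) host=(\S+) image=(\S+) cmdline=(.*)$", line)
        if m and suspicious_rundll32(m.group(4)):
            alerts.append((m.group(1), m.group(2), m.group(4)))
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(PROXY_LOG) + scan_process_log(PROCESS_LOG):
        print(a)
```

Correlating the two on the same source (10.1.2.3 downloads /874ghv3 at 14:41:02, rundll32 fires on that host at 14:41:19, the C2 POST follows at 14:41:20) is the useful triage view; the download URL path and the rundll32 form are the more durable indicators, since the download hosts are compromised sites that rotate (note the two UPDATED batches above), whereas the three C2 addresses can be blocked outright.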