- 2016-12-05 #locky email phishing campaign "Please Consider This"
- Email sample:
- --------------------------------------------------------------------------------------------------------------------
- From: "Terry Martin" <Martin.Terry@cacuocdoden.com>
- To: [REDACTED]
- Subject: Please Consider This
- Date: Mon, 05 Dec 2016 17:12:33 +0530
- Dear [REDACTED],
- Our accountants have noticed a mistake in the payment bill #DEC-1310239.
- The full information regarding the mistake, and further recommendations are in the attached document.
- Please confirm the amount and let us know if you have any questions.
- Attachment: bill1310239.zip -> -W16BV8R9A6.js
- --------------------------------------------------------------------------------------------------------------------
- - sender address varies between emails
- - subject is "Please Consider This"
- - attached file "bill<7 digits>.zip" contains the file "-<7-10 uppercase chars and digits>.js", a JScript downloader
- Download sites:
- Malware:
- - encoded on download
- - decoded
- 4e486c75e2738524732cb966582668a1862439a3b47f5a60727434ef6fa0ed0a [1]
- 473d1e97e53faf04b473e316827c16581a1288a5264b1506fc89bb49ba520769 [2]
- - executed by "rundll32.exe %TEMP%\<filename>.zk,iEdNvU2wnVOOwYPcED"
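Detection logic for the two host-side observables in this paste, the attachment naming pattern and the rundll32 invocation of the decoded payload, as an added example that is not part of the original paste. The sample command lines and the `.zk` file name are constructed, and treating any non-.dll module loaded by rundll32 from a temp directory as suspicious is an assumption that generalises the single observed case.

```python
import re

# Attachment naming seen in the 2016-12-05 "Please Consider This" wave:
# outer archive "bill<7 digits>.zip", inner "-<7-10 uppercase chars and digits>.js".
ZIP_NAME_RE = re.compile(r"^bill\d{7}\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^-[A-Z0-9]{7,10}\.js$")

# rundll32 "<module>,<export>" invocation; the paste shows the module as
# "%TEMP%\<filename>.zk" called by export name.
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<module>[^\s,\"]+)\"?\s*,\s*(?P<export>\w+)",
    re.IGNORECASE,
)
TEMP_HINTS = ("%temp%", "\\temp\\", "\\appdata\\local\\temp\\")


def is_campaign_attachment(zip_name: str, inner_names: list[str]) -> bool:
    """True when the archive name and one member name both match the campaign pattern."""
    return bool(ZIP_NAME_RE.match(zip_name)) and any(
        JS_NAME_RE.match(n) for n in inner_names
    )


def is_suspicious_rundll32(cmdline: str) -> bool:
    """True when rundll32 loads a ".zk" module, or (assumption) any non-.dll module
    from a temp directory, by export name."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return False
    module = m.group("module").lower()
    ext = module.rsplit(".", 1)[-1] if "." in module else ""
    in_temp = any(hint in module for hint in TEMP_HINTS)
    return ext == "zk" or (in_temp and ext != "dll")


# Constructed sample process command lines (not from the paste); only the
# export name is taken from the observed execution line.
SAMPLE_CMDLINES = [
    r"rundll32.exe %TEMP%\pQx7Lm.zk,iEdNvU2wnVOOwYPcED",
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r"rundll32.exe C:\Users\u\AppData\Local\Temp\setup.dll,Run",
]


def flagged_cmdlines(cmdlines: list[str]) -> list[str]:
    """Return the command lines that trip the rundll32 check."""
    return [c for c in cmdlines if is_suspicious_rundll32(c)]
```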
- C2:
- POST http://185.146.168.13/checkupdate
- POST http://185.22.173.122/checkupdate