- 2016-12-16: #locky email phishing campaign "Attached document"
- Sample email:
- ------------------------------------------------------------------------------------------------------------------------------
- From: copier@[REDACTED]
- To: [REDACTED]
- Subject: Attached document
- Date: Fri, 16 Dec 2016 02:14:20 -0700
- Attachment: 9310_0038.docm
- ------------------------------------------------------------------------------------------------------------------------------
- - sender address is copier@<recipient's domain>
- - subject is "Attached document"
- - email body is empty
- - attached file "<4 digits>_<3-4 digits>.docm" is a Microsoft Word file with an auto-opening macro that downloads the malware
- Download sites:
- http://028cdxyk.com/hjg766
- http://aacom.pl/hjg766
- http://aaryn.net/hjg766
- http://akida.com/hjg766
- http://alock.co/hjg766
- http://amaniinitiative.org/hjg766
- http://archibaldmicrobrasserie.ca/hjg766
- http://auto-zakaz.com.ua/hjg766
- http://banhang123.com/hjg766
- http://billionsfamily.com/hjg766
- http://brookstonemanuals.com/hjg766
- http://calderon.com.mx/hjg766
- http://dealspari.com/hjg766
- http://demo.ahost5.ru/hjg766
- http://demo.pornuha4you.com/hjg766
- http://dicksmacker.com/hjg766
- http://dryerventexpress.com/hjg766
- http://ebreckinteriors.com/hjg766
- http://fiddlefire.net/hjg766
- http://gallery.mohammadtarighi.ir/hjg766
- http://hho68.com/hjg766
- http://houssiere.daniel.formations-web.alsace/hjg766
- http://ilasd.org/hjg766
- http://infinitecorp.ca/hjg766
- http://infosys.co.kr/hjg766
- http://inzt.net/hjg766
- http://ivibohoc.url.ph/hjg766
- http://kayamuh.sarf.com.tr/hjg766
- http://kirulya.com/hjg766
- http://kurou.bokunenjin.com/hjg766
- http://ledticket.com/hjg766
- http://lucapotenziani.com/hjg766
- http://mainlinecarriers.co.tz/hjg766
- http://masonlodgestpeter.org/hjg766
- http://mbdvacations.com/hjg766
- http://medianisprint.com/hjg766
- http://mgascca.com/hjg766
- http://movewithgrace.ca/hjg766
- http://mprotectcorp.com/hjg766
- http://msveletiny.cz/hjg766
- http://nonblockservice08.info/hjg766
- http://nortra-cables.com/hjg766
- http://obccllc.com/hjg766
- http://old.strommarnas.se/hjg766
- http://pcflame.com.au/hjg766
- http://perspektive-fuer-kinder.de/hjg766
- http://profitmonster.com/hjg766
- http://promgazenergo34.ru/hjg766
- http://pta-babel.net/hjg766
- http://qe7.ca/hjg766
- http://rdsc-seminar.com/hjg766
- http://s393640255.onlinehome.us/hjg766
- http://s435378127.online-home.ca/hjg766
- http://s437702314.onlinehome.us/hjg766
- http://shomesofa.com/hjg766
- http://smcga.ca/hjg766
- http://stoneofliberty.com/hjg766
- http://store.elixe.net/hjg766
- http://taladm.ru/hjg766
- http://test1.zrise.top/hjg766
- http://theexcelconsultant.com/hjg766
- http://thomas-christ.de/hjg766
- http://topstoneisland.com/hjg766
- http://tunca.bel.tr/hjg766
- http://www.dazzle-events.be/hjg766
- http://www.englishworld.it/hjg766
- http://www.enhansit.com/hjg766
- http://www.lauraleedonnelly.com/hjg766
- http://www.mywoc.ca/hjg766
- http://www.sapol.it/hjg766
- http://www.servipisos.com.ar/hjg766
- http://www.sitivisibili.it/hjg766
- http://www.thepasobueno.com/hjg766
- http://www.tourist-car.ru/hjg766
- http://yellowstudio.pl/hjg766
- UPDATE:
- http://allan.multimediedesignerskive.dk/hjg766
- http://bikebrowse.com/hjg766
- http://ustadhanif.com/hjg766
- Malware:
- - encoded on download, SHA256 23fadcae84181af9773c3c4535a1fb2fc1d02ab1418c22750f100953ba324c2f, MD5 36cc79869bf6fb048a2c3bc274f36690
- - decoded SHA256 2c4ea27abe8f6199dbbc3f5de2b3bd181ffbfb2481ef307351b7fc4d8b5fdb99, MD5 7a3b10f987d635242370e0e2ef051a9b
- - executed by "rundll32.exe %TEMP%\<filename>.aww,GetMessage"
- - sample https://www.reverse.it/sample/02cec4ff4c794c358bdd25f15c38df2d52b659eba40c476bb15b42a4fab62eb0?environmentId=100
- C2:
- POST http://37.235.50.29/checkupdate
- POST http://176.121.14.95/checkupdate
- POST http://86.110.117.155/checkupdate
- POST http://83.220.172.182/checkupdate
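- The following Python is an added detection example, not part of the paste: it turns the campaign traits above (spoofed copier@ sender at the recipient's own domain, "Attached document" subject, empty body, the `<4 digits>_<3-4 digits>.docm` attachment name, the `/hjg766` download path, the `rundll32.exe %TEMP%\<filename>.aww,GetMessage` execution and the four `POST /checkupdate` C2 endpoints) into checks a defender can run over mail metadata, proxy logs and process-creation events. Only the indicator values come from the paste; the `METHOD URL` proxy-log line format and all sample messages and log lines are constructed for the example.

```python
"""Detection helpers for the 2016-12-16 Locky "Attached document" campaign.

Added example (not from the paste). Indicator values are taken from the paste;
the proxy-log line format and every sample input below are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators from the paste.
DOWNLOAD_PATH = "/hjg766"
C2_HOSTS = {"37.235.50.29", "176.121.14.95", "86.110.117.155", "83.220.172.182"}
C2_PATH = "/checkupdate"
# Attachment naming: "<4 digits>_<3-4 digits>.docm"
ATTACHMENT_RE = re.compile(r"^\d{4}_\d{3,4}\.docm$", re.IGNORECASE)
# Execution: rundll32.exe %TEMP%\<filename>.aww,GetMessage
# (matches both the literal %TEMP% form and an expanded ...\Temp\ path)
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*temp%?\\[^\\\s,]+\.aww\s*,\s*getmessage", re.IGNORECASE
)


def email_indicators(sender, recipient, subject, body, attachments):
    """Return the campaign traits a message exhibits (lure-level triage)."""
    hits = []
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    if sender.lower() == f"copier@{recipient_domain}":
        hits.append("sender is copier@<recipient's own domain>")
    if subject.strip().lower() == "attached document":
        hits.append("subject 'Attached document'")
    if not body.strip():
        hits.append("empty body")
    hits.extend(f"attachment name pattern: {a}" for a in attachments if ATTACHMENT_RE.match(a))
    return hits


def email_is_campaign_lure(sender, recipient, subject, body, attachments):
    """Flag only when the .docm name pattern is present together with at least two
    other traits; a genuine scan-to-email from copier@ alone must not trigger."""
    hits = email_indicators(sender, recipient, subject, body, attachments)
    has_attachment = any(h.startswith("attachment") for h in hits)
    return has_attachment and len(hits) >= 3


def classify_url(method, url):
    """Classify one request as 'download-site', 'c2' or None (no indicator hit)."""
    p = urlparse(url)
    if method.upper() == "POST" and p.hostname in C2_HOSTS and p.path == C2_PATH:
        return "c2"
    if method.upper() == "GET" and p.path == DOWNLOAD_PATH:
        return "download-site"
    return None


def scan_proxy_log(lines):
    """lines are 'METHOD URL' strings (constructed format); returns [(line, label)] for hits."""
    out = []
    for line in lines:
        method, _, url = line.partition(" ")
        label = classify_url(method, url)
        if label:
            out.append((line, label))
    return out


def process_is_loader(command_line):
    """True when a process-creation command line matches the rundll32 loader pattern."""
    return bool(RUNDLL32_RE.search(command_line))


# Constructed sample inputs (indicator values from the paste, everything else made up).
SAMPLE_PROXY_LOG = [
    "GET http://aacom.pl/hjg766",
    "GET http://www.example.com/index.html",
    "POST http://37.235.50.29/checkupdate",
    "POST http://37.235.50.29/other",
]
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\9310.aww,GetMessage",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    print(email_is_campaign_lure("copier@example.org", "alice@example.org",
                                 "Attached document", "", ["9310_0038.docm"]))
    for line, label in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(label, line)
    for cmd in SAMPLE_CMDLINES:
        print(process_is_loader(cmd), cmd)
```

- The `/hjg766` path check deliberately ignores the hostname, since the compromised download hosts rotate (see the UPDATE entries) while the path stayed constant across the list; the C2 check, by contrast, requires host, method and path together because `/checkupdate` alone is too generic.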