- 2017-09-01: #locky email phishing campaign "New voice message"
- Samples: 549
- Email sample:
- -----------------------------------------------------------------------------------------------------------------------
- From: "Voicemail Service" <vmservice@[REDACTED]>
- To: [REDACTED]
- Subject: New voice message 14919581557 in mailbox 149195815571 from "14919581557" <6149529104>
- Date: Fri, 01 Sep 2017 15:43:33 +0530
- Dear user:
- just wanted to let you know you were just left a 0:13 long message (number 14919581557)
- in mailbox 149195815571 from "14919581557" <6149529104>, on Fri, 01 Sep 2017 15:43:33 +0530
- so you might want to check it when you get a chance. Thanks!
- --Voicemail Service
- Attachment: MSG0000000099.7z ->
- -----------------------------------------------------------------------------------------------------------------------
- - sender is "Voicemail Service" <vmservice@[recipient's domain]>
- - subject is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- - attached file "MSG0000000<3 digits>.7z" contains file "MSG0000000<3 digits>.vbs", a VBScript downloader which will download encoded malware from:
- Download sites:
- Malware:
- - Locky, lukitus variant
- - encoded on download, SHA256 d98a03d050232868e7990f5f5351cb27dee87044f524e15e8854c64c0bfc2b45, MD5 bd514d7c0102ef91bfccfeebdaa2109d
- - decode by XORing with "wHIPx3Yg61EQPp0WWfE33TIdtOCRENrF"
- - decoded SHA256 9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a, MD5 9a7b1125663fda90031be892d2d5f39e
- - VT: https://www.virustotal.com/file/9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a/analysis/1504260662/
- - HA: https://www.hybrid-analysis.com/sample/9c6db2a1c10359554978f5410a8bfc0a1edb9b02ce368a69a6ecc72aa4ebf53a?environmentId=100
- - C2: POST 82.202.221.108:80//imageload.cgi
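As an added illustration (not part of the original note), a small Python helper that turns the lure indicators above into a mail-filter check and reproduces the repeating-key XOR step so an analyst can verify a captured download against the decoded hash the note publishes; the addresses and payload bytes used below are constructed.

```python
import hashlib
import re
from email.utils import parseaddr
from typing import Tuple

# Indicators taken from the note: subject template, attachment name template,
# sender local-part spoofing the recipient's own domain, and the XOR key.
SUBJECT_RE = re.compile(
    r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$'
)
ATTACHMENT_RE = re.compile(r"^MSG0000000\d{3}\.7z$")
XOR_KEY = b"wHIPx3Yg61EQPp0WWfE33TIdtOCRENrF"


def matches_campaign(from_hdr: str, to_hdr: str, subject: str, attachment: str) -> bool:
    """True when all lure features line up: 'vmservice' sender on the recipient's
    own domain, the numeric subject template, and an MSG0000000NNN.7z attachment."""
    _, from_addr = parseaddr(from_hdr)
    _, to_addr = parseaddr(to_hdr)
    from_local, _, from_domain = from_addr.rpartition("@")
    _, _, to_domain = to_addr.rpartition("@")
    return (
        from_local.lower() == "vmservice"
        and from_domain.lower() == to_domain.lower() != ""
        and SUBJECT_RE.match(subject) is not None
        and ATTACHMENT_RE.match(attachment) is not None
    )


def xor_decode(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo the repeating-key XOR encoding applied to the downloaded payload.
    XOR is its own inverse, so the same call also re-encodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def decode_and_hash(blob: bytes, key: bytes = XOR_KEY) -> Tuple[bytes, str]:
    """Decode a captured download and return (plaintext, SHA256 hex) so the
    result can be compared with the decoded hash listed in the note."""
    plain = xor_decode(blob, key)
    return plain, hashlib.sha256(plain).hexdigest()


if __name__ == "__main__":
    # Constructed sample, not a real payload.
    captured = xor_decode(b"MZ" + b"\x00" * 40 + b"constructed-sample")
    plain, digest = decode_and_hash(captured)
    print(len(plain), digest)
```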