API tools faq
paste
Advertisement
Racco42

2017-06-06 Jaff "Order"

Racco42
Jun 6th, 2017
2,696
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.12 KB | None | 0 0
raw download clone embed print report
  1. 2017-06-06 #jaff email phishing campaign "Order"
  2.  
  3. Email sample:
  4. ------------------------------------------------------------------------------------------------------------
  5. From: "Lonnie sims" <Lonnie@dental-discount-plans-guide.com>
  6. To: [REDACTED]
  7. Subject: Order
  8. Date: Tue, 06 Jun 2017 15:14:35 +0600
  9.  
  10.  
  11. Attachment: MX-2310U_20170606_151435.pdf
  12. ------------------------------------------------------------------------------------------------------------
  13. - sender is random
  14. - subject is "Order"
  15. - email body is empty
  16. - attached file "MX-2310U_20170606_<6 digits>.pdf" contains embedded .docm file which contain macro that will download malware from one of the download sites:
  17.  
  18. Download sites:
  19. http://10minutesto1.net/jt7677g6
  20. http://cafe-bg.com/jt7677g6
  21. http://cifroshop.net/jt7677g6
  22. http://community-gaming.de/jt7677g6
  23. http://cor-huizer.nl/jt7677g6
  24. http://essentialnulidtro.com/af/jt7677g6
  25. http://lcpinternational.fr/jt7677g6
  26. http://luxurious-ss.com/jt7677g6
  27. http://makh.ch/jt7677g6
  28. http://marcelrahner.com/jt7677g6
  29. http://mciverpei.ca/jt7677g6
  30. http://mitservices.net/jt7677g6
  31. http://myinti.com/jt7677g6
  32. http://mymobimarketing.com/jt7677g6
  33. http://oneby1.jp/jt7677g6
  34. http://rhiannonwrites.com/jt7677g6
  35. http://sdmqgg.com/jt7677g6
  36. http://seoulhome.net/jt7677g6
  37. http://sextoygay.be/jt7677g6
  38. http://siddhashrampatrika.com/jt7677g6
  39. http://squidincdirect.com.au/jt7677g6
  40. http://stlawyers.ca/jt7677g6
  41. http://studyonazar.com/jt7677g6
  42. http://supplementsandfitness.com/jt7677g6
  43. http://zechsal.pl/jt7677g6
  44.  
  45. Malware:
  46. - encoded on download SHA256 eb5e237ba12a3179c7764a6137df4df314ba540ee6e7a96d6eff294f40b29a4b, MD5 76e150bceffaee4322fa70b2c48ced16
  47. - decode by XORing downloaded file with "ZID4uEPifSSuQCN32XMC7VOlV4Wu8BLn"
  48. - decoded SHA256 3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44 ,MD5 5ca3d8cf1cde038e762b535ec4e905fe
  49. - VT: https://www.virustotal.com/file/3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44/analysis/1496759309/
  50. - HA: https://www.reverse.it/sample/3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44?environmentId=100
  51.  
  52. C2:
  53. GET http://whoisfoxxrobiouy.net/a5/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!