- 2016-09-27 #locky email phishing campaign "27092016xxxxxx.pdf"
- Email:
- ------------------------------------------------------------------------------------------------
- From: Dana vickers <Dana.vickers0549@wintersville5k.com>
- To: [REDACTED]
- Subject: 2709201615142997344892.pdf
- Date: Tue, 27 Sep 2016 15:14:29 +0500
- Attachment: 2709201615142997344892.pdf.zip
- ------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject has the form "27092016<random numbers>.pdf"
- - body of the email is empty
- - attached file, named to match the subject ("27092016<random numbers>.pdf", delivered as .zip), contains a <random chars>.wsf file, a JScript downloader
- Download sites:
- Malware:
- - encoded on download: SHA256 caece04f3b1259ea66d603543480cc3c70db73f9d2b20b5095afa2126ef5dc33, filesize 229376 bytes
- - decoded: SHA256 0e0cef2fdbccf410e238dc4a9fa7c5b04e674d76a2e78708854ffa5e1bf3d3f2
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- - samples
- C2:
- POST 62.173.154.240:80/apache_handler.php
- POST 5.196.200.247:80/apache_handler.php
- POST uiwaupjktqbiwcxr.xyz:80/apache_handler.php [86.110.118.114]
- POST rflqjuckvwsvsxx.click:80/apache_handler.php [86.110.118.114]
- POST dypvxigdwyf.org:80/apache_handler.php [69.195.129.70]
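As an added detection example (not part of the paste), the checks below encode the traits listed here: the subject/attachment naming with a .wsf inside the zip, the /78hceef download path and /apache_handler.php C2 path, and the rundll32 ...,qwerty execution. The proxy log format, command lines and all sample values are constructed.

```python
import io
import re
import zipfile

# Subject and attachment naming from the note: "27092016<random numbers>.pdf",
# delivered as "<subject>.zip" holding a <random chars>.wsf JScript downloader
SUBJECT_RE = re.compile(r"^27092016\d+\.pdf$")
# URI paths from the note: payload download path and C2 POST path
URL_PATH_RE = re.compile(r"/(78hceef|apache_handler\.php)$")
# Execution of the dropped DLL via rundll32 with the "qwerty" export
RUNDLL_RE = re.compile(r"rundll32\.exe\s+\S+\.dll,qwerty\b", re.IGNORECASE)

def email_traits(subject, attachment_name, body, attachment_bytes):
    """Return the campaign traits an inbound email shows (empty list = no match)."""
    traits = []
    if SUBJECT_RE.match(subject):
        traits.append("subject")
    if attachment_name == subject + ".zip":
        traits.append("attachment-name")
    if not body.strip():
        traits.append("empty-body")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            if any(name.lower().endswith(".wsf") for name in zf.namelist()):
                traits.append("wsf-in-zip")
    except zipfile.BadZipFile:
        pass  # not a zip archive, nothing further to inspect
    return traits

def url_hits(log_lines):
    """Return (method, url) for constructed proxy lines '<ts> <client> <method> <url>'
    whose URI path matches a download-site or C2 path from the note."""
    hits = []
    for line in log_lines:
        method, url = line.split()[-2:]
        if URL_PATH_RE.search(url.split("?")[0]):
            hits.append((method, url))
    return hits

def rundll32_hits(cmdlines):
    """Return process command lines matching the rundll32 ...,qwerty execution."""
    return [cmd for cmd in cmdlines if RUNDLL_RE.search(cmd)]

def make_sample_zip():
    """Constructed stand-in for the attachment: a zip holding one inert .wsf entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ab12cd.wsf", "placeholder")
    return buf.getvalue()
```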