Racco42

2016-09-27 Locky "27092016xxxxxx.pdf"

Sep 27th, 2016
2016-09-27 #locky email phishing campaign "27092016xxxxxx.pdf"

Email:
------------------------------------------------------------------------------------------------
From: Dana vickers <Dana.vickers0549@wintersville5k.com>
To: [REDACTED]
Subject: 2709201615142997344892.pdf
Date: Tue, 27 Sep 2016 15:14:29 +0500

Attachment: 2709201615142997344892.pdf.zip
------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is of the form "27092016<random numbers>.pdf"
- body of the email is empty
- attached zip, named to match the subject "27092016<random numbers>.pdf", contains a <random chars>.wsf file, a JScript downloader

Download sites:
http://akseko.ru/78hceef
http://amsterdamrent.com/78hceef
http://australiandesignerweddings.com/78hceef
http://baitcalculator.com/78hceef
http://bb-alarm.com/78hceef
http://brambory.net/78hceef
http://cg3dstudio.com/78hceef
http://cimetieremontroyal.com/78hceef
http://deadly-city.com/78hceef
http://dealerjoin.com/78hceef
http://diemsolutions.com/78hceef
http://essennarose.com/78hceef
http://eventbuzzuk.com/78hceef
http://gharazi.com/78hceef
http://gouri-gouri.com/78hceef
http://grijspaardt.nl/78hceef
http://haikhhoose.com/78hceef
http://hedefosgb.com/78hceef
http://hurbtrade.com/78hceef
http://idealuze.com/78hceef
http://intardesign.com/78hceef
http://linbao.org/78hceef
http://maxtherm.net/78hceef
http://mediaalias.com/78hceef
http://nerosk.ru/78hceef
http://peryskop.biz/78hceef
http://usedtextilemachinerylive.com/78hceef
http://wssunhui.com/78hceef

UPDATED:
http://art-asfalt.com/78hceef
http://bezdeals.com/78hceef
http://dashandling.com/78hceef
http://fixturesexpress.com/78hceef
http://profsonstage.com/78hceef
http://upav.org/78hceef
http://www.musicbarpriatelia.sk/78hceef
http://xdesign-p.com/78hceef

Malware:
- encoded on download, SHA256 caece04f3b1259ea66d603543480cc3c70db73f9d2b20b5095afa2126ef5dc33, filesize 229376 bytes
- decoded SHA256 0e0cef2fdbccf410e238dc4a9fa7c5b04e674d76a2e78708854ffa5e1bf3d3f2
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples:
https://www.reverse.it/sample/4a70494c8a680d415e8f511dc87fd2cc4b9785784d7ab60b263f014810e71fca?environmentId=100
https://www.reverse.it/sample/4c372ca7b035de3ed35aad3fd2b74bed45fb3ff5af5e69194a057ccebbddce1e?environmentId=100
https://www.reverse.it/sample/27809af0fc90727ed8c8ddf1a7814dcd0d4996c078bf8471a35e8e545beb8c50?environmentId=100
https://www.reverse.it/sample/854531886dcd748b1e94f4fdbd7502ee140121f7123d1bec130b507b6b49a0fb?environmentId=100
https://www.reverse.it/sample/da39201c73907a89c9caa668d555afd0c46ccaa1e9508952640c6583e71532d3?environmentId=100

C2:
POST 62.173.154.240:80/apache_handler.php
POST 5.196.200.247:80/apache_handler.php
POST uiwaupjktqbiwcxr.xyz:80/apache_handler.php [86.110.118.114]
POST rflqjuckvwsvsxx.click:80/apache_handler.php [86.110.118.114]
POST dypvxigdwyf.org:80/apache_handler.php [69.195.129.70]
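Added detection example, not part of the paste: the lure pattern, the shared download path, the C2 POST path/hosts, the rundll32 ",qwerty" execution line and the two payload hashes above turned into matching rules and run over a handful of constructed sample events (mail metadata, proxy log entries, process command lines, a file hash). The indicators are copied from the paste; the event dictionaries, field names and the sample entries are assumptions made for the example.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Indicators copied from the paste above.
DOWNLOAD_PATH = "/78hceef"            # identical path on every download site
C2_PATH = "/apache_handler.php"
C2_HOSTS = {
    "62.173.154.240", "5.196.200.247", "86.110.118.114", "69.195.129.70",
    "uiwaupjktqbiwcxr.xyz", "rflqjuckvwsvsxx.click", "dypvxigdwyf.org",
}
PAYLOAD_HASHES = {
    "caece04f3b1259ea66d603543480cc3c70db73f9d2b20b5095afa2126ef5dc33": "encoded download",
    "0e0cef2fdbccf410e238dc4a9fa7c5b04e674d76a2e78708854ffa5e1bf3d3f2": "decoded DLL",
}

# Lure: subject "27092016<random numbers>.pdf", empty body, zip named after the subject.
SUBJECT_RE = re.compile(r"^27092016\d+\.pdf$", re.IGNORECASE)
ZIP_RE = re.compile(r"^27092016\d+\.pdf\.zip$", re.IGNORECASE)

# Execution: rundll32.exe %TEMP%\<dll_name>,qwerty (expanded or unexpanded %TEMP%).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+.*?(?:\\|%)temp%?\\[^,\s"]+"?,\s*qwerty\b', re.IGNORECASE)


def check_email(subject: str, attachment: str, body: str) -> List[str]:
    """Return the lure traits that match; subject + zip together is the strong signal."""
    hits = []
    subject, attachment = subject.strip(), attachment.strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject-pattern")
    if ZIP_RE.match(attachment):
        hits.append("zip-attachment")
        if attachment[:-4].lower() == subject.lower():   # "<name>.pdf.zip" vs "<name>.pdf"
            hits.append("attachment-matches-subject")
    if not body.strip():
        hits.append("empty-body")
    return hits


def check_url(method: str, url: str) -> Optional[str]:
    """Classify a proxy/web log entry: payload download, C2 beacon, or nothing."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if parsed.path == DOWNLOAD_PATH:
        return "payload-download"        # path is the stable IoC; hosts rotate
    if parsed.path == C2_PATH:
        if host in C2_HOSTS:
            return "c2-beacon"
        if method.upper() == "POST":
            return "c2-path-posted"      # weaker: known path, host not in the list
    return None


def check_process(cmdline: str) -> bool:
    """True when rundll32 loads a DLL from %TEMP% and calls the 'qwerty' export."""
    return RUNDLL_RE.search(cmdline) is not None


def check_hash(sha256: str) -> Optional[str]:
    return PAYLOAD_HASHES.get(sha256.strip().lower())


# Constructed sample events (assumed shapes, not from the paste): one hit and one miss per kind.
SAMPLE_EVENTS = [
    {"type": "email", "subject": "2709201615142997344892.pdf",
     "attachment": "2709201615142997344892.pdf.zip", "body": ""},
    {"type": "email", "subject": "Q3 figures", "attachment": "figures.xlsx", "body": "See attached."},
    {"type": "web", "method": "GET", "url": "http://brambory.net/78hceef"},
    {"type": "web", "method": "POST", "url": "http://uiwaupjktqbiwcxr.xyz:80/apache_handler.php"},
    {"type": "web", "method": "GET", "url": "http://example.com/index.html"},
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\abcd.dll,qwerty"},
    {"type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "hash", "sha256": "0e0cef2fdbccf410e238dc4a9fa7c5b04e674d76a2e78708854ffa5e1bf3d3f2"},
]


def scan(events):
    """Run each event through the matching check; return (event index, verdict) pairs."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "email":
            hits = check_email(ev["subject"], ev["attachment"], ev["body"])
            if "subject-pattern" in hits and "zip-attachment" in hits:
                findings.append((i, "locky-lure:" + ",".join(hits)))
        elif kind == "web":
            verdict = check_url(ev["method"], ev["url"])
            if verdict:
                findings.append((i, verdict))
        elif kind == "process" and check_process(ev["cmdline"]):
            findings.append((i, "rundll32-qwerty-export"))
        elif kind == "hash":
            label = check_hash(ev["sha256"])
            if label:
                findings.append((i, "known-payload:" + label))
    return findings


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(idx, verdict, SAMPLE_EVENTS[idx])
```

The download rule keys on the path alone because the paste shows the same `/78hceef` across every site and a later batch of new hosts; the C2 rule reports a weaker verdict for POSTs to `/apache_handler.php` on hosts outside the list so that analysts can review them without treating them as confirmed.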