2016-09-13 #locky email phishing campaign "Accounts Documentation - Invoices"

Email:
---------------------------------------------------------------------------------------------------------
From: <CreditControl@[REDACTED]>
To: [REDACTED]
Subject: Accounts Documentation - Invoices
Date: Tue, 13 Sep 2016 11:22:52 +0200

Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:
CreditControl@[REDACTED]
Please do not reply to this E-mail as this is a forwarding address only.

Attachment: "~9605040057451.zip"
---------------------------------------------------------------------------------------------------------
- sender address is CreditControl@<recipient's domain>
- subject "Accounts Documentation - Invoices"
- attached file "~<random number>.zip" contains file "<random>.hta" which contains a JScript downloader

Download sites (actual URLs contain suffix ?<random>=<random> which does not influence the download):
Malware:
- encoded on download, SHA256 53ef735d293aac618317c0e34ad4d8bbbd83b98fde13159df87e24047c726293, filesize 163840 bytes
- decoded SHA256 5c4b6cf06bea41cd231d9131c6958e95664f72b65c124461fb879b866dde963f
- executed by "rundll32.exe %TEMP%\OUJbeLSyX1.dll,qwerty"
C2:
no C2 communication
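As an added defender-side example (not part of the original paste), the indicators above turned into a small Python triage check: the spoofed CreditControl@<recipient's domain> sender, the campaign subject, the ~<digits>.zip attachment name, the two SHA256 hashes, and rundll32 loading a DLL from a Temp directory through an explicit export. The sample records are constructed; matching any Temp-path DLL and export name rather than the one observed command line is a generalisation of what the paste reports.

```python
import re

# Indicators taken from the campaign notes above.
SUBJECT = "Accounts Documentation - Invoices"
ATTACHMENT_RE = re.compile(r"^~\d+\.zip$", re.IGNORECASE)
KNOWN_SHA256 = {
    "53ef735d293aac618317c0e34ad4d8bbbd83b98fde13159df87e24047c726293",  # encoded payload as downloaded
    "5c4b6cf06bea41cd231d9131c6958e95664f72b65c124461fb879b866dde963f",  # decoded DLL
}
# rundll32 loading a DLL from %TEMP% (or an expanded ...\Temp path) through an explicit
# export; this generalises the single observed command line to any DLL name/export.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>(?:%TEMP%|[A-Za-z]:\\[^\"]*?\\Temp)\\[^\\\",]+\.dll)\"?,(?P<export>\w+)",
    re.IGNORECASE,
)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as '<User@Example.com>'."""
    return address.strip("<> ").rsplit("@", 1)[-1].lower()


def check_email(sender: str, recipient: str, subject: str, attachment: str) -> list[str]:
    """Return the campaign indicators matched by one message's headers."""
    hits = []
    local = sender.strip("<> ").partition("@")[0]
    # The lure is sent as CreditControl@ the recipient's own domain.
    if local.lower() == "creditcontrol" and domain_of(sender) == domain_of(recipient):
        hits.append("sender spoofs CreditControl@ at recipient's own domain")
    if subject.strip() == SUBJECT:
        hits.append("campaign subject")
    if ATTACHMENT_RE.match(attachment.strip()):
        hits.append("~<digits>.zip attachment")
    return hits


def check_process(cmdline: str, sha256: str = "") -> list[str]:
    """Return the indicators matched by a process-creation record."""
    hits = []
    m = RUNDLL_RE.search(cmdline)
    if m:
        hits.append(f"rundll32 loads {m['dll']} via export {m['export']}")
    if sha256.lower() in KNOWN_SHA256:
        hits.append("known Locky payload hash")
    return hits


if __name__ == "__main__":
    # Constructed sample records, not real telemetry.
    print(check_email("<CreditControl@example.com>", "alice@example.com", SUBJECT, "~9605040057451.zip"))
    print(check_process(r"rundll32.exe %TEMP%\OUJbeLSyX1.dll,qwerty"))
    print(check_process(r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"))
```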