- 2016-09-22 #locky email phishing campaign "Invoice INV0000xxxxx"
- Email:
- -----------------------------------------------------------------------------------------------------------------
- From: "Eddie frau" <Eddie39@blairhowardphotography.com>
- To: [REDACTED]
- Subject: Invoice INV00004551013
- Date: Thu, 22 Sep 2016 18:04:07 +0530
- Please find our invoice attached.
- Attachment: Invoice_INV00004551013.zip
- -----------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Invoice INV0000<random numbers>"
- - attached file Invoice_INV0000<random numbers>.zip (name matches the subject) contains a file <random characters>.js, a JScript downloader
- Download sites (the actual URLs carry a ?<random>=<random> query suffix, which does not affect the download):
- Malware:
- - encoded on download, SHA256 bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75, filesize 247808 bytes
- - decoded SHA256 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- - samples
- https://www.reverse.it/sample/9f34183f27725073af10f3dfb84acf686346905293debc6b51c45673622aa9aa?environmentId=100
- https://www.reverse.it/sample/ecc138625a7dee243e8cb7d822d0fb8d0ce80730f6587bc8875e531e8089ea11?environmentId=100
- https://www.reverse.it/sample/1fc3bfdea8b8b8d9da4bd8821aebda1f20faba7584da8204d29ea5fde0b8f2f4?environmentId=100
- https://www.reverse.it/sample/d9f4ff62536e38f0b5dfc6ea3cef6b192fccd9d44dce613f919ce360c1bdbec8?environmentId=100
- https://www.reverse.it/sample/f2da58038718229d27104f7ae265896013187bb6ea476da1541ff03de4507084?environmentId=100
- C2:
- 88.198.76.76:80/data/info.php
- 51.254.108.40:80/data/info.php
- tswsgajtwhqkosd.su/data/info.php [91.239.235.130]
- jfmiondv.xyz/data/info.php [91.239.235.130]
- wnrgttsfmhfmmoqxm.biz/data/info.php [69.195.129.70]
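Added detection helper (not code from the original paste) that turns the notes above into checks: the Subject / attachment naming pattern with matching numeric IDs, a .js member inside the .zip, and the rundll32 launch of a DLL from %TEMP% with the "qwerty" export. The subject, attachment name, zip member and command lines used below are constructed samples.

```python
"""Triage helpers for the "Invoice INV0000xxxxx" Locky lure (added example)."""
import io
import re
import zipfile

SUBJECT_RE = re.compile(r"^Invoice INV0000(\d+)$")
ATTACH_RE = re.compile(r"^Invoice_INV0000(\d+)\.zip$", re.IGNORECASE)
# rundll32 loading a file from %TEMP% (literal or expanded) and calling export "qwerty"
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*(?:%TEMP%|\\temp)\\[^,\s]+,\s*qwerty\b", re.IGNORECASE)


def lure_ids(subject, attachment_name):
    """Return (subject_id, attachment_id) when both match the lure pattern, else None."""
    s = SUBJECT_RE.match(subject or "")
    a = ATTACH_RE.match(attachment_name or "")
    return (s.group(1), a.group(1)) if s and a else None


def js_members(zip_bytes):
    """Names of .js members inside the zip payload (the downloader stage)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".js")]


def matches_lure(subject, attachment_name, zip_bytes):
    """True when names match, their numeric IDs agree and the zip holds a .js file."""
    ids = lure_ids(subject, attachment_name)
    if ids is None or ids[0] != ids[1]:
        return False
    try:
        return bool(js_members(zip_bytes))
    except zipfile.BadZipFile:
        return False


def is_rundll32_temp_launch(cmdline):
    """True for the execution pattern rundll32.exe %TEMP%\\<dll_name>,qwerty."""
    return RUNDLL_RE.search(cmdline) is not None


def build_zip(member_name, content=b"// constructed placeholder, not the real script\n"):
    """Build an in-memory zip with one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip("kq8sd2x.js")  # constructed member name
    print(matches_lure("Invoice INV00004551013", "Invoice_INV00004551013.zip", sample))
    print(is_rundll32_temp_launch(r"rundll32.exe %TEMP%\abc.dll,qwerty"))
```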