- 2016-09-21 #locky email phishing campaign "Payment approved"
- Email:
- --------------------------------------------------------------------------------------------------------
- From: "Daren Whitfield" <Whitfield.1377@spectranet.in>
- To: [REDACTED]
- Subject: Payment approved
- Date: Wed, 21 Sep 2016 11:17:30 -0700
- Dear [REDACTED],
- Your payment has been approved. Your account will be debited within two days.
- You can email us for any query regarding your account.
- Thank you.
- Daren Whitfield
- Support
- Attachment: 0b6916c3116.zip
- --------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Payment approved"
- - attached file <random hexa chars>.zip contains two files:
- - a zero-filled junk file with a one-letter name
- - "payment details PDF ~<random hexa>~.js" - a JScript downloader
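The archive structure above (hex-named zip, one-letter zero-filled junk file, a .js named to look like a PDF) is enough for a structural triage check that does not depend on a hash match. The script below is an added example, not part of the paste: it builds a stand-in archive in memory (the member names and the placeholder JScript body are constructed, not the real downloader) and flags the two traits together.

```python
"""Structural triage for the 2016-09-21 Locky lure archive (added example).

The paste describes the attachment as <random hex>.zip holding a one-letter,
zero-filled junk file and "payment details PDF ~<hex>~.js" (a JScript
downloader). These checks reproduce that structure on a zip given as bytes,
so a quarantined attachment can be triaged offline. The sample archive built
below is constructed for the demo; its JS body is a harmless placeholder.
"""
import io
import re
import zipfile

ZIP_NAME_RE = re.compile(r"^[0-9a-f]{6,}\.zip$", re.I)      # e.g. 0b6916c3116.zip
LURE_JS_RE = re.compile(r"pdf\s*~[0-9a-f]+~\.js$", re.I)    # "... PDF ~<hex>~.js"
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|wsf|vbs)$", re.I)    # any script host extension


def attachment_name_suspicious(name: str) -> bool:
    """True if the attachment name matches the campaign's <hex>.zip pattern."""
    return bool(ZIP_NAME_RE.match(name))


def triage_zip(data: bytes) -> dict:
    """Return the structural indicators found inside a zip supplied as bytes."""
    result = {
        "members": [],
        "lure_script": None,      # member matching "... PDF ~<hex>~.js"
        "script_members": [],     # any member with a script-host extension
        "zero_filled_junk": [],   # one-character name, content entirely NUL bytes
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            result["members"].append(name)
            if SCRIPT_EXT_RE.search(name):
                result["script_members"].append(name)
            if LURE_JS_RE.search(name):
                result["lure_script"] = name
            stem = name.rsplit(".", 1)[0]
            if len(stem) == 1:
                body = zf.read(info)
                if body and body.count(b"\x00") == len(body):
                    result["zero_filled_junk"].append(name)
    # Both traits together is the campaign signature; either alone is only a hint.
    result["verdict"] = bool(result["lure_script"] and result["zero_filled_junk"])
    return result


def build_sample_zip(js_name="payment details PDF ~a91f3c~.js", junk_name="q") -> bytes:
    """Constructed stand-in for the campaign archive (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(junk_name, b"\x00" * 4096)
        zf.writestr(js_name, "// placeholder JScript body, not the real downloader\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with no script and no junk file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    hit = triage_zip(build_sample_zip())
    print(hit["verdict"], hit["lure_script"], hit["zero_filled_junk"])
```

The verdict requires both traits so a lone `.js` in a zip does not trip it; `script_members` is still reported so an analyst can pivot on any script-host member even when the lure naming changes.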
- Download sites (all hosted on 95.173.164.205, 190.147.38.2):
- http://alvussauna.com/eq7bpu
- http://alvussauna.com/xlacxlzd
- http://alvussauna.com/ybvo28z
- http://konakmomo.com/p9s2t
- http://konakmomo.com/pqoejxv
- http://konakmomo.com/uimjwsb
- http://savinobit.net/hgmsg41
- http://savinobit.net/vzz334b
- http://savinobit.net/xe1oc
- http://viewglenn.net/hk8rxr
- http://viewglenn.net/udungr
- http://viewglenn.net/zd2m51a7
- http://watersampi.net/9djkl
- http://watersampi.net/em66dz
- http://watersampi.net/ql1vl
- Malware
- - payload is encoded at download time; file sizes vary
- efb701f339b0c974f0e6aa15a7967e29e61e867524ea4cc04b370c09b947345c http___alvussauna.com_eq7bpu
- c3b718bed485eeda91be5a71e98ae944dbb5e252fbb85590d110c77b2f51c416 http___alvussauna.com_xlacxlzd
- 1ebbe6e9ed3b192ac35c379de6d2397f63d6931729b06721969b1fae3bec8b8e http___alvussauna.com_ybvo28z [3]
- 8ba5e39ceba6cd461c5fe03dda250aeaa5b6d5e7da622302341165a215bfd9f6 http___konakmomo.com_p9s2t
- f949dc8e550c23c0d1f752627aefbaec571c3e21af43d260db04a78babd30478 http___konakmomo.com_pqoejxv
- fa1b23f98405a963e7ad2cec8c74b3d9ae5fe0aa062e35c8759f9202a00a11d0 http___konakmomo.com_uimjwsb [4]
- f843548f6d80afd1d6eb6c2cd9fab9ecbd99f51ecbed41e069ad522d3f9e371e http___savinobit.net_hgmsg41
- 72835af02ca66c1e63b68d7d1e6033f193aca7e6634aded4776616c2f818f264 http___savinobit.net_vzz334b [1]
- c7a4abfd2574bd5ed83210a630800658ee56de20c6fdbaa6d6f3ccfe316a8d4e http___savinobit.net_xe1oc [6]
- a059606b721ad61a9ccd7e1b064d9e151b98d33b6f346009ef8ce15a1b8e088b http___viewglenn.net_hk8rxr
- 4700f7bd096e0ed34259d45d2b03ec4d635a44cfc64dea949d62d20e620b60b1 http___viewglenn.net_udungr [2]
- 126b90181c381ef829487e2177b55af889e414104ddf99cb1ae7feea2d1f4b2c http___viewglenn.net_zd2m51a7
- 06c5becdae351eadef74918250bab2c704b8844fc23d56f825eebf999f0e758e http___watersampi.net_9djkl [5]
- fa055afab7a0182fbaa2087fe6c989f919d0a3db9f9724ef92afa9f8a0e5ee34 http___watersampi.net_em66dz
- 2829309b0fbe57a7b432b834c13da95c57b4dcc1145d44c83a571bb34441dc65 http___watersampi.net_ql1vl [7]
- - decoded
- 5eeac2c253009778e5566007ca5be5ad77519b82d02abafe548229ffecaf08b6 [1]
- eac9cf643bc90d4a49235231623e722e574cfe7314efb35dc0b81919ff66132d [2]
- 4d50b0261adb605c40f99ee45d4493d268030414cc04c57bae479d193d22ab1a [3]
- 1b84ca6d58212c712d712f996d2bcbd1d3ae9779949378da5e557ae35f8a09af [4]
- 794c8f3adbb80ef951e361847ede460f66aa1e2716910185ae8690da79547070 [5]
- 97f8db454a4c4054c4b80a08b0df79c68a70992626f3228b8ac67f2f8e103706 [6]
- e70b0734a24f7e4c71f35bbdf3ba6c411887bbdde2b0d54be56346056b594349 [7]
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
- https://www.reverse.it/sample/a31a1dde0b2d683e4ae7fa3037209a425605b8e0a49f1607ea1dd02a4eaed267?environmentId=100
- https://www.reverse.it/sample/463dfcaf29b9ac9397a8aa120ccddf7420f61ae5168e9e55fbc7bd9a8f12f29e?environmentId=100
- https://www.reverse.it/sample/b913ca9b6976b1846b7d36cab5b8fc09147f8eda84e9fde77f0aab4dfe5a2ab3?environmentId=100
- https://www.reverse.it/sample/297192cd8fae5d95505cb18604722e0601f0501dbf05c4ef038a483e423ac9ed?environmentId=100
- https://www.reverse.it/sample/0ae44892f78e5b5ddfc07e6a23fb55469f21e12c45e74661ad81e61b07893ece?environmentId=100
- https://www.reverse.it/sample/65a3b19a64cb050873d52bd516ca57db71468c4346052295e621af81f90cb37a?environmentId=100
- C2:
- - no C2 communication visible, but it is likely that the samples did not detonate properly (either through an error in the malware or by design)
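The execution line recorded above ("rundll32.exe %TEMP%\<dll_name>,qwerty 323") is the most durable host-side indicator in these notes, since the hashes and download URLs rotate. The script below is an added example, not part of the paste: it runs two rules over constructed process-creation events in a Sysmon-like key=value layout. Rule 1 flags rundll32 loading a DLL from a Temp directory and scores it high when the export and argument match the observed "qwerty 323". Rule 2 (wscript/cscript running a .js from a Temp or zip-extraction path) is my assumption about how the JScript downloader gets launched; the paste does not say.

```python
"""Flag the execution chain from the 2016-09-21 Locky notes in process logs.

Added example, not from the paste. The paste records the decoded payload
being launched as "rundll32.exe %TEMP%\<dll_name>,qwerty 323"; rule 1
matches rundll32 loading a DLL from a Temp directory and scores the hit
higher when the export name is the observed "qwerty" with a numeric
argument. Rule 2 (wscript/cscript running a .js from a Temp path) is an
assumption about how the JScript downloader runs. The "Key=Value|..." log
lines are constructed for the demo, loosely modelled on Sysmon event 1.
"""
import re

TEMP_PATH_RE = re.compile(r"(?:%temp%|\\temp|\\tmp)\\", re.I)
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+?)\"?,(?P<export>\w+)(?:\s+(?P<arg>\S+))?",
    re.I,
)
SCRIPT_RE = re.compile(r"\"?(?P<script>[^\"]+?\.(?:js|jse))\"?\s*$", re.I)


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' line into a dict (constructed layout)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def rule_rundll32_temp_dll(ev: dict):
    """rundll32 loading a DLL from a Temp path; high when it matches the paste."""
    if not ev.get("Image", "").lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL32_RE.search(ev.get("CommandLine", ""))
    if not m or not TEMP_PATH_RE.search(m.group("dll")):
        return None
    export, arg = m.group("export"), m.group("arg") or ""
    if export.lower() == "qwerty" and arg.isdigit():
        return ("high", f"rundll32 Temp DLL with export {export} {arg} (2016-09-21 Locky chain)")
    return ("medium", f"rundll32 loading {m.group('dll')} from a Temp directory")


def rule_script_host_temp_js(ev: dict):
    """wscript/cscript running a .js from a Temp path (assumed downloader launch)."""
    if not ev.get("Image", "").lower().endswith(("wscript.exe", "cscript.exe")):
        return None
    m = SCRIPT_RE.search(ev.get("CommandLine", ""))
    if not m or not TEMP_PATH_RE.search(m.group("script")):
        return None
    return ("medium", f"script host ran {m.group('script')} from a Temp path")


RULES = (rule_rundll32_temp_dll, rule_script_host_temp_js)


def scan(lines):
    """Return (EventId, severity, message) for every rule hit across the lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev.get("EventId", "?"), hit[0], hit[1]))
    return hits


# Constructed process-creation events; user names, paths and DLL names are made up.
SAMPLE_LOG = [
    r"EventId=101|Image=C:\Windows\explorer.exe|CommandLine=C:\Windows\explorer.exe",
    r'EventId=102|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_0b6916c3116.zip\payment details PDF ~a91f3c~.js"',
    r"EventId=103|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe %TEMP%\kjh21ss.dll,qwerty 323",
    r"EventId=104|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"EventId=105|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Event 104 (a legitimate rundll32 use) produces no hit, and event 105 lands at medium: rundll32 loading any DLL out of Temp is worth a look on its own, while the export name and numeric argument are what tie a hit to this specific campaign.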