Racco42

2017-09-20 Locky "New voice message"

Sep 20th, 2017
2017-09-20: #locky email phishing campaign "New voice message"

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: "ah@[REDACTED]>
Subject: New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>
Date: Wed, 20 Sep 2017 13:29:17 -0500

Dear user:

just wanted to let you know you were just left a 0:11 long message (number 15201136730)
in mailbox 152011367301 from "15201136730" <8822315162>, on Wed, 20 Sep 2017 19:34:51 +0300
so you might want to <a href="http://pickwick-poppins.com/voice.html>check</a> it when you get a chance. Thanks!

--Voicemail Service

Attachment: msg0434.7z -> IM9000338402.vbs
-----------------------------------------------------------------------------------------------------------------------
- sender address is forged to look like "Voicemail Service" vmservice@[recipient's domain]
- subject is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- body of the email contains a link to one of many sites that host a redirector to the malware script
- attached file "msg<4 digits>.7z" contains file "IM<9-10 digits>.vbs", a VBScript downloader
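An added example (not part of the original paste) of turning the traits listed above into a mail-gateway triage check; the sample message is constructed from the email above, with [REDACTED] replaced by the placeholder domain example.com:

```python
import re

# Campaign traits from the note above, expressed as heuristics for mail triage:
#   subject : New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>
#   sender  : "Voicemail Service" vmservice@<the recipient's own domain>
#   link    : http://<site>/voice.html
#   files   : msg<4 digits>.7z containing IM<9-10 digits>.vbs
SUBJECT_RE = re.compile(r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
SENDER_RE = re.compile(r'vmservice@([A-Za-z0-9.-]+)', re.IGNORECASE)
LINK_RE = re.compile(r'https?://[^\s"<>]+/voice\.html', re.IGNORECASE)
ARCHIVE_RE = re.compile(r'^msg\d{4}\.7z$', re.IGNORECASE)
SCRIPT_RE = re.compile(r'^IM\d{9,10}\.vbs$', re.IGNORECASE)


def mail_domain(header_value):
    """Lower-cased domain of the first address found in a From:/To: header value."""
    m = re.search(r'@([A-Za-z0-9.-]+)', header_value)
    return m.group(1).lower() if m else ''


def campaign_indicators(headers, body, attachments):
    """List the campaign traits one message matches. headers: dict of header name -> value;
    body: message text; attachments: file names, including names extracted from any archive."""
    hits = []
    if SUBJECT_RE.match(headers.get('Subject', '').strip()):
        hits.append('subject pattern')
    m = SENDER_RE.search(headers.get('From', ''))
    if m and m.group(1).lower() == mail_domain(headers.get('To', '')):
        hits.append('vmservice sender spoofs recipient domain')
    if LINK_RE.search(body):
        hits.append('voice.html redirector link')
    if any(ARCHIVE_RE.match(n) for n in attachments) and any(SCRIPT_RE.match(n) for n in attachments):
        hits.append('msg*.7z containing IM*.vbs')
    return hits


def is_voicemail_lure(headers, body, attachments, threshold=2):
    """Flag a message when at least `threshold` independent traits match, so a
    legitimate voicemail notification sharing only one trait is not quarantined."""
    return len(campaign_indicators(headers, body, attachments)) >= threshold


# Constructed sample modelled on the email in the note ([REDACTED] replaced by example.com).
SAMPLE_HEADERS = {
    'From': '"Voicemail Service" <vmservice@example.com>',
    'To': 'ah@example.com',
    'Subject': 'New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>',
}
SAMPLE_BODY = 'so you might want to <a href="http://pickwick-poppins.com/voice.html>check</a> it'
SAMPLE_ATTACHMENTS = ['msg0434.7z', 'IM9000338402.vbs']
```

The threshold keeps a single coincidental match (for instance a real PBX that also names its sender "vmservice") from quarantining legitimate mail.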

Redirector links (all of the form http://<site>/voice.html):
- all redirect via an iframe to http://hemrolunsparred.info/msg.php, which will probably deliver the same file as in the attachment

Malware download sites (all of the form http://<site>/slehGTexc):

Malware:
- locky, offline .ykcol variant
- SHA256: 302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418, MD5: 5dd7d5899168ac90325b350293c49ee2
- VT: https://www.virustotal.com/en/file/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418/analysis/1505926523/
- HA: https://www.reverse.it/sample/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418?environmentId=100