- 2017-09-20: #locky email phishing campaign "New voice message"
- Email sample:
- -----------------------------------------------------------------------------------------------------------------------
- From: "Voicemail Service" <vmservice@[REDACTED]>
- To: "ah@[REDACTED]>
- Subject: New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>
- Date: Wed, 20 Sep 2017 13:29:17 -0500
- Dear user:
- just wanted to let you know you were just left a 0:11 long message (number 15201136730)
- in mailbox 152011367301 from "15201136730" <8822315162>, on Wed, 20 Sep 2017 19:34:51 +0300
- so you might want to <a href="http://pickwick-poppins.com/voice.html>check</a> it when you get a chance. Thanks!
- --Voicemail Service
- Attachment: msg0434.7z -> IM9000338402.vbs
- -----------------------------------------------------------------------------------------------------------------------
- - sender address is forged to look like "Voicemail Service" vmservice@[recipient's domain]
- - subject is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- - the body of the email contains a link to one of the sites listed below, each hosting a redirector page (voice.html) that leads to the malware script
- - the attached file "msg<4 digits>.7z" contains a file "IM<9-10 digits>.vbs", a VBScript downloader
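The four characteristics above (forged sender in the recipient's own domain, fixed-shape subject, voice.html link, msg<4 digits>.7z attachment with an IM<digits>.vbs inside) are enough to write a mail-gateway rule. The following is an added example, not code from this paste: it parses a raw RFC 822 message with the Python standard library and reports which of the four indicators match. The sample message, the example.com domain and the truncated 7z attachment body (just the 7z magic bytes) are constructed for the demonstration; the inner .vbs name check is a separate helper because the gateway, not this script, has to list the archive.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Patterns taken from the campaign description above.
SUBJECT_RE = re.compile(r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
ATTACH_RE = re.compile(r'^msg\d{4}\.7z$', re.IGNORECASE)
PAYLOAD_RE = re.compile(r'^IM\d{9,10}\.vbs$', re.IGNORECASE)
LINK_RE = re.compile(r'https?://[^\s"\'<>]+/voice\.html', re.IGNORECASE)

# Constructed sample message mirroring the paste's email sample (domain and
# attachment body are placeholders; the base64 is only the 7z magic bytes).
SAMPLE = b"""From: "Voicemail Service" <vmservice@example.com>
To: ah@example.com
Subject: New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>
Date: Wed, 20 Sep 2017 13:29:17 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

Dear user: you were just left a 0:11 long message, so you might want to
<a href="http://pickwick-poppins.com/voice.html">check</a> it. Thanks!
--b1
Content-Type: application/x-7z-compressed; name="msg0434.7z"
Content-Disposition: attachment; filename="msg0434.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--b1--
"""


def inner_name_is_downloader(name):
    """True if a name from the archive listing matches IM<9-10 digits>.vbs."""
    return bool(PAYLOAD_RE.match(name))


def score_message(raw):
    """Return the campaign indicators present in one raw email (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()

    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.add("subject_pattern")

    # Forged "internal" sender: local part vmservice and the recipient's own domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_local, _, from_dom = from_addr.lower().rpartition("@")
    to_dom = to_addr.lower().rpartition("@")[2]
    if from_local == "vmservice" and from_dom and from_dom == to_dom:
        hits.add("forged_internal_sender")

    links, attachments = set(), []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
            if ATTACH_RE.match(name):
                hits.add("attachment_pattern")
        elif part.get_content_type() in ("text/plain", "text/html"):
            links.update(LINK_RE.findall(part.get_content()))
    if links:
        hits.add("voice_html_link")

    return {"hits": sorted(hits), "links": sorted(links), "attachments": attachments}


def is_campaign_match(raw, threshold=2):
    """Two or more independent indicators is treated as a positive match."""
    return len(score_message(raw)["hits"]) >= threshold


if __name__ == "__main__":
    print(score_message(SAMPLE))
    print("match:", is_campaign_match(SAMPLE))
```

The threshold of two indicators is a design choice: the subject pattern alone will change across waves, and a lone voice.html link appears on legitimate sites, but a spoofed internal vmservice sender combined with any one of the others is specific to this campaign.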
- Redirector links:
- http://109.108.145.100.srvlist.ukfast.net/voice.html
- http://72.4f.354a.static.theplanet.com/voice.html
- http://alfixit.co.uk/voice.html
- http://altarweddingcars.co.uk/voice.html
- http://ammann-it.ch/voice.html
- http://arvinmoti.com/voice.html
- http://balzantruck.com/voice.html
- http://bigredsgeneralcontracting.com/voice.html
- http://brockmann-buecher.de/voice.html
- http://comtecav.co.uk/voice.html
- http://craigstrong.co.uk/voice.html
- http://danyaanderson.com/voice.html
- http://epse.pt/voice.html
- http://ernestoangiolini.com/voice.html
- http://ethersolutions.co.uk/voice.html
- http://felipedemarco.com/voice.html
- http://foleycrosscenter.org/voice.html
- http://formationdirecte.ca/voice.html
- http://france-vacance.dk/voice.html
- http://fredagskoret.dk/voice.html
- http://gpointrecords.bplaced.com/voice.html
- http://Grog.dk/voice.html
- http://grousespringsnursery.com/voice.html
- http://handsworthfencingservices.co.uk/voice.html
- http://iksy.za.pl/voice.html
- http://jsjp.nl/voice.html
- http://klinthult.com/voice.html
- http://kookserviceopmaat.nl/voice.html
- http://logistics.nazwa.pl/voice.html
- http://maitreandre.com/voice.html
- http://matthess-online.de/voice.html
- http://ministranten.bplaced.net/voice.html
- http://muzyczny.hitowy.pl/voice.html
- http://norskskovkatte.dk/voice.html
- http://osgood.me.uk/voice.html
- http://pickwick-poppins.com/voice.html
- http://pugfest.co.uk/voice.html
- http://radianthues.com/voice.html
- http://raku3.co.jp/voice.html
- http://rapidanplumbing.com/voice.html
- http://rscc.dk/voice.html
- http://science-magnets.co.uk/voice.html
- http://tanzcenter-graziosa.ch/voice.html
- http://tenconewengland.com/voice.html
- http://www.100kisses.org/voice.html
- http://www.gtCartographic.co.uk/voice.html
- http://www.matthewsittel.com/voice.html
- http://www.pizzelli.eu/voice.html
- http://www.reitverein-kaufbeuren.de/voice.html
- - each of these redirects via an iframe to http://hemrolunsparred.info/msg.php, which probably delivers the same VBScript downloader as the attachment
- Malware download sites:
- http://121-psychic-reading.co.uk/slehGTexc
- http://2-wave.com/slehGTexc
- http://3e.com.pt/slehGTexc
- http://4advice-interactive.be/slehGTexc
- http://9ninewright.net/slehGTexc
- http://adaliyapi.com/slehGTexc
- http://a-host.co.uk/slehGTexc
- http://ahtwindowcleaning.co.uk/slehGTexc
- http://PamelaSparrowChilds.com/slehGTexc
- http://rasbery.co.uk/slehGTexc
- http://robinsonfun.pl/slehGTexc
- http://ryterorrephat.info/af/slehGTexc
- http://teck.fr/slehGTexc
- http://weddingcarsbury.co.uk/slehGTexc
- http://weddingcarsrochdale.co.uk/slehGTexc
- Malware:
- - locky, offline .ykcol variant
- - SHA256 302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418, MD5: 5dd7d5899168ac90325b350293c49ee2
- - VT: https://www.virustotal.com/en/file/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418/analysis/1505926523/
- - HA: https://www.reverse.it/sample/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418?environmentId=100
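The URL and hash indicators above are most useful when swept across proxy logs, with the infection chain (voice.html redirector, then hemrolunsparred.info/msg.php or a /slehGTexc download) used to rank clients. This added example is not part of the paste: it classifies URLs from Squid native-format access log lines against the indicators, folds hostnames to lower case (the lists above contain mixed-case hosts such as Grog.dk and PamelaSparrowChilds.com), and reports clients that completed more than one stage. The host sets are a subset of the lists above, and the log lines, client addresses and 203.0.113.x peer addresses are constructed.

```python
from urllib.parse import urlsplit

# Subset of the redirector and download hosts listed above, lower-cased.
REDIRECTOR_HOSTS = {"pickwick-poppins.com", "alfixit.co.uk", "epse.pt", "grog.dk",
                    "www.pizzelli.eu", "72.4f.354a.static.theplanet.com"}
PAYLOAD_HOSTS = {"2-wave.com", "teck.fr", "ryterorrephat.info", "pamelasparrowchilds.com"}
REDIRECT_TARGET = "hemrolunsparred.info"
KNOWN_SHA256 = {"302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418"}

# Constructed Squid native access.log lines (fields: time elapsed client code/status
# bytes method URL rfc931 peerstatus/peerhost type).
LOG = """\
1505926500.101 245 10.1.2.3 TCP_MISS/200 812 GET http://pickwick-poppins.com/voice.html - HIER_DIRECT/203.0.113.10 text/html
1505926501.412 310 10.1.2.3 TCP_MISS/200 7301 GET http://hemrolunsparred.info/msg.php - HIER_DIRECT/203.0.113.11 application/octet-stream
1505926590.007 198 10.1.2.9 TCP_MISS/200 4096 GET http://Grog.dk/voice.html - HIER_DIRECT/203.0.113.12 text/html
1505926620.550 420 10.1.2.9 TCP_MISS/200 511988 GET http://PamelaSparrowChilds.com/slehGTexc - HIER_DIRECT/203.0.113.13 application/octet-stream
1505926650.220 150 10.1.2.15 TCP_MISS/200 331 GET http://intranet.example/voice.html - HIER_DIRECT/10.9.9.9 text/html
1505926660.001 88 10.1.2.20 TCP_HIT/200 9000 GET http://www.example.org/index.html - NONE/- text/html
"""


def classify_url(url):
    """Map a URL to a stage of the chain, or None if it matches nothing."""
    u = urlsplit(url)
    host = u.hostname or ""          # .hostname is already lower-cased
    if host == REDIRECT_TARGET:
        return "stage2_redirect_target"
    if u.path.endswith("/slehGTexc"):  # covers /slehGTexc and /af/slehGTexc
        return "payload_download_known" if host in PAYLOAD_HOSTS else "payload_download_unknown_host"
    if u.path == "/voice.html":
        # voice.html on an unlisted host is a weak signal on its own; keep but label it.
        return "redirector_known" if host in REDIRECTOR_HOSTS else "redirector_unknown_host"
    return None


def sweep_proxy_log(lines):
    """Return (client, label, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue
        client, url = f[2], f[6]
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


def clients_with_full_chain(hits):
    """Clients seen at a redirector AND at the stage-2 or payload host."""
    by_client = {}
    for client, label, _ in hits:
        by_client.setdefault(client, set()).add(label)
    return sorted(c for c, labels in by_client.items()
                  if any(l.startswith("redirector") for l in labels)
                  and any(l.startswith(("stage2", "payload")) for l in labels))


def sha256_is_known(hexdigest):
    """Case-insensitive check of a SHA256 hex digest against the sample hash."""
    return hexdigest.strip().lower() in KNOWN_SHA256


if __name__ == "__main__":
    found = sweep_proxy_log(LOG.splitlines())
    for hit in found:
        print(*hit)
    print("full chain:", clients_with_full_chain(found))
```

The /slehGTexc path is treated as a hit on any host because it is the campaign-specific part of the download URL, whereas /voice.html is common enough that only the listed hosts count as a strong match.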