2017-09-20 Locky "New voice message"

Racco42, Sep 20th, 2017
2017-09-20: #locky email phishing campaign "New voice message"

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: "ah@[REDACTED]>
Subject: New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>
Date: Wed, 20 Sep 2017 13:29:17 -0500

Dear user:

just wanted to let you know you were just left a 0:11 long message (number 15201136730)
in mailbox 152011367301 from "15201136730" <8822315162>, on Wed, 20 Sep 2017 19:34:51 +0300
so you might want to <a href="http://pickwick-poppins.com/voice.html>check</a> it when you get a chance.  Thanks!

                                --Voicemail Service

Attachment: msg0434.7z -> IM9000338402.vbs
-----------------------------------------------------------------------------------------------------------------------
- sender address is forged to look like "Voicemail Service" vmservice@[recipient's domain]
- subject is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- the body of the email contains a link to one of several sites hosting a redirector to the malware script
- attached file "msg<4 digits>.7z" contains file "IM<9-10 digits>.vbs", a VBScript downloader
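As an added example (not part of the original paste), a small Python checker that turns the traits listed above into mail-gateway detection logic and runs it over a constructed message modelled on the sample; the message dict shape, the `.example` domains and the exact regexes are this example's own assumptions.

```python
import re

# Regexes are this example's reading of the "<N digits>" notation used above.
SUBJECT_RE = re.compile(
    r'^New voice message (\d{11}) in mailbox (\d{12}) from "(\d{11})" <(\d{10})>$'
)
ATTACHMENT_RE = re.compile(r"^msg\d{4}\.7z$", re.IGNORECASE)
INNER_FILE_RE = re.compile(r"^IM\d{9,10}\.vbs$", re.IGNORECASE)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+/voice\.html", re.IGNORECASE)


def score_message(msg: dict) -> list:
    """Return the campaign traits found in one parsed message.

    Assumed dict keys: from_addr, to_addr, subject, body,
    attachments (filenames), archive_members (filenames inside the archives).
    """
    hits = []
    if SUBJECT_RE.match(msg.get("subject", "")):
        hits.append("subject_pattern")
    # Forged sender: vmservice@ the recipient's own domain
    sender = msg.get("from_addr", "").lower()
    rcpt_domain = msg.get("to_addr", "").rpartition("@")[2].lower()
    if sender.startswith("vmservice@") and sender.rpartition("@")[2] == rcpt_domain:
        hits.append("forged_vmservice_sender")
    if LINK_RE.search(msg.get("body", "")):
        hits.append("voice_html_link")
    if any(ATTACHMENT_RE.match(a) for a in msg.get("attachments", [])):
        hits.append("msg_7z_attachment")
    if any(INNER_FILE_RE.match(m) for m in msg.get("archive_members", [])):
        hits.append("im_vbs_in_archive")
    return hits


def is_locky_voicemail_lure(msg: dict) -> bool:
    """Require two independent traits so a real PBX notification is not flagged."""
    return len(score_message(msg)) >= 2


# Constructed sample modelled on the email above (domains are placeholders)
SAMPLE = {
    "from_addr": "vmservice@example.org",
    "to_addr": "ah@example.org",
    "subject": 'New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>',
    "body": 'you might want to <a href="http://compromised-site.example/voice.html>check</a> it',
    "attachments": ["msg0434.7z"],
    "archive_members": ["IM9000338402.vbs"],
}
# Constructed benign voicemail notification for comparison
BENIGN = {
    "from_addr": "voicemail@pbx.example.org",
    "to_addr": "ah@example.org",
    "subject": "New voicemail from 555-0100",
    "body": "You have a new voicemail. Log in to the portal to listen.",
    "attachments": ["voicemail.wav"],
    "archive_members": [],
}
```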

Redirector links:
- will redirect via iframe to http://hemrolunsparred.info/msg.php, which will probably deliver the same file as in the attachment

Malware download sites:

Malware:
- locky, offline .ykcol variant
- SHA256 302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418, MD5: 5dd7d5899168ac90325b350293c49ee2
- VT: https://www.virustotal.com/en/file/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418/analysis/1505926523/
- HA: https://www.reverse.it/sample/302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418?environmentId=100