daily pastebin goal
46%
SHARE
TWEET

2016-12-06 Locky "Recent order"

Racco42 Dec 6th, 2016 (edited) 219 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-06 #locky email phishing campaign "Recent order"
  2.  
  3. Email sample:
  4. -------------------------------------------------------------------------------------------------------------------
  5. From: "Martina Clarke" <Clarke.Martina@sabanet.ir>
  6. To: [REDACTED]
  7. Subject: Recent order
  8. Date: Tue, 06 Dec 2016 01:24:09 -0700
  9.  
  10. Dear [REDACTED],
  11.  
  12. The counteragent has conducted the checking and found no confirmed payment for the recent order.
  13. Please process the payment ($89307977709734936764340663590223817224101777922093860908195453921228256903435302543133345189781940410421180768810469329510005722611509783204471254902302977078504272733092560473925875872418536646314944362573629156533657076108607103807460326954716857037368604236090022222665681890599713969618046235880818448417380234802792720059389316696617214682010881294061577698172785540052074636092042671677282339136806743088887957717574248863378849143870993195576615033862364116088816558046189063289293699584335027538036272642538459175137079119834241614506102769676295712288880855843251370084909005323488331013448901807234707576661181754157469979328620294382100178337594514235463741358580820594963995408538372738977165056864200273195670927885364352124620192733447407586420216316476233887348151008622176284472878530487960646489160259652595214565535468659401186675488001692499322483427318695780038017801142677303904653441180111095245067146162411042266190514690385403344565617965652953319177413203111484393315319036121920182349912644888738300522454233871921559195019310467266583870612863108947824761709299088846342838150541485404641150377238893797725397045870253343602862643004861725436435207919072632144856821363321855780325300426645866872614704868011733456588260872703883697785892197563735546143894670027548511989067251341999474647271631016566438232946804987005037496973130928111697557184496957535592266648397626958309828958194813442100944742766046212089009030683109366737100984986900879030050311283763505488735057845844710477515111353752501847610378820804644836924940569376575918636393712450918426295592731717883116720828701437165349506246186459834670855707638575482392702668275300271432930326746070542235854888589507510850001656576954009288708711614195281855277506238866658886263426774446138120880572804703007172504160087449702686397028624187721541550749236060695517095472269780605451394119267267768585031745669295475289651104015687022765659687351312476731201719653010211718807369951273177294204052808590819 again. All details are in the attachment.
  14.  
  15. Feel free to email us if you have any inquiry.
  16.  
  17.  
  18. ----
  19. King Regards,
  20. Martina Clarke
  21.  
  22. Attachment: order4910521.zip -> ~8FX934T59F85.js
  23. -------------------------------------------------------------------------------------------------------------------
  24. - sender varies between emails
  25. - subject is "Recent order"
  26. - email body does contain a strange long number, yes :-)
  27. - attached file "order<7 digits>.zip" contains file "~<random uppercase letters and digis>", a JScript downloader
  28.  
  29.  
  30. Download sites:
  31. http://7thpower.com/yetgt1
  32. http://anjoman146.ir/06t14eim59
  33. http://aynuri.cn/pao8w9
  34. http://bel-stroymarket.ru/qzybv5xoj
  35. http://betrend.dk/rxal56tkc
  36. http://bookletta.com/nsb6sxsg
  37. http://comfortdiscovered.com.au/x0je0oyo
  38. http://eplotery.pl/mzcwjqad9
  39. http://experimentaloikos.com/xqx9nzroeg
  40. http://franklinhousetavern.net/ijh6i9qcwa
  41. http://fw-nes.de/xmtxufz
  42. http://gadanie.vgolovanov.ru/o2kkiww7q
  43. http://hawanur.com/w4f0t3n6mi
  44. http://hosting.spep.nl/ff0vuhhkha
  45. http://ischool.org/iobskh
  46. http://isikpeyzaj.com/yfutj8
  47. http://krosha.myjino.ru/pggzm
  48. http://lowcountryday.com/whvneqrjz
  49. http://mcclone.com/ywme2n
  50. http://mensa-edu.com/rrq08fz2hn
  51. http://m.figuren-spiele.de/qhnycc
  52. http://n2.by/hprahz
  53. http://new.sunmar.ca/wdut0yzm
  54. http://nonelikeit.com/ylvsic
  55. http://ns10.servidorprotegido.net/jeidn
  56. http://poised.co.in/lr5xojpdrx
  57. http://reefclub.ru/pbejg
  58. http://ruchengfcw.com/fskvi
  59. http://ruwechat.ru/a3qls
  60. http://saintsraw.com/9htfn95i
  61. http://scapin.de/uopqd
  62. http://servisix.com/1uwztx
  63. http://setoxy.com/dyfvvqp31
  64. http://shydnt.com/7dwige
  65. http://signumtte.net/cldwsmtea
  66. http://skladdomodedovo.ru/in6kx
  67. http://smartcandle.ie/7xltk7ga1x
  68. http://soonmarketing.com/hsjva
  69. http://spisek.freehost.pl/h16yw7fp8
  70. http://sp-tulun.ru/hp8c234aq
  71. http://square100.com/8rnr5wq
  72. http://sreekrishnatemple.com/agmzvm
  73. http://steffweb.dk/bkjybit
  74. http://stevetoulch.com/4pjzomy
  75. http://svastara.info/gtuphxz2
  76. http://svd-serv.sonmax.com.ua/nwl4ci8l1
  77. http://swkitchens.com.au/etgp6ndo
  78. http://tamsoon.net/ec1jyz3fu
  79. http://tasrdk.ru/jf1lh3onnd
  80. http://thermo.dk/8ukzvcxw
  81. http://tolga-tosun.com/bqtwi54d3n
  82. http://vastgoedconcept.be/8rarbjfj
  83. http://vsenabis.ru/ptvkgcpp6h
  84. http://www.02seo.com/iag7a
  85. http://www.demelkwegtuk.nl/ub4btafy96
  86. http://www.ebusiness-articles.com/clja9ztg0
  87. http://www.glutax-ori.com/l9woon
  88. http://www.icelandnavigator.com/ndt3al
  89. http://www.pgringette.ca/ngokspwr
  90. http://www.tutmacli.com/zunhdwvc
  91.  
  92. UPDATE:
  93. http://osawa.be/ji6vl8p
  94. http://petra-roebig.de/hqv4kz
  95. http://smarttrain.edu.vn/5iim4uhd
  96. http://studionero.com/4rjs9e1wkq
  97. http://ventrust.ro/5egp5rgwdo
  98.  
  99. Malware:
  100. - encoded on download
  101. 0f1ef6589e046c80ae4c1e93834d276a6560de7bc528b281f4f831a4bf4850c5  http___7thpower.com_yetgt1
  102. 5c4eb87ff2d1b2db6ae26df1de5851fcec10f333c31a15b0d57264e83cdb644d  http___anjoman146.ir_06t14eim59
  103. 9ebb0c7ea7c9257f697774eb7d7f966ab5894174d4bcb2f81582e713d3b06447  http___aynuri.cn_pao8w9
  104. 7a7ecc69fbccf01c4c9cc9a577df470c65f7bf3a582baa93b29310c8ca9456af  http___bel-stroymarket.ru_qzybv5xoj
  105. 880407a486217acef57a39e176654ab97e2d578ff05e1ac46db052cd7b52ae02  http___betrend.dk_rxal56tkc
  106. 76e0d8b323da67a2328b5ef9b3973814bc8bcb2840a89de31c46d3cd821011d1  http___bookletta.com_nsb6sxsg
  107. 5cc2752a8385cf3709d9eeeb107af05ed9399185c79335bebe2eb849ecbd7adb  http___comfortdiscovered.com.au_x0je0oyo
  108. 050ee6cab348f81e5ef196e8fa0d77d03919d58ffb0ce2759f40f5e4bf2e9563  http___eplotery.pl_mzcwjqad9 [2]
  109. 456a112e68014a44b64138877da76ecc0d9c7936a9a141f4e89de748e34dbf9f  http___experimentaloikos.com_xqx9nzroeg
  110. ea86f13d9e93d0e3df4a503d023ae73a19ef9e919bb54382283c162308d9155a  http___franklinhousetavern.net_ijh6i9qcwa
  111. 32a1f98b5a1fbc7d1da97259e25dae294d60b1ff6d5cccf418b0082be32dd2d7  http___gadanie.vgolovanov.ru_o2kkiww7q
  112. ee12ed508c31af2f27971d39a56650e8cd0e5e24ec92f4be194ecd03708433e8  http___hawanur.com_w4f0t3n6mi
  113. 7600db4ffcd96ba3a8cfb76dccffc3c16e76ed3028343aed761a1cfb92b2c6de  http___hosting.spep.nl_ff0vuhhkha
  114. 81ae3ea6311c240ccc68656f65314ed8c4bd51ee8c173760272c7bdbad3f8d5b  http___isikpeyzaj.com_yfutj8
  115. 75ebd122101651cc0b5d3170a425d2677a9cdf422bb89f68594f866889f1aaf2  http___lowcountryday.com_whvneqrjz
  116. 7690ad32fb17702f07e2c78eb6d3049b036d4183f9c271dcdfc62452ad29f2e3  http___mcclone.com_ywme2n
  117. 33a0a4956ee7a3a2dc001bc3c7761706dbf0a6839d313e80ffcd066dfd0312d5  http___mensa-edu.com_rrq08fz2hn
  118. 05aecf4fc11d93b3b06937da4239df24fb311916b3286733676bba1c3e6b4908  http___m.figuren-spiele.de_qhnycc
  119. 27d6e0ad477b4084f9053c0c5eb29de5ef0b35079edc5779ab4c6c698c75844e  http___n2.by_hprahz
  120. 7b49a34b1c10692ac75738ca042966ba2643d9d549336f9ef443e3fc8809919f  http___new.sunmar.ca_wdut0yzm
  121. c3ca81dedd22089a00247eb266bbc5f683e4ee894c3311baacdb3a4f13763343  http___nonelikeit.com_ylvsic
  122. 3d66a32ad313b6b8ba3a3aafa923a531e43cb70100ba706fcb6f97ef8274e280  http___ns10.servidorprotegido.net_jeidn
  123. b239c0079e2a0a3e5c942e079852af44bdce2a89e9634cc8234282aeaa51cc89  http___poised.co.in_lr5xojpdrx
  124. af7c16005f9cd9da9312159b414d0b0cbecb51dfb9b2d1d22f862469e8fe9862  http___reefclub.ru_pbejg
  125. ef9bb79e0665592c6ac043ab1c1f7da2724cda78a1c48cba05075724bcb62fd6  http___ruchengfcw.com_fskvi
  126. ba6ee69c50eb59cab886dc71ab07f0c81a7019053ecbccb9fcf5dc58284516b6  http___ruwechat.ru_a3qls
  127. 537c1d9fe635379d15482822bd2536858c3736938185cf545b6a3c288a48b7a0  http___saintsraw.com_9htfn95i
  128. 92a0a17452f66cd45775c662a544486124e305a7cfa451a2071dafadbcc955c5  http___servisix.com_1uwztx
  129. 7df6e0b353fc8225c7fbc4ead1e184f6c70183ecd560d8c08c77307278cc65d4  http___setoxy.com_dyfvvqp31
  130. 6f2e2a0093ec8561edc07d14e78536c8fcf4e36213edf9ef9e49341716e14274  http___shydnt.com_7dwige
  131. 717982ae70199cc0d9e69d7e2e89c00b7d2727a5b9132a01a9aa00c4e603f347  http___signumtte.net_cldwsmtea
  132. ff227ac5b2652091a2754b17e276a51eaeb75c14ca07d0ddf6fe70a39b840e6b  http___skladdomodedovo.ru_in6kx
  133. ee7b4285e57ba88ea44fa7e5c81e084a33ead38bb2ba0be591731ee168eb1f0e  http___smartcandle.ie_7xltk7ga1x
  134. 04345fec4e2f9f9245a1ee9ba483b45cef9a1f73c9d8b440bf1d23d9cd4aaa23  http___soonmarketing.com_hsjva
  135. 828ee66b1bb7055e75f2d03e90f284cd0ce8cf501fed6c2af45cf81ff8af76a3  http___spisek.freehost.pl_h16yw7fp8
  136. 7ad75eaa62ad77326dd2c57a51fc62173c67daa42e92f9d065e478bea2bc786c  http___sp-tulun.ru_hp8c234aq
  137. 4f053420dd59228fb6ebdaaed2774dcee648a38e7f7e521853dcc0ca496d0161  http___square100.com_8rnr5wq
  138. 3de42b5c8e45dba5f8c40f2495f44eb18b557a80373a48034f58148e9d9a6f38  http___sreekrishnatemple.com_agmzvm
  139. 85eebae03e595859f633ac5d416d91dae279b27b5de894b2ebde318fa026370a  http___steffweb.dk_bkjybit [1]
  140. 3df5834e4599d021f79523975c515f5c8747276f29ffe8f8c95a70ccabe4e7ad  http___stevetoulch.com_4pjzomy
  141. f164670a22c774732d3eda44f206ddc8dbc94905e0fb075af076c28629c0948d  http___svastara.info_gtuphxz2
  142. 26e5d743ee201f0df95182252ca55ff1ae3a4aa92983a56bd640c69f5636105f  http___svd-serv.sonmax.com.ua_nwl4ci8l1
  143. b4aa8bdefd431fef65b0007355681584b41fd8e3900d8dfcd66fea452a476f11  http___swkitchens.com.au_etgp6ndo [3]
  144. 71eab1718bf481215fb95ba28105cb6438c6af5e2d1e7d076bd760306c4bd85e  http___tamsoon.net_ec1jyz3fu
  145. a10bb2d4b62426da1f1622e2a78bd708431e9d66d6cb2a72a9f800df974f1e53  http___tasrdk.ru_jf1lh3onnd
  146. e57516e499dc23ff60ab44f829802627cab24e48ed64159a63f787f35b82329f  http___thermo.dk_8ukzvcxw
  147. 9b1139579004c5e4c9532998909df831f7f3047b504a1772b2718b2e8f0bdb35  http___tolga-tosun.com_bqtwi54d3n
  148. 177559c7018a40b0dbc3aafcd9f357275030ec236c451ce21e88c19d41ecace8  http___vastgoedconcept.be_8rarbjfj
  149. c4024c3aecb5cdd31f1f9ecc2c45b93c6214867e35ceb5aa22af167fc4489945  http___vsenabis.ru_ptvkgcpp6h
  150. e17f4ac42ffb63fe415d4c085304ade8b2bd98a76638fdddd4c9acf9aac9969b  http___www.02seo.com_iag7a
  151. d35a2747c81b34f29b83356a1f64a4277ef0459dfc4d443e941f297f75e3b3de  http___www.demelkwegtuk.nl_ub4btafy96
  152. 9ca5a6a6ba413ce35602c6f32335402c26792d0460c8f4790bb9616946566e75  http___www.icelandnavigator.com_ndt3al
  153. 07ba8cbb26893a2eea6ca9912423681bf552d5d25f311794c20da1afd5327533  http___www.pgringette.ca_ngokspwr
  154. f41387425bb7cf447d72d50a4d84c1362ad5aae308225c222253dff55619e2b5  http___www.tutmacli.com_zunhdwvc
  155. - decoded
  156. 954e1c5227e613c498cf8cbccd4ddd25daf678dcdf0a31f8ca2b30819a26173b [1]
  157. 1459d71c23109f30a297c19737b93d93fd2499d549e954cf589f749f9cb21349 [2]
  158. 1e5c09bfdc302cb2aae270e5c35a0ed88dcbef80c3ad637829f3dd4ecc2b0da3 [3]
  159. - executed by "rundll32.exev %Temp%\<filename>.ZK,FpNSZhx6K63bRJnIKaIiFS7Gid"
  160. - samples
  161. https://www.virustotal.com/file/954e1c5227e613c498cf8cbccd4ddd25daf678dcdf0a31f8ca2b30819a26173b/analysis/1481019156/ [1]
  162. https://www.virustotal.com/file/1459d71c23109f30a297c19737b93d93fd2499d549e954cf589f749f9cb21349/analysis/1481019163/ [2]
  163. https://www.virustotal.com/file/1e5c09bfdc302cb2aae270e5c35a0ed88dcbef80c3ad637829f3dd4ecc2b0da3/analysis/1481019174/ [3]
  164.  
  165. C2:
  166. POST http://176.112.219.101/checkupdate
  167. POST http://85.143.213.71/checkupdate
  168. POST http://91.203.5.176/checkupdate
  169. POST http://95.46.114.147/checkupdate
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top