- 2016-09-14 #locky email phishing campaign "Renewed License"
- Email:
- --------------------------------------------------------------------------------------------------------
- From: "Johnny Fleming" <Fleming.259@mobily.com.sa>
- To: [REDACTED]
- Subject: Renewed License
- Date: Wed, 14 Sep 2016 22:34:35 +0300
- Here is the company's renewed business license.
- Please see the attached license and send it to the head office.
- Best regards,
- Johnny Fleming
- License Manager
- Attachment: c2fcf5b4f7.zip
- --------------------------------------------------------------------------------------------------------
- - sender address varies
- - subject is "Renewed License"
- - the attached file <random hex chars>.zip contains two identical files, "renewed business license <random hex chars>.wsf" and "renewed business license <random hex chars> (copy).wsf", each containing a JScript downloader
- Download sites:
- http://amrastacy.com/7bx49l
- http://moismdheri.net/jqpxub
- http://pawlrubia.net/9ioiv7
- http://pradran.com/5tff6xh
- http://rokerlelia.net/rbrpe
- http://tearyrecce.com/duv3l
- Malware:
- - encoded on download, filesize 191492 bytes
- b7754b3ae9660178964aa49b765f5f15a87f95430f921b8225a9c682c83a14a0 http___amrastacy.com_7bx49l
- 47583e9361456411469b6e44df9c4b967c9dcf4859cf49c6b28c5329319150c2 http___moismdheri.net_jqpxub
- 9b4c62d570f235538810e0cc410df183b3dc68ac5e706870a255feece122c0a3 http___pawlrubia.net_9ioiv7
- b6b01fea9b3ffdb9777e3fe520b61a0e2708aeadea0081ce7555bfbe283cafe1 http___pradran.com_5tff6xh
- 3d8cb8d5bad47fb15b8e6f8a859eb2d183e8a05e974f8b3703af9f63cfabd69a http___rokerlelia.net_rbrpe
- 861b752738f395c7dd40e80b954863c374a463ea1acca3caae3be024cd93a558 http___tearyrecce.com_duv3l
- - decoded filesize 191488 bytes
- 2e1b0b4ac4b0ce8612da84f84166596ae1804915cea0c0881684f03f81659a06 http___amrastacy.com_7bx49l
- a1623e14fb9d19eb8a523105ed972d191c30576a71b5267c8dc833e0b23bf4fa http___moismdheri.net_jqpxub
- 9492c69db65008f9f7653242a24c2cfb071ab6f7a00219627b480720594d0427 http___pradran.com_5tff6xh
- 54978022f05da79212f51cb83975378b4a5138b6b48d5cb94aecc4b9e8a6315a http___rokerlelia.net_rbrpe
- a1f9b8dffe37afa77605e12ff540346be58b1c39af494b2b8342e2653d961b55 http___pawlrubia.net_9ioiv7
- - executed by "rundll32.exe %TEMP%\u0y5E9H2.dll,qwerty 323"
- https://www.reverse.it/sample/6e02c709fac13e3812a49306a065e067ef884231245120b079575ec696772fde?environmentId=100
- https://www.reverse.it/sample/4f3856834113ad7cd7f4f4dfa0752ed58f6aeb77219bfe99f2ef59dd26e33f33?environmentId=100
- https://www.reverse.it/sample/7b4e716c301a14af4464f6c43e9081b9d437c6b009114279b910ad949df091aa?environmentId=100
- https://www.reverse.it/sample/d332a35cebcb4ddebb0a8509c7e032fb620463cba94c40bc76ff6d87d0d09f24?environmentId=100
- https://www.reverse.it/sample/c6cac56e02d3f1c7b02a9ef5c636be36ad87713d9dd67825d8c4d63998a50233?environmentId=100
- https://www.reverse.it/sample/0945c9674068494eb5768c8ebc6b4f142c5fad6a783ebed035c9f0f9218091de?environmentId=100
- https://www.reverse.it/sample/1436ff48f7810c90db24dabafd334b11ee5042150fdb7209c6d8964a209e045c?environmentId=100
- https://www.reverse.it/sample/eabeeac88f80e6c3820aecbea765184c50223db4a7020f900df041cb6ec081e3?environmentId=100
- https://www.reverse.it/sample/ab01fbee8e50771628a1da3792d068ce585ff80a0b6fe8385308bd5eeb06a5a4?environmentId=100
- https://www.reverse.it/sample/464ebb9ec9df9f0b5e3f7536f5c0079ae8cba3d097b2f2eeef5764d545b02da1?environmentId=100
- https://www.reverse.it/sample/32c47e680d3a389d0b6aedc0f59516d654a430c2bf0bbebae92ac9a1c70259d4?environmentId=100
- https://www.reverse.it/sample/cfef07d15ae07a47303aac4d98a820813e329bf423ce24511599632a779b4cc4?environmentId=100
- https://www.reverse.it/sample/613430c2ae49b95c28cd2fb4100fccdb15bb7f8ce45d1ff006d27268bb031ae3?environmentId=100
- C2:
- - no C2 communication; the encryption keys are stored in Locky's config
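The execution chain above (a .wsf script host launched from the extracted zip, then rundll32.exe loading a DLL from %TEMP% with a non-standard export and a numeric argument) is the kind of behaviour that shows up in process-creation telemetry. The following is an added detection example written for this note, not code from the paste; the events are constructed in the shape "ParentImage|Image|CommandLine", the user name, paths and the rule names are hypothetical, and the only values taken from the note are the rundll32 command-line pattern and the zip name.

```python
import re

# Constructed process-creation events (not real telemetry), "ParentImage|Image|CommandLine".
# Event 0 and 1 mimic the chain in the note; 2 and 3 are benign rundll32/wscript uses.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|"
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_c2fcf5b4f7.zip\renewed business license 3f9a1c.wsf"',
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\rundll32.exe|"
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\u0y5E9H2.dll,qwerty 323",
    r"C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|"
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|"
    r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# .wsf launched straight out of the shell's zip-extraction folder (Temp1_<name>.zip).
WSF_FROM_ARCHIVE = re.compile(r'\\Temp1_[0-9a-f]+\.zip\\[^"]*?\.wsf', re.IGNORECASE)

# rundll32 loading a DLL from a Temp directory (either the expanded %TEMP% path or the
# literal variable), with the export name and an optional trailing argument captured.
# Assumes an unquoted DLL path, i.e. no spaces, as in the constructed events.
RUNDLL_TEMP_DLL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S*(?:\\temp|%temp%)\\\S*?\.dll),(?P<export>\w+)(?:\s+(?P<arg>\S+))?",
    re.IGNORECASE,
)


def parse_event(line):
    """Split one constructed event line into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of (hypothetical) rule names that fire for one event."""
    hits = []
    img = basename(ev["image"])
    parent = basename(ev["parent"])

    if img in SCRIPT_HOSTS and WSF_FROM_ARCHIVE.search(ev["cmdline"]):
        hits.append("script_host_runs_wsf_from_extracted_zip")

    if img == "rundll32.exe":
        m = RUNDLL_TEMP_DLL.search(ev["cmdline"])
        if m:
            hits.append("rundll32_loads_dll_from_temp")
            # An export followed by an extra argument, like ",qwerty 323" in the note.
            if m.group("export") and m.group("arg"):
                hits.append("rundll32_nonstandard_export_with_argument")
        if parent in SCRIPT_HOSTS:
            hits.append("rundll32_spawned_by_script_host")

    return hits


def analyze(lines):
    """Run every rule over every event; return (event index, hits) for events that match."""
    findings = []
    for i, line in enumerate(lines):
        hits = check_event(parse_event(line))
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].split("|", 2)[2])
        for h in hits:
            print("   ", h)
```

The three rundll32 rules are deliberately separate: a DLL loaded from Temp is suspicious on its own, a script-host parent is a stronger signal, and the combination of both with an export-plus-argument pattern is what matches the chain in this note. Tuning for real telemetry means quoting rules for DLL paths with spaces and allow-listing the installers that legitimately run rundll32 from Temp.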