
2016-12-13 Locky "a picture for you"

Racco42 Dec 13th, 2016 (edited)
2016-12-13: #locky email phishing campaign "a picture for you"

Email sample:
----------------------------------------------------------------------------------------------------------------------------------
From: Ronda <Ronda.16@theroyalparadise.com>
To: [REDACTED]
Subject: a picture for you
Date: Tue, 13 Dec 2016 19:56:58 -0300

scanned

Attachment: 2016-12-623875.zip -> 2016-12-11225.jse
----------------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "a (image|photos|photo|picture) of you"
- attached file "2016-12-<4-6 digits>.zip" contains file "2016-12-<4-7 digits>.jse", a JScript downloader (plaintext .js, not encoded)

Download sites (actual URLs have suffix ?<random>=<random> which does not influence download):
  180.  
Malware:
- encoded on download
SHA256 a9478cfd511672b5ad8c39212d848d8ff12fd2dd437c9c3b765da7604084b359, MD5 41eb243c2775c74519f1643c871ef161 [knby545]
SHA256 a6c2328b3807596f3199ec2db3e1463e13e979f75829ba73dd98a414493f9d3c, MD5 c951ecd088e3a043a0db6d60914adc14 [0h6br33]
- decoded
SHA256 fd33604dd1a4ccc3a3779b5769f5fbb58754a1f9152a72323ca6ebdc5d8d98b9, MD5 6534795c6f0ffb3835a1828abce36f88 [knby545]
SHA256 9ce472a78b91fd79c707c090cb6cf49a4b0a0df5e50d31409346528b2fb2db7a, MD5 d0d014659cb27cb67b83eef360d3c39f [0h6br33]
- executed by
"rundll32.exe %TEMP%\<dll_name>,get_value" [knby545]
"rundll32.exe %TEMP%\<dll_name>,set_value" [0h6br33]
- samples
https://www.virustotal.com/file/fd33604dd1a4ccc3a3779b5769f5fbb58754a1f9152a72323ca6ebdc5d8d98b9/analysis/1481672421/ [knby545]
https://www.virustotal.com/file/9ce472a78b91fd79c707c090cb6cf49a4b0a0df5e50d31409346528b2fb2db7a/analysis/1481672458/ [0h6br33]

C2:
POST http://176.121.14.95/checkupdate [knby545],[0h6br33]
POST http://185.117.72.105/checkupdate [knby545],[0h6br33]
POST http://193.124.185.187/checkupdate [0h6br33]
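Triage rules for the traits this paste lists (subject wording, ZIP/.jse naming, the two download paths, the rundll32 invocation and the C2 POST), written as an added example and not part of the original paste. The subject regex accepts both "of you" from the bullet and "for you" from the sample email; the rundll32 command-line pattern, the sample ZIP and the log values are constructed assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit
# Added triage rules for the traits this paste lists (example code, not the
# paste's own). Indicators are the paste's; sample ZIP/log values are constructed.
# The bullet says "of you" while the sample email says "for you": accept both.
SUBJECT_RE = re.compile(r"^a (image|photos|photo|picture) (of|for) you$", re.I)
ZIP_RE = re.compile(r"^2016-12-\d{4,6}\.zip$", re.I)
JSE_RE = re.compile(r"^2016-12-\d{4,7}\.jse$", re.I)
DOWNLOAD_PATHS = {"/knby545", "/0h6br33"}  # the ?<random>=<random> suffix is ignored
C2_HOSTS = {"176.121.14.95", "185.117.72.105", "193.124.185.187"}
# rundll32 loading a DLL from %TEMP% and calling its get_value/set_value export
RUNDLL_RE = re.compile(r'rundll32(\.exe)?"?\s+"?%TEMP%\\[^,"]+"?,\s*(get|set)_value\b', re.I)

def suspicious_attachment(zip_name, zip_bytes):
    """ZIP name matches the pattern and it holds exactly one matching .jse."""
    if not ZIP_RE.match(zip_name):
        return False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return len(names) == 1 and bool(JSE_RE.match(names[0]))

def classify_email(subject, zip_name, zip_bytes):
    """Return the campaign traits an inbound message matches."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if suspicious_attachment(zip_name, zip_bytes):
        hits.append("attachment")
    return hits

def flag_proxy_request(method, url):
    """Label a proxy request as payload download, C2 beacon, or None."""
    u = urlsplit(url)
    if method == "GET" and u.path in DOWNLOAD_PATHS:
        return "payload-download"
    if method == "POST" and u.hostname in C2_HOSTS and u.path == "/checkupdate":
        return "c2-beacon"
    return None

def flag_process_cmdline(cmdline):
    """True for the rundll32 invocation pattern the paste reports (assumed form)."""
    return bool(RUNDLL_RE.search(cmdline))

def make_zip(inner_name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder, not the real downloader")
    return buf.getvalue()
```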