Advertisement
Racco42

2017-06-06 Jaff "Order"

Jun 6th, 2017
2,903
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.12 KB | None | 0 0
  1. 2017-06-06 #jaff email phishing campaign "Order"
  2.  
  3. Email sample:
  4. ------------------------------------------------------------------------------------------------------------
  5. From: "Lonnie sims" <Lonnie@dental-discount-plans-guide.com>
  6. To: [REDACTED]
  7. Subject: Order
  8. Date: Tue, 06 Jun 2017 15:14:35 +0600
  9.  
  10.  
  11. Attachment: MX-2310U_20170606_151435.pdf
  12. ------------------------------------------------------------------------------------------------------------
  13. - sender is random
  14. - subject is "Order"
  15. - email body is empty
  16. - attached file "MX-2310U_20170606_<6 digits>.pdf" contains embedded .docm file which contain macro that will download malware from one of the download sites:
  17.  
  18. Download sites:
  19. http://10minutesto1.net/jt7677g6
  20. http://cafe-bg.com/jt7677g6
  21. http://cifroshop.net/jt7677g6
  22. http://community-gaming.de/jt7677g6
  23. http://cor-huizer.nl/jt7677g6
  24. http://essentialnulidtro.com/af/jt7677g6
  25. http://lcpinternational.fr/jt7677g6
  26. http://luxurious-ss.com/jt7677g6
  27. http://makh.ch/jt7677g6
  28. http://marcelrahner.com/jt7677g6
  29. http://mciverpei.ca/jt7677g6
  30. http://mitservices.net/jt7677g6
  31. http://myinti.com/jt7677g6
  32. http://mymobimarketing.com/jt7677g6
  33. http://oneby1.jp/jt7677g6
  34. http://rhiannonwrites.com/jt7677g6
  35. http://sdmqgg.com/jt7677g6
  36. http://seoulhome.net/jt7677g6
  37. http://sextoygay.be/jt7677g6
  38. http://siddhashrampatrika.com/jt7677g6
  39. http://squidincdirect.com.au/jt7677g6
  40. http://stlawyers.ca/jt7677g6
  41. http://studyonazar.com/jt7677g6
  42. http://supplementsandfitness.com/jt7677g6
  43. http://zechsal.pl/jt7677g6
  44.  
  45. Malware:
  46. - encoded on download SHA256 eb5e237ba12a3179c7764a6137df4df314ba540ee6e7a96d6eff294f40b29a4b, MD5 76e150bceffaee4322fa70b2c48ced16
  47. - decode by XORing downloaded file with "ZID4uEPifSSuQCN32XMC7VOlV4Wu8BLn"
  48. - decoded SHA256 3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44 ,MD5 5ca3d8cf1cde038e762b535ec4e905fe
  49. - VT: https://www.virustotal.com/file/3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44/analysis/1496759309/
  50. - HA: https://www.reverse.it/sample/3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44?environmentId=100
  51.  
  52. C2:
  53. GET http://whoisfoxxrobiouy.net/a5/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement