Racco42

2016-11-11 Locky "Order"

Nov 11th, 2016
2016-11-11 #locky email phishing campaign "Order"

Email sample:
-------------------------------------------------------------------------------------------------------------------
From: "Technical Support" <Sparks.Seymour@sijbers.eu>
To: [REDACTED]
Subject: Order
Date: Fri, 11 Nov 2016 16:39:08 +0530

Dear Customer

The item you've ordered is on delay due to the unknown problem regarding your bank account you paid from.
Please check you data in the attachment as soon as you can.


Best Wishes,
Seymour Sparks
Technical Support

Attachment: order_[REDACTED].zip
-------------------------------------------------------------------------------------------------------------------
- sender email address varies, but the display name is always "Technical Support"
- subject of the email is "Order"
- attached file "order_<recipient's name>.zip" contains a file "-<11 characters>-.js", a JScript downloader

Download sites:

Malware:
- NOT encoded on download
- executed by "rundll32.exe %TEMP%\<dll_name>,0004"

C2:
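A defender-side check built from the traits listed in this note (display name, subject, attachment naming, inner .js naming, rundll32 launch line), added here as an example and not part of the original paste; the zip, the log lines and the exact regexes for the naming patterns are constructed assumptions.

```python
import io
import re
import zipfile

# Traits recorded in the note above; the regexes are my reading of the
# "order_<name>.zip", "-<11 characters>-.js" and rundll32 patterns.
DISPLAY_NAME = "technical support"
SUBJECT = "order"
ZIP_NAME_RE = re.compile(r"^order_.+\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^-.{11}-\.js$")
# rundll32 loading a module from a Temp directory with the ",0004" entry point.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+\S*\\temp\\[^\s,]+,0004\b', re.IGNORECASE
)

def js_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose name matches the -<11 chars>-.js pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if JS_NAME_RE.match(n)]

def email_matches_campaign(display_name: str, subject: str,
                           attachment_name: str, zip_bytes: bytes) -> bool:
    """True only when all four traits from the note line up."""
    return (
        display_name.strip().lower() == DISPLAY_NAME
        and subject.strip().lower() == SUBJECT
        and ZIP_NAME_RE.match(attachment_name) is not None
        and bool(js_members(zip_bytes))
    )

def flag_process_events(lines: list[str]) -> list[str]:
    """Return process-creation log lines showing the rundll32 launch pattern."""
    return [ln for ln in lines if RUNDLL_RE.search(ln)]

def build_sample_zip(member: str) -> bytes:
    """Constructed test attachment: a zip holding one inert text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, not the real downloader\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("-abcdefghijk-.js")
    print(email_matches_campaign("Technical Support", "Order", "order_jdoe.zip", sample))
    events = [  # constructed process-creation lines
        'CommandLine: "C:\\Windows\\System32\\rundll32.exe" C:\\Users\\jdoe\\AppData\\Local\\Temp\\xyz.dll,0004',
        'CommandLine: "C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL',
    ]
    print(flag_process_events(events))
```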