SHARE
TWEET

2016-12-19 Locky "Tracking Sheet"

Racco42 Dec 19th, 2016 (edited) 261 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-19: #locky email phishing campaign "Tracking Sheet"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------------------
  5. From: "luisa wallinger" <luisa.wallinger@overheadthealbatross.com>
  6. To: [REDACTED]
  7. Subject: Tracking Sheet
  8. Date: Tue, 20 Dec 2016 05:37:07 +0700
  9.  
  10. Dear all
  11.  
  12. please find attached sheet
  13.  
  14. Thanks
  15.  
  16. Attachment: Sheet 20-12-2016-9254.zip -> 24905681401.jse
  17. -----------------------------------------------------------------------------------------------------------------------
  18. - sender varies between emails
  19. - subject is "Tracking Sheet"
  20. - attached file "Sheet 20-12-2016-<4-6 digits>.zip" contains file "<11-12 digits>.jse", a JScript downloader (downloader is not encrypted as .jse would suggest, just plain .js)
  21.  
  22. Download sites (actual URL contains suffix ?<random>=<random> which does not influence download):
  23. http://alavatotal.com/byt4g3
  24. http://autonoom.org/byt4g3
  25. http://boyni.ru/byt4g3
  26. http://bummeln-um-die-welt.de/byt4g3
  27. http://canbal.net/byt4g3
  28. http://chmedonline.com/byt4g3
  29. http://conor.com.mx/byt4g3
  30. http://designerdogwear.com/byt4g3
  31. http://digital1.50webs.com/byt4g3
  32. http://drareum.com/byt4g3
  33. http://dream-road.jp/byt4g3
  34. http://drzalai.hu/byt4g3
  35. http://elfrasha.com/byt4g3
  36. http://followme.si/byt4g3
  37. http://forhealthatividadesfisicas.com/byt4g3
  38. http://hanavanpools.com/byt4g3
  39. http://hiveapps.co/byt4g3
  40. http://jira.fastfine.ru/byt4g3
  41. http://lib.yoll.net/byt4g3
  42. http://lombardimobili.it/byt4g3
  43. http://www.celoinvest.eu/byt4g3
  44. http://www.galerie-idees.fr/byt4g3
  45. http://www.garrox.com/byt4g3
  46. http://www.heartofchina.org/byt4g3
  47.  
  48. UPDATED:
  49. http://apocrif.ru/byt4g3
  50. http://cltserve.org/byt4g3
  51. http://cosita.awardspace.info/byt4g3
  52. http://crownfinancialsolutions.org/byt4g3
  53. http://culturepick.com/byt4g3
  54. http://cusushi.com/byt4g3
  55. http://dobrinin.ru/byt4g3
  56. http://dspace.us/byt4g3
  57. http://ecocredowoning.nl/byt4g3
  58. http://furniturlab.com/byt4g3
  59. http://galaxy-cosmetics.com/byt4g3
  60. http://gozovipsite.50webs.com/byt4g3
  61. http://hansfilz.de/byt4g3
  62. http://hennesseywelding.com/byt4g3
  63. http://www.dvdpostal.net/byt4g3
  64. http://www.falconriver.com/byt4g3
  65.  
  66. UPDATED:
  67. http://acp-dom.ru/byt4g3
  68. http://buzzardsroost.com/byt4g3
  69. http://bybeephoto.com/byt4g3
  70. http://cdsp.pl/byt4g3
  71. http://cherry-pik.com/byt4g3
  72. http://chinepromotions.com/byt4g3
  73. http://chmk.ca/byt4g3
  74. http://dechihuahuas.be/byt4g3
  75. http://deltaclub.org/byt4g3
  76. http://demail.eu/byt4g3
  77. http://directprotectsolutions.co.uk/byt4g3
  78. http://ellsley.com/byt4g3
  79. http://faithfull.kdm.pl/byt4g3
  80. http://gerkar.pl/byt4g3
  81. http://hongikmediaplus.com/byt4g3
  82. http://hootys.biz/byt4g3
  83. http://htocvt.org/byt4g3
  84. http://nui.tokyo/byt4g3
  85. http://rosenblut4u.de/byt4g3
  86. http://shema.org.ua/byt4g3
  87. http://www.bewustbv.nl/byt4g3
  88. http://www.cryoniq.com/byt4g3
  89.  
  90. Malware:
  91. - encoded on download SHA256 8a328f1550262db73c43be692e1a73ff06110dbaa39dbd90d95969c26cfa42ae, MD5 3fa1c27cbfda98a0ffb4171c3d25e40e
  92. - decoded SHA256 893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be, MD5 599713d3b9ad1607bd70f227e204fc84
  93. - executed by "rundll32.exe %TEMP%\<dll_name>.dll,novo"
  94. - sample https://www.virustotal.com/file/893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be/analysis/1482188508/
  95.  
  96. C2:
  97. POST http://176.121.14.95/checkupdate
  98. POST http://188.127.239.48/checkupdate
  99. POST http://193.201.225.124/checkupdate
  100. POST http://91.203.5.144/checkupdate
  101. POST http://91.223.180.3/checkupdate
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top