From Kathryn Smith [kathryn@powersolutions.com]
Date Thu, 28 Jul 2016 16:21:41 +0530
Subject Self Billing Statement
I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip, which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component from one of the following locations:
The scripts originally dropped one payload, which has since been updated to another; both are Locky ransomware. The C2 servers to block are exactly the same as those found in an earlier spam run.
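A mail-gateway style check for the attachment pattern described above, as an added example that is not part of the original post: it blocks zip attachments that contain Windows Script Host files and sends campaign-named archives that cannot be parsed for manual review. The function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Attachment naming seen in this spam run: "Self Billing Statement_<digits>.zip"
ATTACHMENT_RE = re.compile(r"^Self Billing Statement_\d+\.zip$", re.IGNORECASE)
# Script types run by Windows Script Host on double-click (assumed blocklist)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe")


def script_members(zip_bytes):
    """Return the names of script files inside a zip attachment, [] if none."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a readable zip; the caller decides what to do


def classify_attachment(filename, data):
    """Return 'block', 'review' or 'allow' for one e-mail attachment."""
    if script_members(data):
        return "block"   # archive carries a directly executable script
    if ATTACHMENT_RE.match(filename):
        return "review"  # campaign naming, but no script could be listed
    return "allow"


def _make_zip(members):
    """Build a constructed in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with harmless placeholder content
SAMPLE_BAD = _make_zip({"Self Billing Statement_4424.js": b"// placeholder"})
SAMPLE_OK = _make_zip({"statement.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(classify_attachment("Self Billing Statement_431.zip", SAMPLE_BAD))
    print(classify_attachment("invoice.zip", SAMPLE_OK))
```

The script check runs regardless of the file name, so a renamed attachment from a later run is still caught.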
1 comment:
Please find attached your Self Billing Statement for commission earned
this month, payment will be made on or before the 15th of next month.
If you have any queries with the statement or any amendments to your
bank details please e-mail ap@powersolutions.com as soon as possible
to prevent any payment delays.
Regards
Body text