Racco42

2016-09-28 Locky "Bill for ...."

Sep 28th, 2016
2016-09-28 #locky email phishing campaign "Bill for ..."

Email:
-----------------------------------------------------------------------------------------------------------
From: no-reply@hobbyshop.ch
To: [REDACTED]
Subject: Bill for papers 5581764-29-09-2016
Date: Thu, 29 Sep 2016 01:52:07 +0300

Attachment: Bill 5581764-29-09-2016.rar
-----------------------------------------------------------------------------------------------------------
- sender address is no-reply@<random domain>
- subject varies in format "Bill for <parcel|papers|document> <random number>-<28|29>-09-2016"
- body of email is empty
- attached file "Bill <number>-<28|29>-09-2016" contains file "Bill <number>-<number>.js", a JScript downloader

Download sites (actual URLs contain the suffix ?<random>-<random>, which does not influence the downloaded file):
http://81millstreet.nl/8g74crec
http://alamanconsulting.at/8g74crec
http://aseandates.com/8g74crec
http://bandbcreuse.com/8g74crec
http://baraderoteinforma.com.ar/8g74crec
http://birthstory.com/8g74crec
http://cafe-bg.com/8g74crec
http://cmcomunicacion.es/8g74crec
http://delphinph.com/8g74crec
http://droukulnad.com/8g74crec
http://econopaginas.com/8g74crec
http://eitanbehar.org/8g74crec
http://g2cteknoloji.com/8g74crec
http://gadget24.ro/8g74crec
http://globalremoteservices.com/8g74crec
http://gomelnaushnik.com/8g74crec
http://iachovski.com/8g74crec
http://ingpors.sk/8g74crec
http://kelownatownhomes.com/8g74crec
http://lafripouniere.com/8g74crec
http://mergrain.com/8g74crec
http://opmsk.ru/8g74crec
http://parentchildmothergoose.com/8g74crec
http://parroquiansg.org/8g74crec
http://pecschool.com/8g74crec
http://serenadacourt.com/8g74crec
http://sipcomponents.com/8g74crec
http://slaterarts.com/8g74crec
http://smokintech.com/8g74crec
http://spaciodentalrd.com/8g74crec
http://sundanceballoons.com/8g74crec
http://techsilicon.com/8g74crec
http://teothemes.com/8g74crec
http://travelinsider.com.au/8g74crec
http://undiaem.com/8g74crec
http://unforgettabletymes.com/8g74crec
http://veganvet.net/8g74crec
http://victorcasino.com/8g74crec
http://w3hostingserver.com/8g74crec
http://zdiaran.sk/8g74crec

UPDATED:
http://administrategia.com/8g74crec
http://disquesanciens.com/8g74crec
http://game6media.com/8g74crec
http://hollywoodjesus.com/8g74crec
http://mediumsize.org/8g74crec
http://parsasco.net/8g74crec
http://sonajp.com/8g74crec
http://unionathletica.com/8g74crec

Malware:
- encoded on download, SHA256 d40871f1b996a7d2c296defbb6cc443be7e85edf88308663034fa4d09284b635, filesize 278528 bytes
- decoded SHA256 b7a32686fc6560314f211388e118294ee182384b02bb723ad0cd5322e4044a00
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
https://www.reverse.it/sample/dc03b431d057c3fd0be42f83d9173d62feecfd396081ffdde6816bbc8f6edbda?environmentId=100
https://www.reverse.it/sample/c4f4508f118ed036849c268b2bf15cab60efed9f19c03099fb05883849d45a42?environmentId=100
https://www.reverse.it/sample/98d3417568e89e6f8c2ca60b959328f040dc19bbaa118b2f5b38c0d802487060?environmentId=100

C2:
POST 194.67.208.69:80/apache_handler.php
POST 89.108.83.45:80/apache_handler.php
POST ehkhxyvvcpk.biz:80/apache_handler.php [45.63.98.158]
POST rluqypf.pw:80/apache_handler.php [86.110.118.114]
POST kgijxdracnyjxh.biz:80/apache_handler.php [69.195.129.70]
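The notes above describe four observable stages (lure email, downloader URL, rundll32 execution, C2 POST). The following is an added detection example, not part of the original paste: it turns the indicators above into matching functions and runs them over a few constructed proxy-log, mail and process-log records. Every indicator is copied from the notes; the sample records, the `<ts> <METHOD> <url>` log layout and the function names are assumptions made for the demonstration.

```python
"""Detection helpers for the 2016-09-28 Locky "Bill for ..." campaign.

Added example, not part of the original paste. Indicators are copied from
the notes above; the sample records at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit

# Download URL path shared by every distribution site listed above. The
# ?<random>-<random> query string does not change the payload, so only the
# path is matched.
DOWNLOAD_PATH = "/8g74crec"

# C2 check-in: HTTP POST to /apache_handler.php on these hosts / IPs.
C2_PATH = "/apache_handler.php"
C2_HOSTS = {
    "194.67.208.69", "89.108.83.45",
    "ehkhxyvvcpk.biz", "45.63.98.158",
    "rluqypf.pw", "86.110.118.114",
    "kgijxdracnyjxh.biz", "69.195.129.70",
}

# Lure: subject "Bill for <parcel|papers|document> <random number>-<28|29>-09-2016",
# attachment "Bill <number>-<28|29>-09-2016.rar" wrapping "Bill <number>-<number>.js".
SUBJECT_RE = re.compile(r"^Bill for (?:parcel|papers|document) \d+-(?:28|29)-09-2016$")
ATTACHMENT_RE = re.compile(r"^Bill \d+-(?:28|29)-09-2016\.rar$", re.IGNORECASE)
INNER_JS_RE = re.compile(r"^Bill \d+-\d+\.js$", re.IGNORECASE)

# Execution: rundll32.exe %TEMP%\<dll_name>,qwerty. The export name is the
# stable part; %TEMP% may appear expanded (...\Temp\) in process logs.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*(?:%TEMP%|\\Temp)\\[^,\s]+,\s*qwerty\b",
    re.IGNORECASE,
)


def classify_url(method, url):
    """Return 'downloader', 'c2' or None for one HTTP request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.path == DOWNLOAD_PATH:
        return "downloader"
    if method.upper() == "POST" and parts.path == C2_PATH and host in C2_HOSTS:
        return "c2"
    return None


def is_lure_email(subject, attachment_name):
    """True when both subject and attachment name follow the campaign pattern."""
    return bool(SUBJECT_RE.match(subject) and ATTACHMENT_RE.match(attachment_name))


def is_inner_downloader(filename):
    """True for the JScript file name pattern found inside the .rar."""
    return bool(INNER_JS_RE.match(filename))


def is_locky_rundll32(cmdline):
    """True for the rundll32 command line the sample uses to run its DLL."""
    return bool(RUNDLL_RE.search(cmdline))


def scan_proxy_log(lines):
    """lines: '<ts> <METHOD> <url>' records (assumed layout). Returns [(kind, url)]."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        kind = classify_url(fields[1], fields[2])
        if kind:
            hits.append((kind, fields[2]))
    return hits


# Constructed sample records (not real traffic); hosts and paths are from the notes.
SAMPLE_PROXY_LOG = [
    "1475106727 GET http://81millstreet.nl/8g74crec?k3j2-9fd1",
    "1475106728 GET http://81millstreet.nl/index.html",
    "1475106731 POST http://194.67.208.69/apache_handler.php",
    "1475106735 POST http://ehkhxyvvcpk.biz/apache_handler.php",
    "1475106740 POST http://example.invalid/apache_handler.php",
]

if __name__ == "__main__":
    for kind, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{kind:10s} {url}")
    print(is_lure_email("Bill for papers 5581764-29-09-2016", "Bill 5581764-29-09-2016.rar"))
    print(is_locky_rundll32(r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abc123.dll,qwerty"))
```

The downloader check deliberately ignores the host, because the distribution domains are compromised sites that change between runs while the `/8g74crec` path is constant; the C2 check requires both the known host and the `/apache_handler.php` path, since that path name alone is generic enough to produce false positives.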