2016-12-15 Locky "Payment Processing Problem"

2016-12-15: #locky email phishing campaign "Payment Processing Problem"

Email sample:
---------------------------------------------------------------------------------------------------------------------
From: "Riley Henderson" <Henderson.Riley@clemocleckheaton.citroen.co.uk>
To: [REDACTED]
Subject: Payment Processing Problem
Date: Thu, 15 Dec 2016 23:29:43 +0200

Dear [REDACTED],

We have to inform you that a problem occured when processing your last payment (code: 3618289-M, $747.$63).
The receipt is in the attachment. Please study it and contact us.

-
King Regards,
Riley Henderson

Attachment: MPay3618289.zip -> ~_U4DQW_~.js
---------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Payment Processing Problem"
- attached file "MPay<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScript downloader

Download sites:
http://028cdxyk.com/mltxgc1
http://1688daigou.com/csuix
http://2lazy4u.de/ca4yq
http://adv-tech.ru/7p1jia
http://allan.multimediedesignerskive.dk/pohtr8mwl
http://amaniinitiative.org/ubaupn
http://antalyalaraklima.com/4qdytc9
http://artcoredesign.com/9ihg6by
http://atelier-coccolino.com/cvpphnaf7o
http://auto-zakaz.com.ua/phwcg
http://bantiki.me/hzzgidch
http://bikebrowse.com/qap3je2
http://blueprint-dsg.com/dtr22
http://bvntech.com/amrwwxei
http://chonamyoung.com/9vsdld
http://cprsim.com/h9o3msx
http://dealspari.com/r2jvx5h6kc
http://demo.ahost5.ru/dhvzqqbo
http://demo.pornuha4you.com/lba7ajvti
http://deutsch.awardspace.info/0zetkhmp
http://dicksmacker.com/qq4ctnrgc
http://dryerventexpress.com/pnpafot9g
http://elevationmusic.de/6gcg6
http://e-studiz.com/hn0hl7i
http://formatwerbung.de/axxlilgd
http://gieslerdavies.com/cjhwnit
http://goldenarms.myjino.ru/3wn40qkg
http://happyfeet.de/7rebctpqn5
http://hho68.com/hbowe
http://honestflooring.com/85i95u6vd
http://houssiere.daniel.formations-web.alsace/npqddd8b
http://infinitecorp.ca/to7jp7
http://kawagebook.com/5cbwdd5hap
http://kayamuh.sarf.com.tr/nou0chc
http://ledticket.com/pbmcdnx5rj
http://lucapotenziani.com/zjtguxf
http://mainlinecarriers.co.tz/ycj7o
http://martawyczynska.com/ilfvn
http://mbdvacations.com/ou8kkem
http://movewithgrace.ca/r8omwc
http://obccllc.com/tze5um3hh
http://old.strommarnas.se/yazezuw7og
http://seven-cards.com/xe2llygi
http://spikaflora.ru/zyubd6mlb
http://store.elixe.net/jltuvjpcsh
http://test1.zrise.top/isk90e
http://testlife.ruyigou.com/pv2ryezg7
http://theexcelconsultant.com/vp9u7tpa
http://thezenatwork.com/yd2c49vg0
http://topstoneisland.com/ud4jqd
http://tunca.bel.tr/uo3jnqkgxn
http://ustadhanif.com/q0w93lkrvp
http://www.boldrini.org.br/csneth51
http://www.chocolaterie-servant.com/1l38y2p
http://www.englishworld.it/w6ynmr
http://www.kottalgenealogy.com/vkwf5rll0s
http://www.sapol.it/ou8e1ftep
http://zapotech.com/sqagj4
http://zhongguanjiaoshi.com/mklu7

Malware:
- encoded on download
83b18bfa0f0ea4c91e06c7dededf0ffe1e47d03f96e5a443fd76af0a0ee2eab6  http___028cdxyk.com_mltxgc1
a1e9a3acab9b88f1b1b0163803447e2c88d7437b3fdfd02d5585c2de51957702  http___1688daigou.com_csuix
e5df90547f15ce224a4e393c70b19c01882e95a412f067441f047747bf41e1d1  http___2lazy4u.de_ca4yq
42ea0e10cf79a0723e67a0be8621c308306f5a2818589928cbf9f8b3997da946  http___allan.multimediedesignerskive.dk_pohtr8mwl
87fad71988400eefc2139cc3a3616fa21f683290b73247bc2b9ba37bba54e636  http___amaniinitiative.org_ubaupn
5740c7dc9879c655b313822517b709af884b7135a0696c0687b2c0874347d12b  http___antalyalaraklima.com_4qdytc9
99fbd9400b3d252f44384e4adda3d4816833d2d98b6e995097b99adf00bdf243  http___artcoredesign.com_9ihg6by
2cdacad8b8317da8e19021cd1e0dd04e7e15877d995df6cfcd2aad9c0af24e60  http___atelier-coccolino.com_cvpphnaf7o
f075b2cc9c2e44b06d8e0a5b3d30d0250d5f636c1683eb5275a87ab9ed35b2bc  http___auto-zakaz.com.ua_phwcg
94012941c43343097974d97763cff4356845607fdd468d84835c2b022f24b1ee  http___bantiki.me_hzzgidch
b1585999de7d1c355b4f24022dbdc35e3e4e29384b1b412cae5e80b2d0a2a83d  http___bikebrowse.com_qap3je2
5cd6f30355aa124ed87780c2dd9b3e9ccc125142a78c55da720fa8a598c47dbf  http___blueprint-dsg.com_dtr22
ab3d42819f39353b6eb45ce12e99d614caaa19efbf9900ab6720801167d49520  http___bvntech.com_amrwwxei
c8e81da73db72dd0e64901ab14b57b5f0e68c278d4affc503553e1cdd943eda3  http___chonamyoung.com_9vsdld
1a221f5f2d6f70f4b425e21556c2020929407d3f139db91e19521a9b8bbd28d0  http___cprsim.com_h9o3msx
c46c9072a3933dca5458db108873bdd64f3a1898d77ae4b52ef3c0c5ca8a3fd5  http___dealspari.com_r2jvx5h6kc
44a7c015e4873b23a31cbfb7fb9476d0df91e9d3cc3f7d5b855c87bbe8d084ef  http___demo.ahost5.ru_dhvzqqbo
4cc4b50d6c0ec3772cab4ea5a59cb0a3d5c36631c5e7b52951e1ccc6c2651318  http___demo.pornuha4you.com_lba7ajvti [1]
f3df4795deb7a7f36b79749dda7c97fd17ee4f6c976fb7c590eff1d344662ac9  http___dicksmacker.com_qq4ctnrgc
268ea8e8ff6fd6668db644cec2f195f58e24af29b4d34f196851ce5e40640b57  http___dryerventexpress.com_pnpafot9g
7ff08628dda6d07eb3d9f6aee9e0fd105d4df63fc0e704c140cc42750af63181  http___elevationmusic.de_6gcg6
d1b12518cdabcd6ae0736e96229b08297265ade16fe9a7e97b2061da300fc33a  http___e-studiz.com_hn0hl7i
ca023fab08bea5f800824e4804372276c2822676e0dd654305d43bb4e7fa1f4f  http___formatwerbung.de_axxlilgd
4b37957a5d57e4ca6f6a5491332c9f10e521e499140c103c11d24bf5b62c725a  http___gieslerdavies.com_cjhwnit
dc72d1f14d6fc34234e173cc003738f74b9deacda057a2c99f28f99f9c754d03  http___goldenarms.myjino.ru_3wn40qkg
ffd00735d289a3f92f2286fa5f4b2b861313617b1dc813ca039d151ca049ce88  http___happyfeet.de_7rebctpqn5
c6b1948217918aa929e0920ed4a0546c71e900ef707d480183f2846170adaba9  http___hho68.com_hbowe
9521dbca9670112fa588144fa5a4822293379cac99bb6a5c935df950d6971415  http___honestflooring.com_85i95u6vd
680ae74073a352a74bf87d314f4704927ec418a29fe8dd635cba28796cbf8294  http___houssiere.daniel.formations-web.alsace_npqddd8b
d44de2ea0d1333f4226ff49234fb8b2e151ee49afb94cb6fa0993920139a0360  http___infinitecorp.ca_to7jp7
9d527a9c9e64c1bf23b5e66a0f414026ff4c77ef3565c3dbcf0ece9a92cea77a  http___kawagebook.com_5cbwdd5hap [2]
3abc8bc9e5d8c05786b220f47d72fd75b8c752336381d25b9b8c29dafd119992  http___kayamuh.sarf.com.tr_nou0chc [5]
a95a109274b8528e758ff4fe0f4cc39c514e80c070d35115f1db0e9c27a89a20  http___ledticket.com_pbmcdnx5rj
26bd8f6888d688624c7c4b97a388b0c96c6318e0484a9dfb499c086434213513  http___lucapotenziani.com_zjtguxf
b2bd25d9a525245049b08a08e58c315e96ca149dc8c8b32a599eddb62941465d  http___mainlinecarriers.co.tz_ycj7o
c7afc0dab52159ce2ddcb182fc568875753287ab0eb84ce10d060fb29ed6c43d  http___martawyczynska.com_ilfvn
5d6468fb720fe48304d1ed0a39e3696193a96d44c2b58ff0a08e7493ca0fc175  http___mbdvacations.com_ou8kkem
7d49073e0fd3db7352e87b0ec905523840b9c6bf3917da3f8235fa797fba1056  http___movewithgrace.ca_r8omwc
9fa9ac0113a2e426ae27e0c260cb6700f179296513fdea1bbe7a4ce739008184  http___obccllc.com_tze5um3hh
4d63973d9c1a59c932e8706083c675bdea47c3c0151cdf0625c531c722565f60  http___old.strommarnas.se_yazezuw7og
5b827205964cebca51258d135dc99bc2adc5c429c9a165cb387623eca867dcb3  http___seven-cards.com_xe2llygi
7a000428f7b00040799906832759dd4a2845435bf38c057eff8b966dab825c10  http___spikaflora.ru_zyubd6mlb
154459b5c0f29ca104d9d212992764bb284d5cf3f1c9bec525b4ec8ff1a949a8  http___store.elixe.net_jltuvjpcsh
c87f1a31c7309760b7063ce94df46e29bb1e4b1ca5ed47e27a42f48710107e3f  http___test1.zrise.top_isk90e [4]
6b9bde2a9a64f5f4682fbe4164221c7f4dea5b85d1c065ef058c2e81965254e0  http___testlife.ruyigou.com_pv2ryezg7
a672a78794b972583ac80f99e8541e67e32cc5c3fefc891c40ba62d6495edb3c  http___theexcelconsultant.com_vp9u7tpa
d3ddaf001106c70c1b57c6f3147289c65a4340ca99f6490e85fa1657de1a188c  http___thezenatwork.com_yd2c49vg0
5b28f7104d734cb2f978fc0eca19afc77e085af0aae270ff9b6c1132f81117e8  http___topstoneisland.com_ud4jqd
58c243c30868f5487f7cc74713fb8d91833cbdd3fe35deb2a5e46e60aecae734  http___tunca.bel.tr_uo3jnqkgxn [3]
c0fcad199eeaec7779a8bace15a194df91c054bc1331ed0905f590ebeaad6f60  http___ustadhanif.com_q0w93lkrvp
cea33796e86f5fda0caac1d078085f05b9d02df7acdb385e701d1e577287ce8c  http___www.boldrini.org.br_csneth51
b383e22faef47aa78cb2fb23050893b5c020670d8c9257b0e85ddca87262070a  http___www.chocolaterie-servant.com_1l38y2p
96cfd93d259f3bc06ead97a0a62bdce6d3dc4607b96a374505c7cb7ab0663a20  http___www.englishworld.it_w6ynmr
b274f2e8e2abf4d0571f1f8736c46e584b49894ef6b25816aeb6cfbc62c18e8d  http___www.kottalgenealogy.com_vkwf5rll0s
0dbd5e95de3d1923cae17335d0b0035790ea7328762b741c60e8f23cca3630c8  http___www.sapol.it_ou8e1ftep
0dafd7df93c6db429329c971e91b8050e67a6aca1c8cec86ced2714b28bc9f45  http___zapotech.com_sqagj4
64fd485e3ab0e892703066c4d479c5f6709d48214fc8c0070743936394cb7a6f  http___zhongguanjiaoshi.com_mklu7
- decoded
1a8c0a8648ee8bb5822769e160e2d607614803c097c8884a7b144ccf00f780c4 [1]
18af5b240dec53a77e95982e39b08b6235bc235eb1e8267e2a93992eb66a1b19 [2]
f46923e5d6c9f23996b183fa5870a0daf0840ea06d4506abcd01d9ccf450f19c [3]
40614a8db9f111ec44c68f14e674f3e19c6da97f2844f249af563b4ad96a24eb [4]
01d3eb86fdfc9f90be328cae3bc37aaf97b568f569626db1a3b4a1830662dbad [5]
- executed by "rundll32.exe %TEMP%\<filename>.ZK,0QaQzdZN8Pft5YPfVEdEYu"
- samples
https://www.virustotal.com/file/1a8c0a8648ee8bb5822769e160e2d607614803c097c8884a7b144ccf00f780c4/analysis/1481887825/ [1]
https://www.virustotal.com/file/18af5b240dec53a77e95982e39b08b6235bc235eb1e8267e2a93992eb66a1b19/analysis/1481887832/ [2]
https://www.virustotal.com/file/f46923e5d6c9f23996b183fa5870a0daf0840ea06d4506abcd01d9ccf450f19c/analysis/1481887847/ [3]
https://www.virustotal.com/file/40614a8db9f111ec44c68f14e674f3e19c6da97f2844f249af563b4ad96a24eb/analysis/1481887855/ [4]
https://www.virustotal.com/file/01d3eb86fdfc9f90be328cae3bc37aaf97b568f569626db1a3b4a1830662dbad/analysis/1481887864/ [5]

C2:
POST http://178.209.51.223/checkupdate
POST http://185.129.148.56/checkupdate
POST http://37.235.50.119/checkupdate