2016-11-23 Locky "Attention Required"

1. 2016-11-23: #locky email phishing campaign "Attention required"
2.  
3. Email sample:
4. -------------------------------------------------------------------------------------------------------
5. From: "Jerrold Woodward" <Woodward.Jerrold@airtel.in>
6. To: [REDACTED]
7. Subject: Attention Required
8. Date: Thu, 24 Nov 2016 00:23:12 +0530
9.  
10. Dear [REDACTED], our HR Department told us they haven't received the receipt you'd promised to send them.
11. Fines may apply from the third party. We are sending you the details in the attachment.
12.  
13. Please check it out when possible.
14.  
15. Attachment: receipt_[REDACTED].zip -> QKB5D2772I3H3A7N.js
16. -------------------------------------------------------------------------------------------------------
17. - sender varies between emails
18. - subject is "Attention Required"
19. - attached file "receipt_<recipient name>.zip" contains file "<random upcase letters and digits>.js", a JScript downloader
20.  
21. Download sites:
22. http://4006600592.com/rqk0umu
23. http://asrcargo.ru/tk3na
24. http://chuzhang.net/e9ji7qa0
25. http://dhmodel.cz/gvkwiz0ht
26. http://focovi.cl/7trtuveg
27. http://frivill.hu/7g2kjrr
28. http://fu-k.jp/cmklw
29. http://gadgetdealz.net/pyq5v2rp
30. http://gigabothosting.com/kiltoonxqa
31. http://giochasach.com/gagqzjjnwe
32. http://golden-bereg.ru/dx1ltd
33. http://gold-or.ca/ap7yazjzlq
34. http://gpsfiles.nl/lywk0py
35. http://gpstrackerbali.com/fhhlgyh
36. http://grafian.pl/jaqn2ty
37. http://greentic.univcasa.ma/alzsxurzq
38. http://gremr.ma/hj4xku01
39. http://happyrushop.com/it1e5eav7c
40. http://hbmyzn.net/bbjnaw
41. http://heatsavingsystems.com/qvdson
42. http://helfter.fr/m7ud5qsmd
43. http://helpcomm.com/pfw9co
44. http://highlandsolar.ca/hlhc8jpj5y
45. http://hightradingfrequency.com/ehn4guw6
46. http://h-miyoshi.ed.jp/eggteyujbx
47. http://interprofil.no/imjsj7gh0
48. http://irinka.ru/vrsoiw7rw
49. http://islamhizmeti.com/4rn5re
50. http://i-solutions.cz/wdkdfg
51. http://ivocal.fr/tydqws08pe
52. http://iwebsdns.com/k0ais
53. http://janzwolinski.freehost.pl/v8xnbq
54. http://joelbodhi.com/pr1qz
55. http://joelbodhi.com/qalnt4t
56. http://joelbodhi.com/r94yyaty
57. http://joelbodhi.com/srcdv0jg
58. http://kleansys.com/y7oragomg
59. http://kolumbia.free.bg/trbwdtze
60. http://lecitron.org/rozculcvba
61. http://leliunion.net/e9nw7
62. http://leliunion.net/jhczf
63. http://leliunion.net/kwnlmbgrv6
64. http://leliunion.net/vt2dyzq
65. http://markscheffel.de/wqkgiuama
66. http://masterimob.ro/wbxglxsh
67. http://materlux.ru/qwn5gh
68. http://mdk-wear.ru/zwd98vmv
69. http://meshok.com.ua/vfaolaevk
70. http://mokinukai.lt/x4szqe
71. http://monster-high.com.ua/tah7tzqdfq
72. http://mufengzhai.com/yfnglx2
73. http://muricreklamcilik.com/6qycx
74. http://musicrecruiting.com/xjlecd5ju
75. http://mytourbid.com/5c32pzh
76. http://naruby.kvalitne.cz/t7h9qce6h
77. http://nicputeec.com/6rm6xf
78. http://noisecontrols.com/4nqceemivy
79. http://obsidian.cl/3zttsnxknq
80. http://oimeferio.net/glotrsefkp
81. http://oimeferio.net/sl60vc
82. http://oimeferio.net/u25orc
83. http://oimeferio.net/yjibxujt
84. http://ooomaksim.ru/591bwwbcu
85. http://orantpamir.net/el3w488r9
86. http://orantpamir.net/lyzj9ja1uh
87. http://orantpamir.net/om1twg
88. http://orantpamir.net/rtss2coyh
89. http://orthoskin.com/1e4mdliv
90. http://paddamar.net/0k0n5zjze
91. http://paddamar.net/gqmfsfvg
92. http://paddamar.net/irz4h
93. http://paddamar.net/w3l68g
94. http://panificadoraavenida.com/5ren2ksdu1
95. http://peruincoming.com/2asklonmy
96. http://rentalpark.com.ar/1useo
97. http://vikingradom.freehost.pl/jizvw5rg0u
98. http://wilson.ro/gghar9s
99.  
100. Malware:
101. - encoded on download:
102. 6a3caf52db3988c9b338770d24fc8b148754d61fdee687480975d4c292999501 http___4006600592.com_rqk0umu
103. 85ba230858a60558e7579b48c33e3d0058a43b85516dbecadeb432edcb1fcdd1 http___asrcargo.ru_tk3na [2]
104. 2be67e326ca41f85fcd0370ad7e8e84f0eaad3fd94be8f23322705ab940e0002 http___chuzhang.net_e9ji7qa0
105. de3442144d9c2888e3c2ea936c1a007491c56981c671706117baaa499693d1a2 http___dhmodel.cz_gvkwiz0ht
106. e018fe0973a93d7e73df096a08d0434be9d333e928b5b2036288241dddf61f55 http___frivill.hu_7g2kjrr
107. 17baaf09266604bc50ae832fcb6e68202a344721b7b26cad08c4717e3331af62 http___fu-k.jp_cmklw
108. e36c316668af7b2fbf4f3b2e8bcdef7c871559f5330ecd6b9889dd6f3aa03df8 http___gadgetdealz.net_pyq5v2rp
109. 334e2faf205ae3e368b2f62b9e111f197cb240f2fedc0d6ead4b87afe3a4b4e2 http___gigabothosting.com_kiltoonxqa
110. 6f411838276f97895ef5fe53be094163066d22fa6f45964089bc63c2e678bd6d http___giochasach.com_gagqzjjnwe
111. 14685c260e52c6e60ea9a13bd0d5a418d3308a670478d456390f0b5e73d9b665 http___golden-bereg.ru_dx1ltd
112. 3e6a365a7722962726e210173bef46d48222b1a545d818abcb5b08ef7c9f8607 http___gold-or.ca_ap7yazjzlq
113. 5f0cb614fa1ac4f724f6f0599f767b68c40ba1274cd26b2e6a3944e8beaebbd1 http___gpsfiles.nl_lywk0py [4]
114. 8a40092c2028fb9297f7219be1ea2800d470dd2b4e35c3325c7c7b1699215c4c http___gpstrackerbali.com_fhhlgyh
115. 9086490ed27e837653c12fa27986bebc55ac853b8170b5234c6ba7d6b206c940 http___grafian.pl_jaqn2ty
116. cc862d695280ee72ecf6d8a7482dfdc3c77ebd5723762284b9b0158cb1f0437e http___greentic.univcasa.ma_alzsxurzq
117. 0e3a8edf055dfeb6061e5254d4ac0c00c99aa8cffcee1848b4ab1d5e2c642e94 http___gremr.ma_hj4xku01
118. 47205c2faf771eefec043bb40d3c6f6827ba2142eca72c6c7f1e37b1804572cc http___happyrushop.com_it1e5eav7c
119. 8517c7f95dccb71551671f6f05b1d2f8308abf3a1d42a8387489dafa64dc2082 http___hbmyzn.net_bbjnaw
120. e89c5e4cc5f7f879a92bad328b140d7d60b6ca58aaf0e6d7e7626e5b81dcfd63 http___heatsavingsystems.com_qvdson
121. 2fa7a0182eddc4e65ae05344bf9b74ad71664fb0fea695497aced5823a46a8e2 http___helfter.fr_m7ud5qsmd
122. 656152d8c927126f956db1b33c7c227d39457fd1c45420e234fa1c44227e97a9 http___helpcomm.com_pfw9co
123. 90d4f681774542377bd4cb7d8ae5dfa8a520995342b5d1397e74635ba8d5562a http___highlandsolar.ca_hlhc8jpj5y
124. 27b0e0a71f1b6b825fb941e61b570a1633d89ac56678d09eee34f21469cb23ad http___hightradingfrequency.com_ehn4guw6
125. 99107c81f8e71985b0fba0f5b4a1fba336acd3d2c0b8c21ef4c4f9405e25ec50 http___h-miyoshi.ed.jp_eggteyujbx
126. cf556fd0c94d97b07592f7403f099250a0f756b78b04bf16b66d1eb94b074d4b http___interprofil.no_imjsj7gh0
127. b73c01a07ee58c6ac3898dd6d2a690739a124a4b084896b54ede3cc98e46d720 http___islamhizmeti.com_4rn5re
128. b102181376e7aeaeb093b0ec29adf0fc71176459be3ce42143836fd42f0a8590 http___ivocal.fr_tydqws08pe
129. d17be6532a28e663b4d636b13472e44d7157193fb62929b41b0fe583b0909379 http___iwebsdns.com_k0ais
130. 774d788a86ee1d4642ce5f9510936f5b8c9d8ba6d5f6fbfc728136b9e6cd443b http___janzwolinski.freehost.pl_v8xnbq
131. 99819236cd025c0854581c276c484160b6306e1a5007ea8adcfb36704e9062ad http___joelbodhi.com_pr1qz
132. 66de39c0fb972fca2dbd53e9e6923c29e796bb75a0af385884f7308958f70689 http___joelbodhi.com_qalnt4t
133. 7b8460c7f5f50e2064499febf255d9c54c6d3539461207f780eb100ffc9306fe http___joelbodhi.com_r94yyaty
134. 1876aa754208c0cfea4a5845636194dc0189ea418e1f3cd2e116de793637d567 http___joelbodhi.com_srcdv0jg
135. 2d5320f24da8f944b5b01de850712e2ce301d327fd9fbcb83f0a18310997dd52 http___kleansys.com_y7oragomg
136. 38fbb143a05a926bf67ef5300f17878516247b181f986833e0aad45ca5520b46 http___kolumbia.free.bg_trbwdtze
137. 7b7b59277a906e1f119d8e7626a270acf075c7580d765d9a7b3b79d1149f128e http___lecitron.org_rozculcvba
138. 0505b7b38f84e4cdb96a11e7ab510599563da4287ec378e88d90d2adfda5992c http___leliunion.net_e9nw7
139. 32d79e6bf7d478c6284dc0dcf3f1fcb4283901f2f5c41dcf35b359e1f45d28e8 http___leliunion.net_jhczf
140. ba9d36f9877879f15ed1df97c0e6b408571fa46539d2729253b1272bfbffc357 http___leliunion.net_kwnlmbgrv6
141. 1f4d611970785780090d5e0ea7408e7d7d2c3674a9d9a0c2ae280a889d92a313 http___leliunion.net_vt2dyzq
142. 93d46be040939f47878e678b5f59da039d1114612d2f57120e28d295cced9819 http___markscheffel.de_wqkgiuama
143. 59200c26621fb891fd97b643cf31c40c33c665b757878ff14d4d733ed8c379dd http___masterimob.ro_wbxglxsh
144. 115f600b26b5340fccfecf2ab5b296b80bed72b455680c310288bae294f26f8b http___materlux.ru_qwn5gh
145. 42429075dfe4f4bdc7b8054d9c8661f6936a91ec3c49413f4d76c78aff58b43d http___mdk-wear.ru_zwd98vmv
146. ecd462f1ca246f068786fc77407b87674c3c9fd8c4310064f06b81d6c5c86da6 http___mokinukai.lt_x4szqe
147. 78e87e0ae865e4c22f56d6f23a53f109a8054df02758df8bca10acb9096909c8 http___monster-high.com.ua_tah7tzqdfq
148. 8b7402f0b1f38a7cc51294a6f5c8ec109fea748b06c1ab7abc4afc347a972a45 http___mufengzhai.com_yfnglx2
149. bf276b6b98b3c1f9f30198f6dc9f6ba23e7638e1766fc940b5625966ec105bde http___muricreklamcilik.com_6qycx
150. 03816af40575d265b74a3a5970fbd41737adbde146c988eb778de6886dbb95a5 http___musicrecruiting.com_xjlecd5ju
151. 7356b4e4cf18288a3b4a7b67ffdd0f665b102c2b4d9c76f25616a54ddd7b6c6d http___mytourbid.com_5c32pzh
152. 50df3ba1f6a7b5f5945a86c065efb39226d242549445f8aedca8279395014395 http___naruby.kvalitne.cz_t7h9qce6h
153. 22d5ef4057b2322681b0fa7cdba0036be17947eaecddad792d812b7685dfcaa7 http___nicputeec.com_6rm6xf
154. 231d8c93a945cc33f2ccc3ef0b791f1f72c93f9ad78c57554db10933a1f02de8 http___noisecontrols.com_4nqceemivy [3]
155. 7dfa745be88dd7ed35e3b3890e8b1093dc5586c2ee479db31f2c29e9e56e1db9 http___obsidian.cl_3zttsnxknq
156. 63d384f015d6db7ca24afbd0ae992dd8d28ea1dd3034463e51090ef64c9dbf0b http___oimeferio.net_glotrsefkp
157. 698da725752063b7ff076cfa84f26c8a833e857e0c9fedf42282936ab3bf2088 http___oimeferio.net_sl60vc
158. 181e6406901afc79ea129299fbf432e2babde61241bb7acf8d6fb4c477c139f0 http___oimeferio.net_u25orc [1]
159. 7d1eb456f54ca5dd020f7b72ecffe7d06f1f87fec91fdae555f3098b73a410bb http___oimeferio.net_yjibxujt
160. 914770058a53342fe68b7964e59aee24ce74592ac631f9c5b2c0d809802f3427 http___ooomaksim.ru_591bwwbcu
161. 8fdc893a6b5ed48f97276d37bdf7d257148c867dcaa66f4f36a211ae499a9224 http___orantpamir.net_el3w488r9
162. 32508e66382ad7965d25e915cd6618705e41089b32b17513441eadc064b2e081 http___orantpamir.net_lyzj9ja1uh
163. 3799ee952595746696dbce8c0a485a375e1a591a848e639c3b57cdc85ca800c1 http___orantpamir.net_om1twg
164. 96ad734a215f075e710ca4987e15eb88e00375cc8467a9d77b44afd74611b476 http___orantpamir.net_rtss2coyh
165. 516e60d41089e6171c89647f021ee43ddaa25e58929e051e5a102aecd1177ac4 http___orthoskin.com_1e4mdliv
166. 71fe46858593083ad60a242d40a06dea5e47362ce542a9694a52d6baa8ae695a http___paddamar.net_0k0n5zjze
167. 00c7496a6b4ba948214735d6b04cc5f7f9dbf8225eb6cf2a57e884530d946eff http___paddamar.net_gqmfsfvg
168. 8219fbbebdc62340ff922bb4e2b64f67a26ffeb624d49831b4f24ebdbcfcd1c2 http___paddamar.net_irz4h
169. d333ede38b87b72fbefdbace6147d82d3949785fb485858848af62888e2fff4c http___paddamar.net_w3l68g [5]
170. 2e59b9a764f5a786d94a40a1544a5176a015e1e328a3d5af87c9cc4f275259d0 http___panificadoraavenida.com_5ren2ksdu1
171. 9927b60787ce1b660deb6a3f796d30d14773752009ee2d1298a280af3f218ca7 http___peruincoming.com_2asklonmy
172. 82520faed846998c544fac9bfdf25165890d15f3e76febfbfb7d7f83cf870385 http___rentalpark.com.ar_1useo
173. 651eda5f59a51c891634a53e16814425722fd15fa136debff721a84867d15e49 http___vikingradom.freehost.pl_jizvw5rg0u
174. - decoded
175. 1e38e8a161c2da46561eba97c86074546a7bc6d8fe820416e197a214815e4e6c [1]
176. 5e448e607111b4c1cd1bc34ccccfee32827bd06eacd04ccfb5f754245bbc0027 [2]
177. 4f7198f7a180ec0087d88f58b62af438ef4f3449edb6e925ce399664e61c9d76 [3]
178. 59b705084f23b382b8ff146bc5cc0ef42435bc9fb358c832974d5c6a534e74c4 [4]
179. 6a915350461d4b9452fe4261af91ff965e62d056471fea81644d49a8c6bd601f [5]
180. - executed by "rundll32.exe %TEMP%\<dll_name>,y600cBdKt5HYiTFVZ2d2zeKKA1n"
181.  
182. C2:
183. POST http://46.8.29.176/information.cgi
184. POST http://95.46.8.175/information.cgi
185. POST http://ayamspq.click/information.cgi
186. POST http://buhymxevtxw.su/information.cgi
187. POST http://cfenwdknibebspcv.pw/information.cgi
188. POST http://dtfnfxhapjy.su/information.cgi
189. POST http://gflmbdprdxfqkwffc.su/information.cgi
190. POST http://hbvgmensk.org/information.cgi
191. POST http://jtfirirnurnnopyd.ru/information.cgi
192. POST http://kmyllud.ru/information.cgi
193. POST http://ksyfkbebtdh.su/information.cgi
194. POST http://nglfueplskojeq.work/information.cgi
195. POST http://nqwsatjtjepmecc.xyz/information.cgi
196. POST http://ogqwjmgcejfsgfxbh.su/information.cgi
197. POST http://osohihqtjyvxte.ru/information.cgi
198. POST http://rhifaouxqbcvva.pl/information.cgi
199. POST http://swtfgrmkudtlcawkt.su/information.cgi
200. POST http://tufvchfnyfasfhyh.pl/information.cgi
201. POST http://wuismdvolqbhlrcm.click/information.cgi
202. POST http://xgjjaedtahckomf.click/information.cgi