2016-12-16 Locky "Subscription Details"

Racco42, Dec 16th, 2016
2016-12-16: #locky email phishing campaign "Subscription Details"

Email sample:
-------------------------------------------------------------------------------------------------------------------
From: "Jannie Mclean" <Mclean.Jannie@emailland.worldonline.co.uk>
To: [REDACTED]
Subject: Subscription Details
Date: Fri, 16 Dec 2016 18:11:51 +0700

Dear [REDACTED], thank for you for subscribing to our service!
All payment and ID details are in the attachment.

Attachment: user5532298.zip -> ~_0BN7RGB_~.js
-------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Subscription Details"
- attached file "user<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScript downloader

Download sites:
http://2picme.com/jxiatuol
http://aacom.pl/rgk4aoc
http://agyemang.com/9drunmpi
http://analypia.com/21cm54hm
http://banhang123.com/kscg7
http://brighttrading.net/a7uszjh3o
http://brookstonemanuals.com/ycabkjgdv
http://calderon.com.mx/qwpnqxwkl
http://dcareug.com/3ts0v
http://easylation.com/wekocn6kmg
http://ecnffa.za.pl/yslx59h
http://facerecognition.com.ba/fjem4
http://fiddlefire.net/hvkoxidq
http://gallery.mohammadtarighi.ir/gdiclpgq
http://gunungsari.co.id/9ssqssvnw
http://image.ddianle.com/g56bmsie3h
http://inside.dljtjt.com/0gufg
http://inzt.net/rba6g3nnxq
http://ivibohoc.url.ph/xqkoziuxvk
http://kathymerrill.com/hqnfsc
http://kh2.co.uk/5sibczx4gx
http://kirulya.com/scfv1ofdh
http://kserwis.pl/lozyg
http://ktlelektro.cz/1jenzg25wy
http://kurou.bokunenjin.com/undi59e
http://medianisprint.com/woarfryxsw
http://minis2.com/yrjwmun8
http://mprotectcorp.com/opudc
http://msveletiny.cz/ftcvd
http://pcflame.com.au/ngihv
http://perspektive-fuer-kinder.de/1e1dip
http://promgazenergo34.ru/onlj99szd
http://rdsc-seminar.com/jlb4fdxt
http://rondurkin.com/c6w5pscmc
http://s393640255.onlinehome.us/ygls8gycs
http://seaf.ch/s7lyen4j
http://shomesofa.com/jnobn54
http://stoneofliberty.com/fvjhcy
http://taladm.ru/myqqrzzndi
http://v-english.com/gfnb3r
http://vivvn.com/rafd5un
http://webfutures.net/cuxdyilq
http://weegee.fr/2d3xb74cif
http://www.dazzle-events.be/qal8lxme
http://www.enhansit.com/z2lgjv
http://www.lauraleedonnelly.com/qjiwhmrx
http://www.mywoc.ca/p29t8
http://www.ninthdistrict.org/wkvmds
http://www.servipisos.com.ar/sn2ugvyws
http://www.sitivisibili.it/jckudg0
http://www.stavros.ca/4woi2zlse
http://www.stavros.ca/c1ehjm
http://www.thepasobueno.com/usrcgntw
http://www.tourist-car.ru/v0uiwotu
http://www.zscio.com/uutfjime
http://xiaojinsong.com/0igjg
http://yellowstudio.pl/u7ky2cyi

Malware:
- encoded on download (SHA-256 of each payload as served by the download site; the bracketed numbers mark the payloads that were decoded below)
38bb8b18491c56b7f1273abd07898c91466506043bbc218d174121a4503cdd8f  http___2picme.com_jxiatuol
c46833c1da432a21198e6ad39b570457a7bb1c5855bfd5867ff324dd609a9fc9  http___agyemang.com_9drunmpi
3f106de384b8c5c335169162fbb6964967c682b32b611f2626748ed04111ddf8  http___analypia.com_21cm54hm
6381dd3ee58c3fe718edb8daf372bb8f78a81bd6eead864f75a32f4055c2b508  http___banhang123.com_kscg7
70f77228a85a3b99320663ed5da81e8eeec875b5e7c1a81abcdbdf127f061a4e  http___brookstonemanuals.com_ycabkjgdv
563fd681f256b89937cbba86011768cba316aa53cf25e4465d6d6dd32fc5faa9  http___calderon.com.mx_qwpnqxwkl
52f8d69b3c6663e33d48fe28715a006a5a85616bca7223bd9a8fd6672a0d1afb  http___easylation.com_wekocn6kmg
c79463ed7bb3dd3454cd0882b5ce874bbfc3cca4bc649d64a5a288169dac36c8  http___facerecognition.com.ba_fjem4
051d9c8d521b035d5c83a56a9c82efefadbf00bf06f15faba48953751da01bb1  http___fiddlefire.net_hvkoxidq
5a888b453d9391661e12bcd70d9ad9efb1313e68f3f8402ec6a203e2db1e0749  http___gallery.mohammadtarighi.ir_gdiclpgq
3ba8e6dee40995c20ea7ac5d1e955a6ebf753ee0e53847b73910ed1ee2d4a8ba  http___gunungsari.co.id_9ssqssvnw
d00f6105bb4fd735b9b265c3b6cfad846284dd4841fda17720ad585d4596c802  http___image.ddianle.com_g56bmsie3h [4]
248170ffdc031a62635c35d05a049919cd8bab3838cf67cbe04053935927bf1d  http___inside.dljtjt.com_0gufg [6]
cfb1874527f2bbeb708d9470e3ec586f1939d9c4f97f812fb0400db6c38da912  http___inzt.net_rba6g3nnxq
9fb164f44c9b78c8ba96e1af0084acfc714789ecc635e02fe4e5e937d07c1d44  http___kathymerrill.com_hqnfsc
21232fda5192f9802f7a3515e2ac806ff9335dfd71b90d35df84a141bcd41519  http___kh2.co.uk_5sibczx4gx
8409d004dcee3b2a569f84ed2eeb244a0dcbe32828a7a1416f7c80641714c73a  http___kirulya.com_scfv1ofdh
9d9cfdea6437efad02bbae08e20dbccaa8c4129a5110dc7aa0e8331060d651f1  http___kserwis.pl_lozyg
8b50ad3642efb7093eef3a8916fee6f901995ff89802d973ed0475cd0e1cd546  http___ktlelektro.cz_1jenzg25wy [3]
e856a302261d293e750a54a9a323d79acb5befc32ac2e8a363c0242e01fa007f  http___kurou.bokunenjin.com_undi59e
8edcf8f62678e2dbfee243523d2df7259bb2a6fd813fa515d8bfc5d98062bd59  http___medianisprint.com_woarfryxsw
08e2628d0cf85e020e161ada7c0f0c009be4590940aef412f81641be0d7c609b  http___minis2.com_yrjwmun8
35df8a88fa8bd8343e97da1b396916695e6ee4a114fba26b13635ee3a1173952  http___mprotectcorp.com_opudc
b0484548b5174a127b0f1efbc1080410016d774845f54084db1bfd36f6cde54e  http___pcflame.com.au_ngihv
f3dc0e61590ff55d0c564bb181d6d2b0f27fe6702579e3dfcd10762ea7e03e61  http___perspektive-fuer-kinder.de_1e1dip
47e2289bf78b6f9ce653215f520cbea2b580d4a49dabdbc02d0264c3edadbde4  http___promgazenergo34.ru_onlj99szd
a5fa1f5b7ac00bc6ad41797e3c878b987e3ef498adc7e288b6ed33bd4ab173a7  http___rdsc-seminar.com_jlb4fdxt
4156a19772b65efaf81ebf25b2db977389c04d0424a150e4e289544e46a94761  http___rondurkin.com_c6w5pscmc
2579861043d9a045327f987fad07d2ba9961bffe3ffcb6001ad1068e8c422b91  http___s393640255.onlinehome.us_ygls8gycs
cfe25a30a3e387f50e3ff4b5e8ca33c15c5de85cc5ed1d4397cce4c0b829b19e  http___seaf.ch_s7lyen4j
b62512a51c63a85b0b674d2800fb68579bfd2ff364ca4be6debdc3e581b3d6cd  http___shomesofa.com_jnobn54 [5]
36f2808090a679130dd9cf2c4e88bf7657f3a84f07eb8a1050d7242baf4f6a2d  http___stoneofliberty.com_fvjhcy [1]
a1230526836ae5e88d4dc106838b9bd0657d7272082c7fe2db62ba238dc73266  http___taladm.ru_myqqrzzndi
ec603e5b385baf25bcf9f766a7c294c19602c06d2d5cf63b064c0e53cefc3460  http___v-english.com_gfnb3r
10d8fd5cd80e4f290aab3061efc0966bd56241667d515015b9c69ca233b79c3c  http___vivvn.com_rafd5un
bb9e9be4d33f5092a7faf967437293bac8478a38c91383514799a65ddeecbbed  http___webfutures.net_cuxdyilq
dc73f63fc6075b3985190ab9633f662cfb92407f60e44c390ee54b9d74ef6d39  http___weegee.fr_2d3xb74cif
c3b777cb817cf5785c589bd08432d8e466f92f8cb23c4cfcf7407f61fdf732cb  http___www.dazzle-events.be_qal8lxme
97b95e14bdd6890f2aeb9d730bcedc86e17aae181ad4039f07b00675a1569a0e  http___www.enhansit.com_z2lgjv
e651644bb90c84d682f48a91d84617a99035d4e1d1dec477bb6fe50f244e8d0c  http___www.lauraleedonnelly.com_qjiwhmrx
ce5fc1fe43fab3494c383d9374dc88ee9c86c06f90e6f0891feeb72b20f780d2  http___www.mywoc.ca_p29t8
2f519292cde78c075c5a0bd28d744a945669e5d42010a5473b00af1d79d2dcc0  http___www.ninthdistrict.org_wkvmds
4ba5fecd779e5fff8702a5ad1d4a4d89d107f7e7d7bfa7c89c73304e19224624  http___www.servipisos.com.ar_sn2ugvyws
12b377a9bd819105a51aa9aab5522e4a2ac802cc00bc811a25758b7bdfcea55d  http___www.stavros.ca_4woi2zlse
6c8dc070346dcdf5048987f3e346f8ca4fcdddde984a563abd25359216db792d  http___www.stavros.ca_c1ehjm [2]
eb2dae77c46345f717d1534631a8b37172db39b1b933fa5a3d363874c107533f  http___www.thepasobueno.com_usrcgntw
895f09d1c6da4ff8b9786cfa8b999652f86292f9fc27d04bc7461d3f328da121  http___www.tourist-car.ru_v0uiwotu
e5b7dc13c4d88299793b41ee20b3a787bffbeaa6eda5ea15281767edd3a8a444  http___www.zscio.com_uutfjime
d5f3e4c0b7f98d07138ac60a7b6cb6b6427e19b08ab1a016e77b2878c6f0213d  http___xiaojinsong.com_0igjg
a9d1604b2b2e8ec56695bb05a14609e7e4ff8540d932c81e72b083a743fb1583  http___yellowstudio.pl_u7ky2cyi
- decoded (SHA-256 of the decoded payloads; the numbers match the downloads marked above)
d48c5242f2c264829ef2acf7b2dd9567125c0602baaf23b8c21a014e1c8247e6 [1]
1af3dfa7989e1081c99e6b2a676d0ada2808ca9758f2dbc6e1eadb76a5c80970 [2]
2dc5b81fd272de4b0c06ec725bda86320f5fa5558e5b9ff19b9c319627349ab0 [3]
1b4294dfd90a073ae4a1820db9127fc562448160a4a53b56db9abffb6a7ee3d6 [4]
ae1ade6559d774dc9103ed9da3ac8d454bd6e612dd9b66711e39eec33bbda0d9 [5]
184d0e4a0d8e07ea9a7ea8323fbc5a121004619f0c3810ebb1314c5464a83af6 [6]
- executed by "rundll32.exe %TEMP%\<filename>.ZK,ss4UauNfMNMcIepOTL3ZMr" (the decoded payload is a DLL dropped in %TEMP% with a .ZK extension and run through rundll32 by export name)
- samples
https://www.virustotal.com/file/d48c5242f2c264829ef2acf7b2dd9567125c0602baaf23b8c21a014e1c8247e6/analysis/1481890123/ [1]
https://www.virustotal.com/file/1af3dfa7989e1081c99e6b2a676d0ada2808ca9758f2dbc6e1eadb76a5c80970/analysis/1481890141/ [2]
https://www.virustotal.com/file/2dc5b81fd272de4b0c06ec725bda86320f5fa5558e5b9ff19b9c319627349ab0/analysis/1481890158/ [3]
https://www.virustotal.com/file/1b4294dfd90a073ae4a1820db9127fc562448160a4a53b56db9abffb6a7ee3d6/analysis/1481890176/ [4]
https://www.virustotal.com/file/ae1ade6559d774dc9103ed9da3ac8d454bd6e612dd9b66711e39eec33bbda0d9/analysis/1481890190/ [5]
https://www.virustotal.com/file/184d0e4a0d8e07ea9a7ea8323fbc5a121004619f0c3810ebb1314c5464a83af6/analysis/1481890204/ [6]

C2:
POST http://178.209.51.223/checkupdate
POST http://37.235.50.119/checkupdate
POST http://91.226.93.111/checkupdate
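The indicators above (attachment naming pattern, download URLs, rundll32 loader command line, C2 POSTs) can be turned into detection logic. The following is an added example, not part of the original paste: a small Python script that checks mail attachment names against the "user<7 digits>.zip" / "~_..._~.js" pattern, scans proxy log lines for the download URLs and the /checkupdate POSTs, and classifies rundll32 command lines. The proxy log format ("<timestamp> <client ip> <method> <url>") and the sample log lines are constructed for the example; only the IOC values come from the paste, and only a subset of the download URLs is included to keep the block short.

```python
import re
from typing import Dict, List

# IOCs copied from the paste. Subset of download URLs; extend from the full list.
DOWNLOAD_URLS = {
    "http://2picme.com/jxiatuol",
    "http://aacom.pl/rgk4aoc",
    "http://www.stavros.ca/4woi2zlse",
    "http://www.stavros.ca/c1ehjm",
    "http://yellowstudio.pl/u7ky2cyi",
}
C2_HOSTS = {"178.209.51.223", "37.235.50.119", "91.226.93.111"}
C2_PATH = "/checkupdate"

# Attachment naming convention described in the paste.
ZIP_RE = re.compile(r"^user\d{7}\.zip$")
JS_RE = re.compile(r"^~_[A-Z0-9]{5,7}_~\.js$")

# Exact loader command from the paste (DLL with .ZK extension, fixed export name).
RUNDLL_EXACT_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\[^\\\s]+\.ZK,ss4UauNfMNMcIepOTL3ZMr", re.IGNORECASE
)
# Looser behavioural rule (assumption, not from the paste): any .ZK "DLL"
# loaded by rundll32 out of a Temp folder, whatever the export is called.
RUNDLL_TEMP_ZK_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\Temp\\[^\\\s]+\.ZK,", re.IGNORECASE
)


def is_campaign_attachment(zip_name: str, inner_name: str) -> bool:
    """True if the zip and the file inside it follow the campaign's naming pattern."""
    return bool(ZIP_RE.match(zip_name) and JS_RE.match(inner_name))


def classify_rundll32(cmdline: str) -> str:
    """'exact' for the loader command from the paste, 'suspicious' for a .ZK DLL
    run from a Temp directory with any export, 'clean' otherwise."""
    if RUNDLL_EXACT_RE.search(cmdline):
        return "exact"
    if RUNDLL_TEMP_ZK_RE.search(cmdline):
        return "suspicious"
    return "clean"


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Match proxy log lines (assumed format '<ts> <src_ip> <method> <url>') against
    the download URLs and the C2 POSTs. Returns one hit dict per matching line."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        ts, src, method, url = parts[:4]
        m = re.match(r"https?://([^/]+)(/.*)?$", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        if url in DOWNLOAD_URLS:
            hits.append({"ts": ts, "src": src, "stage": "download", "url": url})
        elif method.upper() == "POST" and host in C2_HOSTS and path == C2_PATH:
            # A GET to the same host/path is not the beacon the paste describes.
            hits.append({"ts": ts, "src": src, "stage": "c2", "url": url})
    return hits


# Constructed sample log (not from the paste); only the URLs/IPs are real IOCs.
SAMPLE_PROXY_LOG = [
    "2016-12-16T11:12:01Z 10.0.0.23 GET http://2picme.com/jxiatuol",
    "2016-12-16T11:12:02Z 10.0.0.23 GET http://www.stavros.ca/",
    "2016-12-16T11:12:09Z 10.0.0.23 POST http://178.209.51.223/checkupdate",
    "2016-12-16T11:15:00Z 10.0.0.42 GET http://91.226.93.111/checkupdate",
]

if __name__ == "__main__":
    print(is_campaign_attachment("user5532298.zip", "~_0BN7RGB_~.js"))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(classify_rundll32(
        r"rundll32.exe C:\Users\a\AppData\Local\Temp\payload.ZK,ss4UauNfMNMcIepOTL3ZMr"
    ))
```

The attachment check belongs at the mail gateway, where the zip can be opened and the inner filename inspected before delivery. The rundll32 rule is the one worth keeping after the campaign ends: the export name is specific to this wave, but rundll32 loading a non-.dll file out of %TEMP% is abnormal on its own, which is why the looser pattern is kept separate from the exact match.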