2016-12-02 Locky "Please Pay Attention"

2016-12-02 #locky email phishing campaign "Please Pay Attention"

Email sample:
-----------------------------------------------------------------------------------------------------------------
From: "Roland Phillips" <Phillips.Roland@btopenworld.com>
To: [REDACTED]
Subject: Please Pay Attention
Date: Fri, 02 Dec 2016 10:33:37 +0100

Greetings! Informing you that the contractor requires including VAT in the service receipt.
Sending the new invoice and payment details in the attached file.
Please open and study it as soon as possible - we need your decision.

Attachment: SCAN_[REDACTED].zip -> -547m620v8fc00f5.js
-----------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Please Pay Attention"
- attached file "SCAN_<recipient name>.zip" contains file "-<random lowercase chanrs and digits>.js", a JScript downloader

Download sites:
http://rgservice.dk/hsch9ggo
http://skazko.ru/tijaa
http://softpark.ru/rdohhuihjm
http://soliciel.com/phiafm
http://solopilates.dk/12fb95
http://sorrentokhonkaen.com/bs7bv
http://specimengear.com/n6xzw
http://specimengear.dk/kfcwp
http://sportsfoliorewards.com/eyuzq
http://stateoforigin.com.au/pdbto87abw
http://Stimmwissenschaften.de/rel1qh3o
http://stitch.com.ua/dn5jgs
http://stokmer.com/wnrsmbee4o
http://stonexp.cc/u70ev
http://stoutoniaonline.com/1ubwf9cdx
http://styr-bud.com/dwzhvaat
http://sukko-diona.ru/fykps1
http://sultan-pepper.com/qdsqdxbrdl
http://sundanceballoons.com/lgpot
http://sunmed.pl/bnpcnso5wg
http://supermarkety24.pl/levsyp8vp
http://sxfybjy.com/71ltb8n0ff
http://taianren.cn/xfb0xuv8
http://takipediliyoruz.com/hfu56
http://talk2win.com/mwcwwshdw
http://tangmocar.com/rsjfr4s8
http://taphaco.com/hwpskvk1
http://taskki.com/c86oa
http://tasmaew.com/ivkag7
http://tech-mark.co/9xflayfr
http://technolib.ru/gakjym0q
http://teekayu.com/q2q2j
http://tenney.cl/wezgxxo
http://textilewarehouse.com.au/muo69p
http://tfeambalaj.com/ryvpdr
http://tgr161.ru/tnjlpwmnw
http://thamtutuuytin.com/kn4mdmsfk
http://thanprints.com/pkovldxh
http://thcsgoxoai.com/efwjh3
http://tolgateker.com/guxintpw
http://topshop.ro/unwyavwq
http://touchstonelab.com/iw0ksm
http://travicoperu.com/do7akjpjbw
http://tsira.net/ssjrwd
http://unit11apps.com/r46sglhwl
http://universalwallpaper.com/qgoqud
http://veatripsandtours.com/pupom
http://vershina24.ru/w3vqtp
http://versols.com/coeh2
http://vipmarketing.co.il/dz42ua
http://visitfallonnv.com/omrvygf
http://vktechs.com/8ey2yv
http://www.stavros.ca/2c99e

Malware:
- encoded on download
c7a323d245d92281c2d7955c9c74e6d69cd7117fbf26f9f4aec2d9911bac682d  http___rgservice.dk_hsch9ggo
6e11aa9d5530ec7330f797c62cf46f7aad42779d60af8d5df859562b1007de56  http___skazko.ru_tijaa
9e0f0509d389b7216a5396667ad14968f943b95c8662b01a0cc5d539011c1636  http___softpark.ru_rdohhuihjm
23e86697d7d84d09c56390617d6e51c85d02a2d0a34a959f14a66ac2e176904c  http___soliciel.com_phiafm
f270db78ef2fe9b628b875488851340dbbd13df66bb420763474345e96a91fdf  http___solopilates.dk_12fb95
2062f8b1b6ee3d1bae91790b03d9610739e8af6f25f2b757fdb52947d0e00ddc  http___sorrentokhonkaen.com_bs7bv
6ef16059ad4c922765a548720f3a31f9c3e92ba4166929ba9267f41177c6ea17  http___specimengear.com_n6xzw
567d6bb0de9e58fddd426d934f6c58f84cc78dbd585bd253c74ee3dd2a8d17e8  http___specimengear.dk_kfcwp
ec38df6a965d95050f3ed0f918113c8d8a243acf31ec78e8cde58a8914b7fcc6  http___sportsfoliorewards.com_eyuzq
f7ff182498e4b35fa7dd36ce37828c830b2a8dcf37f07d758843fcddf8303eab  http___stateoforigin.com.au_pdbto87abw
a621b79223917c38721db3472cbee7170bc18764eca4f2bc4000acff8071179b  http___Stimmwissenschaften.de_rel1qh3o
0cbc3880c535817fba5e2e8b678588c885b6be94fcf05aa4e472d87eb2206925  http___stitch.com.ua_dn5jgs
8b46bf08f994494443ed514ae045027ac541e8972f62c3d45d834f9ff18613b5  http___stokmer.com_wnrsmbee4o
de091adf34544a934bc978717245067339cf435bf52ae114b5a138bd3e2e10fa  http___stonexp.cc_u70ev
0c1d65bef9bab5c2659429e7304d6451be960d4ee3d6051142660b5c972a9296  http___stoutoniaonline.com_1ubwf9cdx [3]
5f1e65020246674a39a5506b3a404fea39efc0103f07ed0490cb660f3d455fee  http___sukko-diona.ru_fykps1
7897c1a300226ca4882507fa851882b5483ca2904137578f57a94ca01b4e4430  http___sultan-pepper.com_qdsqdxbrdl
cad7f9d89995405fb002ab9c0b7c91263c2730014abe96f3c5a26085260ec7c0  http___sundanceballoons.com_lgpot
93d401890a0d9e8beecde2421c49cb5e64746f5044364dc2a2e248f79340250b  http___sunmed.pl_bnpcnso5wg
679a9bf0d652b5ccea1f5dbd486f5a9c51d6ffd38c3b47ce26da7c8a401ae6d0  http___sxfybjy.com_71ltb8n0ff
392e3d965c52fb9b035501a64672e32a9b2444eea310b8038b888e1f310e14c4  http___taianren.cn_xfb0xuv8
b156284da4fa2a1153e289aa1a1247ad0469f3cb56872c2b79e1ac55d867cfae  http___takipediliyoruz.com_hfu56
7d80769e969a721428e1f045b2933f1f1489d3437bbd6b68a9c8c96b41c0286e  http___talk2win.com_mwcwwshdw
1160deda48b733b34aa53893ac0690b4da76ed92e1464709dabf6e9614925ae0  http___tangmocar.com_rsjfr4s8
b57d52c4e8326e26fc57c01fb06dfc4eacbf48008dcb58261e1e41b65aa12474  http___taphaco.com_hwpskvk1
7e3a77d1c56e748ed7be39b069a54fa7eb36eb03687affa9844429cc8de2fdcd  http___taskki.com_c86oa
5f43df30ad1f3c296e05637c210eb15d807b96990a5e52a01c715a88440e8a23  http___tasmaew.com_ivkag7
5aa47c019590f70922f1efe455e770b53b10f055778cc3754ce131d465395adf  http___tech-mark.co_9xflayfr
6c4447f62cf2997547c5929ae2469c44848994f70787be75515981bf1fcb8c61  http___technolib.ru_gakjym0q
8de4c7c0f5311931dc60e93e44eb5514ca2cc6d2620cf17925e5d6810fdf705f  http___teekayu.com_q2q2j
efad1f97ee4d83ad52bcb7fbfdb17cca8a2d896e18d14df496596a68b5bedb23  http___tenney.cl_wezgxxo
a2c05488590a11e0ab52d831fa0f8a7e4e8ab8745011bbf2386dc31e6e4dd8b4  http___textilewarehouse.com.au_muo69p [4]
cf6dbac7a6198e54cbe46080dae5f4f9be1128285177cf5ff8211e0be72ddb22  http___tgr161.ru_tnjlpwmnw [2]
b2193a0fc158a4155da5b810ac480fc35aaf6b2905218b789600f9d2c6fbf611  http___thamtutuuytin.com_kn4mdmsfk
0b0b05117efd5037a374b33feb1be9041ce93ed72155bc150514ecc133ce6308  http___thanprints.com_pkovldxh
19913cf66b1d1788cc5e38461d588d145fee312c658b0cc7b4fa06dc6919fab3  http___thcsgoxoai.com_efwjh3
cbabdfbe830775cac4b579597f106c0ecc7e47d4dd57d8bf4bff201b01ecd940  http___tolgateker.com_guxintpw
aac19330ce1da2022ebfeb4400c95dbbd8a7f1df4423909db08174be0f5ed52c  http___topshop.ro_unwyavwq
8914439155aa85118a592bebbbdbd3dba436880c35aeee077b132317bc70b96a  http___touchstonelab.com_iw0ksm
f8935d0c5e0899fda1f6e62fa58e74f52b68af4f7ad365befd36d1ed83ba18f1  http___travicoperu.com_do7akjpjbw
3ad7d520dcb060bfd9f0761f8bb6a3a2bc93f39cc6c1eb37942291d9aee08a63  http___unit11apps.com_r46sglhwl
d89d772e725de9e7ce06a9c89f3f3296038bcdcaee4f81f32eb5bf3bb18750ba  http___universalwallpaper.com_qgoqud
4795ae50ae8b25169c878d05bad602d6bd212e7498dbe063adb6ab03653f37df  http___veatripsandtours.com_pupom [1]
d5afb9229f3103ec7a5907258e24d26a4c893721db0522ae35e5c332b2e9fad0  http___vershina24.ru_w3vqtp
479cf9d2a2d76c7af81002017f2926c7ba39c53f67a744c2d17305e23bb66041  http___versols.com_coeh2
4df355b23ca8d025f75b0c7f33d681b8e529aa381986db9aeda84ba8d34722bc  http___vipmarketing.co.il_dz42ua
3432c23dcbfedd5df26c6c100575b807875a35063446ff064bd9223a42f35f5f  http___vktechs.com_8ey2yv
7739ca6d237232fcf0b8da84c85600ac043cbe4bf7478563901c94857ce1e742  http___www.stavros.ca_2c99e
- decoded
0da3f3dde43003f407635d4140baf2f1e41cc5ddb5ec881daabf7b1317635e40 [1]
0bbe9bce3d1e72f93d4516eefc47e27f1674dfad20420590090c4a3fdced284f [2]
e534607c2a1c6c8da5ccda5c369026acdfd6388e84dd9fa340443f39c92e45ad [3]
b1064a5c4b30e85bf7d790e59fb91fcac51fa6dfc5795cff7a91a6542113ed09 [4]
- executed by "rundll32 %TEMP%<dll_name>.ZK, bfn35N3aI0ZQ"

C2:
POST http://46.8.29.173/information.cgi
POST http://91.201.41.145/information.cgi
POST http://95.46.98.25/information.cgi
POST http://aqhdswynqokn.xyz/information.cgi
POST http://cmcixuawryh.biz/information.cgi
POST http://dfppumthmgauwx.su/information.cgi
POST http://itoadnqgpbi.click/information.cgi
POST http://oqaxaeqq.su/information.cgi
POST http://saparsnjuyyfvq.click/information.cgi
POST http://tudnyxyatcyvle.pl/information.cgi
POST http://vpvmdcobxqdxcwha.pw/information.cgi
POST http://xnrixkvtlbdppp.ru/information.cgi