2016-11-24 Locky "It Is Important"

1. 2016-11-24 #locky email phishing campaign "It Is Important"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------
5. From: "Johanna Lane" <Lane.Johanna@chello.pl>
6. To: [REDACTED]
7. Subject: It Is Important
8. Date: Thu, 24 Nov 2016 23:48:31 +0200
9.  
10.  
11. Dear [REDACTED], we received your invoice but couldn't pay, because your requisites were invalid.
12. Sending you the report of the problem - please open the attachment and check the data.
13.  
14. Attachment: INVOICE_[REDACTED].zip -> HQ5ny050un8d.js
15. ---------------------------------------------------------------------------------------------------------------
16. - sender varies between emails
17. - subject is "It Is Important"
18. - attached file "INVOICE_<recipient name>.zip" contains file "HQ<6-10 lowercase letters and digits>.js", a JScript downloader
19.  
20. Download sites:
21. http://3g.jspfjgw.com/wmzidibooy
22. http://bootyculla.com/b1mj2xqjk
23. http://bootyculla.com/nbuvz8xkm
24. http://bootyculla.com/ymuo2cer4d
25. http://cafiztarea.com/jtabjmaj
26. http://cafiztarea.com/mmxirkmk7
27. http://cafiztarea.com/yengb
28. http://facerecognition.com.ba/hat1oyh
29. http://goedkope-ledlamp.nl/xr3t4caar
30. http://hundeschulegoerg.de/1vtdm
31. http://hylegmassy.net/5b0fnjcsn
32. http://hylegmassy.net/ehv30ei
33. http://hylegmassy.net/k8wml
34. http://indospyshop.com/ztdxo
35. http://irangood.com/ului3
36. http://jinghaishipin.com/az83x
37. http://kyrre.cn/wrgbwvo
38. http://mavisehirrotaract.org/zvev0iep4
39. http://merchhora.com/9pbfgnvs
40. http://merchhora.com/fxzvpl
41. http://merchhora.com/t6z2sxx4l
42. http://merchhora.com/wzaho5ege
43. http://pivno.com/lya2n
44. http://placezebub.net/1cim89hw02
45. http://placezebub.net/9kzjlsgo
46. http://placezebub.net/jmctszw
47. http://placezebub.net/mmf90e
48. http://puttechnologies.com/jdhvq
49. http://rapidnet.ir/9r93z2o4h
50. http://repka.eu/rbbpv3
51. http://restauranttajmahal.ca/n1olvhzv
52. http://ruangmobil.com/69ch7cdotx
53. http://safedeal.pl/ebmagqp6
54. http://sanjustoshopping.com.ar/dknlgj
55. http://satthachkhe.vn/lb7wdbf1j5
56. http://secur.ph/52neky
57. http://shomesofa.com/hef8o
58. http://signdepot.com.au/ng5xtw
59. http://sitivisibili.it/oba8pydv5d
60. http://softgallery.dk/nnbl6hs
61. http://sonajp.com/8bbkhh
62. http://soulchance.com/in9r3aq
63. http://starbizz.de/bwvufbjt
64. http://stservis14.ru/dv8j7ssg
65. http://studio11.cz/nkqbin
66. http://sungbocne.com/tnqkloosom
67. http://svegev.ru/hbsojx
68. http://szgoland.net/02otaburm3
69. http://szycfj.com/c1a9g
70. http://tasct.ru/gx7ztgu
71. http://templeofrefuge.net/ohktld
72. http://thenomadhostel.com/ivxvu
73. http://thinx.net/pj01w
74. http://todos.com.au/5tcucsg5
75. http://tokomuslim354.com/cmbenp
76. http://tuurbo.be/fpw3vg
77. http://tx318.com/rdovdebb
78. http://tybor.hu/05to8h3n
79. http://use-inc.tv/5zzfgcvtgm
80. http://vanniersen.nl/qua34ymo
81. http://veinteproducciones.com.ar/0mq3ce
82. http://vesan.info/dqc4tvtrg
83. http://vitreus.nl/hu3sdurj
84. http://v-maxautos.nl/ntkv9j
85. http://vmg.jp/olnucf
86.  
87. Malware:
88. - encoded on download
89. cc9baf7090b19f6ac7e9570d2b751e5113fbeb7d33065b612f2494ac7b68ba79 http___bootyculla.com_nbuvz8xkm
90. 85056f50cd70fc3862d3a635d5366873f15116ee02ebf8d5f425dc23454e870a http___bootyculla.com_ymuo2cer4d
91. 86323006b3f07e0e6673405bc2c95feb789dda5da760dee1e20d5b0ce5854baf http___cafiztarea.com_jtabjmaj
92. 6dfdc2bcf7d4c622322a41443a75712e4f191039a6495989135e523854b86990 http___cafiztarea.com_mmxirkmk7
93. ee5334fe5ff2b072830514b2371398ae9e6c6f8ee1016f6766a5fbac1e73502a http___cafiztarea.com_yengb
94. 7dbd5eab44224edf2fbef12e604c36a8388c7e9dba16bdcdd06055611f9d5ce2 http___facerecognition.com.ba_hat1oyh
95. b0337e6243b5240566bc1e4ad6a32540b08f38ffaaa200cda7373e8be2ecf18e http___hundeschulegoerg.de_1vtdm
96. 07351493db12d50aae1ee595a2ed46658c9a3ec75b421ba5038ab1967d13ffa6 http___hylegmassy.net_5b0fnjcsn [1]
97. d67c692f34953d5c85c7c6831fc6a88cb6255aeab67586d58027d80fda776ba4 http___hylegmassy.net_ehv30ei [5]
98. a2ecc828524d3da3f71a8a5e347049bc4555c9375de43b49822e47c0a1cb8c16 http___hylegmassy.net_k8wml
99. c4b7548025eceae7f250ab3a7a4871a5f7550fa4cc88d57b50435c3f518114ae http___indospyshop.com_ztdxo
100. b6c0a86c01c6f7bb67b40af715815717629b3789779d9565b7ab2a396d7f3db7 http___irangood.com_ului3
101. 7d69b153a0bf8c44448f12f664b1c137231a3a8a548d272e51dd896a1eafc1e8 http___jinghaishipin.com_az83x
102. a7cec055ddfb96e651100510df38449b8857927983c5aa776544a5bdf5ba289e http___kyrre.cn_wrgbwvo [4]
103. 1a7ec167b97c6f80195a887bc93c8426bc43cf773b276cf3e770d2e5bfa6948d http___mavisehirrotaract.org_zvev0iep4
104. facebed5e5743fdaea986bb206065611ec83c496824a401d0b9de0615eee0e12 http___merchhora.com_9pbfgnvs
105. 46388a6d2240c40aa6457fe2698865cab4ba5e8be710c61d0f10525bd722d36c http___merchhora.com_fxzvpl
106. 7ce770ce96d8ab155d9ae9b77bbb6b8a72f0b832b21284466569c933b06558bd http___merchhora.com_t6z2sxx4l
107. 5d5ca2f48972e7288372c8116ff8ed293736904c6ebd8fb5376d0ef1daea5b6b http___merchhora.com_wzaho5ege
108. 28e4832273a18e78bc17c0e6118b39c1b245eaf427d0bf211ab5b1486cbf9145 http___pivno.com_lya2n
109. f53cd32b8fe4a5d3bba15c659040335ef3b454c1c82dcc9f1bb42f2df501f5fb http___placezebub.net_1cim89hw02
110. 2c48cd3dea61fbfb9f36700e801c25f0e1bda7bac8f34f76f212d525ac2f3bde http___placezebub.net_9kzjlsgo
111. 62c8fcf7a0e3bd5755a63a379a4b7524e5b0ec6412dc53c50f657ac94bd3e54c http___placezebub.net_jmctszw
112. 10286349ee48593c5f0e165dea68146a11d6b3958daecf0b73a67b5878e75db6 http___placezebub.net_mmf90e
113. cc329a34429d33b71ede4e0bad89a4472f76e1f53c50c3bf0dc136664886279d http___puttechnologies.com_jdhvq
114. c6f3b089191fc291db2b063f0bf5b55704f8b72ceb10e32c3b231e833805f719 http___rapidnet.ir_9r93z2o4h
115. f9f4729c54a17ddcc71d663b347e1e2989f0a5cdcd10cf5294bdde0cb3a49ad0 http___repka.eu_rbbpv3
116. 69d54428356afdc515610dd5b2f0b4000d30854482513bb88587b480a733472c http___restauranttajmahal.ca_n1olvhzv [2]
117. 7b3f71c16bdd6464495fad1464111b3b20d2d0849ff9dbc956a5fd0a0ebdae4c http___ruangmobil.com_69ch7cdotx
118. 8fd008552d902854c8678c63b465ee957d79ca0cf95a1799be609eb37ebacfb7 http___satthachkhe.vn_lb7wdbf1j5
119. 660bd99fdb348f5e81b024659dba9de2978f2866c71aa2063d34a25c55297739 http___secur.ph_52neky
120. 5aea84ed21f86af7c359850b6a41fc100e718a823ae88ee1a1cefaa149cb8cdd http___shomesofa.com_hef8o
121. f70cd92f0b153e17d31988b3148601b5cd2f17e12e4c2c80ec4e76682b4a8b10 http___signdepot.com.au_ng5xtw
122. 24c968a52d5ebad18ed4cc08318ac9eaf1225c190341a4da5e3660fc38a81a7b http___sitivisibili.it_oba8pydv5d
123. 0d81b58799281662cc4c29fa9826b9917cbeff9c827774415ecdff42c50c2d91 http___sonajp.com_8bbkhh
124. c7d399d798af2a28869f081ad31944628d5e2422d4c9703f3ea83e64317a3a95 http___soulchance.com_in9r3aq
125. c8ce4158dbcc0f9b8400dbd07cc69c88e257793efa3b205fec6f8a29fc463e2d http___starbizz.de_bwvufbjt
126. 5e37230034e664e1a68ea7c88c9c3aca3cbd8392a1718d4380f416c22f532934 http___stservis14.ru_dv8j7ssg
127. 0a684d2e31dc74d7468e39faf03560ff9049d63edc291afa93dad941da3faee2 http___sungbocne.com_tnqkloosom
128. 0966728fa346c02b6afa798b31bb7d45dfe1a6b00f68e4799a95dffc8d63c41d http___svegev.ru_hbsojx
129. e65a1a01ff549ddccd12c386716a9cb3f448c83ac7ba3c81568b4f5c3a197669 http___szgoland.net_02otaburm3
130. 44da6e326e4542527b572db4e3ae2882eccf4197497a796611b7edaecd13c4e6 http___szycfj.com_c1a9g
131. 61bc485a912d951388bf64991cd3439af8d68abb24550dd9a181a8659eeab3f5 http___tasct.ru_gx7ztgu
132. ec00b10818020180b9d6c3aebe28ebf657e9f1535b1a82b0eb259633c7e515c7 http___templeofrefuge.net_ohktld
133. de9cf1e2c2570c170d199ab65f9bc9dd61e7916af4816059c545cc2991779f2e http___thenomadhostel.com_ivxvu
134. a837cb97da8555032ac272d9308dcb7842672fb220f27e3fe3807a7cd8c20235 http___thinx.net_pj01w
135. f0dbd88352761884995c91316b7a5e766d7e049e21a88ed70d983c6c30869498 http___todos.com.au_5tcucsg5
136. 656753b6004dce131f598688f1b095a5f53dfeec506b50ff69682e0609908228 http___tuurbo.be_fpw3vg
137. ad14b9ab441a68f58eb726d16053a4d8bb26d185ec9176f161ebca6cfb98d7ab http___tx318.com_rdovdebb
138. aafd6c6b4cb3252b4f2a184c7a1335cee87f486795364f94c5055ca04a2faea1 http___tybor.hu_05to8h3n
139. 6c2f811a59a059fc91c67b910e80caa83a31f8d5c73621901bc9f0a48500f32f http___use-inc.tv_5zzfgcvtgm
140. 240a73794169a7ed2db5689e8075069d17ad16404ce034aaba7d8a294c61c990 http___vanniersen.nl_qua34ymo
141. fcdec3ab55de9ee43f40118ee04a8117d5084b39e26a5a7fd418c03ab300f59d http___veinteproducciones.com.ar_0mq3ce
142. 598e7785d3670b065c0a56d572624f2500b5ff996e46716eeb1f321261bca857 http___vesan.info_dqc4tvtrg
143. 2c03aad65df0bfe9937ca7a2ff3c5120e0a14ac7f42ac7ab0ddab50b5f5c50f2 http___vitreus.nl_hu3sdurj [3]
144. 4d65fa2a1095b437843a82e7eb3e8dc10775c9ac912631c5acc82bc463373eff http___vmg.jp_olnucf
145. - decoded
146. e39bd6b145ac646cf8c8460c1494fde246021318e18a5dbaf6794ee98956b418 [1]
147. 224b92da17c0cb840fac104c9f67db232ef80322d25e79234d6e8ad7847ccc26 [2]
148. 09ff1b77b8dd328911ab3ea26cda0e28b5915d2c9b8a9877660bf2650ae24aa6 [3]
149. 6568b42264f4fee73ce38f0dfff20c8e91a51ad46f816b848c406d3d6c68df44 [4]
150. b2f65e335daf974fe60721477b5d2dd50bb5cff112960fa9bcbef62fb16a81e2 [5]
151. - executed by "rundll32.exe %TEMP%\<filename>.TDB,XdOcCdlIifIMemtkFvwU"
152.  
153. C2:
154. POST http://213.32.66.16/information.cgi
155. POST http://31.41.47.48/information.cgi
156. POST http://89.108.118.180/information.cgi
157. POST http://dilligui.work/information.cgi
158. POST http://exteeesraces.pl/information.cgi
159. POST http://fqxuvkvewpbviyj.ru/information.cgi
160. POST http://fuysxitehsvvsfrm.su/information.cgi
161. POST http://krynwyjfuxkps.ru/information.cgi
162. POST http://lkcoblc.xyz/information.cgi
163. POST http://oiadbvb.pl/information.cgi
164. POST http://qlugdeggyymvijhk.su/information.cgi
165. POST http://tdaxctajqqm.biz/information.cgi
166. POST http://vmugcaannmix.work/information.cgi
167. POST http://xvkwjfhuen.pl/information.cgi
168. POST http://xxgudduntlgwhsf.pw/information.cgi