Racco42

2016-09-12 Locky "Please find attached invoice no xxxxx"

Sep 12th, 2016
2016-09-12 #locky email phishing campaign "Please find attached invoice no xxxxx"

Email sample:
---------------------------------------------------------------------------------------------
From: <document@kingdomhomesrealty.com>
To: [REDACTED]
Subject: Please find attached invoice no: 1636918
Date: Mon, 12 Sep 2016 15:12:40 +0530

Attached is a Print Manager form.
Format =3D Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

Attachment: pm4B0A43B7.zip
---------------------------------------------------------------------------------------------
- Sender address is "document@<random domain>"
- Subject is "Please find attached invoice no: <random number>"
- Attachment name "pm<random hex chars>.zip" contains file "<random chars>.wsf", a JScript downloader

Download sites (actual URLs have suffix ?<random>=<random> which does not influence the download):
http://abcdraw.biz/8fh34f3
http://adasurgical.com/8fh34f3
http://agileprojects.ro/8fh34f3
http://annurmaheshphotography.in/8fh34f3
http://ativa3.tempsite.ws/8fh34f3
http://aycilinsaat.com/8fh34f3
http://bangbang55.com/8fh34f3
http://biogreentech.in/8fh34f3
http://cardimax.com.ph/8fh34f3
http://cbautocare.com.au/8fh34f3
http://clickroses.com/8fh34f3
http://craskart.com/8fh34f3
http://dashingleather.com/8fh34f3
http://demo.hubliclick.in/8fh34f3
http://eaglecorp.nl/8fh34f3
http://files.mostafaahmadi.ir/8fh34f3
http://gift2belgaum.com/8fh34f3
http://goldenladywedding.com/8fh34f3
http://gunturnayeebrahminemployees.com/8fh34f3
http://herosoft.biz/8fh34f3
http://hostit.co.in/8fh34f3
http://iandiinternational.com/8fh34f3
http://jmetalloysllp.com/8fh34f3
http://mimiphotography.com.au/8fh34f3
http://mylespollard.com.au/8fh34f3
http://nimantha.16mb.com/8fh34f3
http://npinfosoft.16mb.com/8fh34f3
http://onlinepurohit.com/8fh34f3
http://perfectfixuae.com/8fh34f3
http://platformarchitects.com.au/8fh34f3
http://platforms-root-technologies.com/8fh34f3
http://pmlojistik.com/8fh34f3
http://samssara.com/8fh34f3
http://sasmgs.org/8fh34f3
http://scpolytechnic.com/8fh34f3
http://site1382371826.provisorio.ws/8fh34f3
http://sowhatresearch.com.au/8fh34f3
http://syamasahithi.com/8fh34f3
http://synergywaterproofing.com.au/8fh34f3
http://thepodiatrycentre.com.au/8fh34f3
http://Ungelie.com/8fh34f3
http://utsavi.net/8fh34f3
http://vajrammatrimony.com/8fh34f3
http://wamasoftware.com/8fh34f3
http://www.alfajerdecor.com/8fh34f3
http://www.ausaf.pk/8fh34f3
http://www.jmetalloysllp.com/8fh34f3
http://www.mehrabtech.ae/8fh34f3
http://www.pstimes.com/8fh34f3
http://www.villakeratea.it/8fh34f3
http://yesiloglugrup.com/8fh34f3

UPDATE
http://adss30.net/8fh34f3
http://allcateringservices.in/7g6bubt7v
http://anatoliamaket.com/7g6bubt7v
http://biogreentech.in/7g6bubt7v
http://citycollection.com.tr/7g6bubt7v
http://clickhubli.com/8fh34f3
http://cloudrepublic.com.au/7g6bubt7v
http://dashingleather.com/7g6bubt7v
http://flexfitent.com/7g6bubt7v
http://jmetalloysllp.com/7g6bubt7v
http://kitsgnt.com/8fh34f3
http://livewebsol.com/7g6bubt7v
http://mysoregiftsflowers.com/8fh34f3
http://nysekolintsika.mg/8fh34f3
http://partyeazy.com/8fh34f3
http://safiazsports.com/7g6bubt7v
http://supperuploadtestspeed.ws/7g6bubt7v
http://thepodiatrycentre.com.au/7g6bubt7v
http://www.alfajerdecor.com/7g6bubt7v
http://www.jmetalloysllp.com/7g6bubt7v
http://www.mehrabtech.ae/7g6bubt7v
http://www.pstimes.com/7g6bubt7v
http://www.rajashekharkubasad.com/8fh34f3

Malware:
- encoded on download, SHA256 9aab0aad08ec9b196179bb1b194d37760799d08e089c388f6fb65df9b89a7b97, filesize 81920 bytes
- decoded SHA256 1e278e78a4261ebd65d2fc9b2d477bb8c19e15a22aea669947b531859cd12216

https://www.reverse.it/sample/69bbca6819987f751269dec8b8019a04e63c0d59cdc3c9c344cff0d8a0313835?environmentId=100
https://www.reverse.it/sample/151a35b7e546a56a717bf11c48ee19b705ef035d55e7444056d617b7f52ae928?environmentId=100
https://www.reverse.it/sample/9fc210ac919ba861819cb45f14f2ba5c58dc624d01ff2fb1a63de91d26ada074?environmentId=100
https://www.reverse.it/sample/063c0da1b3f06e1c6714ac94b782f1b7e82189ebea42e33cf9d753cb53959bfe?environmentId=100

Locky itself seems to be downloaded from http://shagunproperty.com/1.dll
https://www.reverse.it/sample/89e156f42cd465a1af2d927aa59a0d65789b2321ae1a45a0485801a6535a9fe7?environmentId=100