2016-11-21 Locky "Receipt"

1. 2016-11-21 #locky email phishing campaign "Receipt"
2.  
3. Email sample:
4. ------------------------------------------------------------------------------------------------
5. From: "Kristopher Livingston" <Livingston.Kristopher@elementeight.com>
6. To: [REDACTED]
7. Subject: Receipt
8. Date: Mon, 21 Nov 2016 17:27:18 -0200
9.  
10. Hey there. I transferred money to your account. Please check it out at =
11. the earliest possible moment.
12. For that, open the receipt I've attached.
13.  
14. Later.
15.  
16. Attachment: transfer_[REDACTED].zip
17. ------------------------------------------------------------------------------------------------
18. - sender varies between emails
19. - subject is "Receipt"
20. - attached file "transfer_<recepient name>.zip" contains file "<random upcase chars>-<random upcase chars>.js", a JScript downloader
21.  
22. Download sites:
23. http://ablerkeawe.net/4sbcti9e
24. http://ablerkeawe.net/7bikbjivr
25. http://ablerkeawe.net/bmh9z8ek
26. http://ablerkeawe.net/n7coe
27. http://alamanconsulting.at/dhwe6and1
28. http://ayso722.org/yenon861
29. http://cuordicioccolata.com/zwxzq3d
30. http://dangdika.com/1besn
31. http://dangdika.com/mn3x8nkv0g
32. http://dangdika.com/xclh8ia
33. http://dangdika.com/xxdswup
34. http://doughdata.com/vbubkput29
35. http://edu02.ru/uzwjx
36. http://emdrozd.net/uwrecjic
37. http://espansioneimmobiliare.com/zq6xw3mi3y
38. http://fazendacristal.com/xcpidywxz
39. http://gerardfetter.com/vl8s7d0e
40. http://grandfm.com/zlhmy4dq
41. http://guymorgandaily.com/xjwgh
42. http://hfhhk.com/xaox8be
43. http://hosimin.com/l10nzv
44. http://hubis.ir/cd2tvfn
45. http://icnvcopa.com/byddwdjk
46. http://identita.dk/h0vxv8zxh
47. http://iliebike.ro/ogqztl8
48. http://iluzja.pl/0byxmqj
49. http://indirimtakibi.com/17k5n
50. http://inspireyouths.org/tg3kzh
51. http://intensivo.nl/c1klzfc
52. http://internationalservice.ro/leg893
53. http://introfm.com/f1s0y
54. http://ipiasarnano.it/cthwsd
55. http://iptravel.net/5h63oeoy
56. http://irnetshop.com/dfvltrouq
57. http://i-school-tutor.com/3phcz44v
58. http://jpbroker.es/oxqtzrqhm
59. http://kexinbuy.com/q8rvf1dzxr
60. http://kidpublish.com/ftk5zaqp
61. http://k-koubunsha.jp/5vb4zq
62. http://klautorent.com/hunv2qqm9t
63. http://konya.ocart.co/kvcwgeajv
64. http://krucekpokrucku.info/bhke02u
65. http://kzprojekt.pl/hb3az2xwye
66. http://lanehmontgomery.com/obqa0iwzj
67. http://langzhong8.com/bbxicl5h
68. http://laszloiparcikk.hu/fmgqm
69. http://lihunyihou.com/qjc9vxc69
70. http://lomtour.com/iziet4l3
71. http://lvyeqingtian.com/auntes
72. http://manhtienphat.com/5ko2h
73. http://marinaensenada.cl/izb2fj1gox
74. http://mice.co.th/n96w5nl8y7
75. http://mildreddeskinsjewelry.com/itlgzij
76. http://mileswebhosting.nl/0b0cyt
77. http://minigal.cz/k0v3sxvys
78. http://moswomen.ru/ilteiri
79. http://multicombs.com.au/fvmbusvz
80. http://mygfiltre.com/k8w97ku
81. http://naturalcode-thailand.com/5py26ttl
82. http://nnptrading.com/tbfr7
83. http://noahapparel.com/pxggxtk
84. http://phaleshop.com/wpcnm4
85. http://tafiathiol.net/19p1knzx
86. http://tafiathiol.net/jxirmy
87. http://tafiathiol.net/kebxo
88. http://tafiathiol.net/z3jo7fwzu
89. http://tapersk.sk/vhu3cs5lf
90. http://tupsorva.net/9eytfon9
91. http://tupsorva.net/db5z4a
92. http://tupsorva.net/mzjlk
93. http://tupsorva.net/py6gfd
94. http://vyingouch.com/9m0qcj
95. http://vyingouch.com/c0jnk6
96. http://vyingouch.com/hqeaas
97. http://vyingouch.com/nseam1uiq
98. http://www.dominoassociates.com/ysojeahx7t
99.  
100. Malware:
101. - encoded on download
102. ec2152dbd6a49a1468be5a888d0fdfb407af0730e60b58dfd375313f9d29bfb0 http___ablerkeawe.net_4sbcti9e
103. d323b5bb27c15e5b98d186219de19c0c1194e6b8e4560180f3acd5c9051ee600 http___ablerkeawe.net_7bikbjivr
104. bfa8907cf4c991df64a1d69420456292ad4c98562ea4814c8da5030951b83b85 http___ablerkeawe.net_bmh9z8ek
105. 1228fc8465ff2d15434eadea98673fcf615c762a2a1d7b7df12bc66313dd7f26 http___ablerkeawe.net_n7coe
106. 67c4ccb963d9f002903c4192a6bc1e30b4a6a87690c19075b81cc9a757483148 http___alamanconsulting.at_dhwe6and1
107. 2ce82d2cf066efdf70d01234589bb7d2ba1cd136b30eba14fee5c23bdeee4a49 http___ayso722.org_yenon861
108. cfaa5a7561c36f440e79a2e3c7fb5b4439caa4b8ff0a86fa44ac89f46183a960 http___cuordicioccolata.com_zwxzq3d
109. 70e4dc73b1cdcfb9cadd004f8da9d25534e8516e9e9e9fd019d149f85ede0575 http___dangdika.com_1besn
110. c191a6c87975bebcae8681f5146e8103969e5660644f9bd28d429df83720b5f6 http___dangdika.com_mn3x8nkv0g
111. 8f125e292f06c846c435aa25632ff424a33aa9f489b1458f139c6927cb48d606 http___dangdika.com_xclh8ia
112. b3ec70a1c6262547ecdc7ee0f4aab1ff048691991059a01560c64ba8d9f6ebbf http___dangdika.com_xxdswup
113. f487fe5e6c2298d5b2c55fe19f585cd8edd11658447286e98fa7a146dfe80950 http___doughdata.com_vbubkput29 [6]
114. 83ef2110643ce33355f711c504611060fb0d743e2ea106693be9c4d0b3c90cc9 http___emdrozd.net_uwrecjic
115. a2b5d0fe84fcc2d21e59d051f8afee62171d1a736d2bbfd00e9871a2cbc4a043 http___espansioneimmobiliare.com_zq6xw3mi3y
116. fd0648f7e2af9b0b22fc6592cece14c4be18c76afaef4dda03669333b35e2194 http___fazendacristal.com_xcpidywxz
117. 6283c966640460efa0c4ee74cb115a5226d9042fb23c0e235ae92fcae4a85d18 http___gerardfetter.com_vl8s7d0e
118. 81dbbddf6c427cd64f4d3c1b0100c927030d245f53a4dda0dc81263b5f389270 http___grandfm.com_zlhmy4dq
119. 29f43541021dd698cb9beea8e58431b0c5f69fb8d4ec7b8ab47256727e8dd3bb http___guymorgandaily.com_xjwgh [2]
120. 637be0bfd4618fbfba15024c39ccf21fbf5df729df06eabb908878ee3a47ad2b http___hfhhk.com_xaox8be
121. 47c68175a32018286d0831b51664c94bee8fee00088eb7708955210195f426b0 http___hosimin.com_l10nzv
122. 29af183c15b27a697631ce70e3cee13c2e7042363f33dcfb6936a3da22cff0cf http___hubis.ir_cd2tvfn
123. ad937024fab8a5eb20ab048c4eaa6b89fd2cd21019b60def39a3552cf02b50bc http___icnvcopa.com_byddwdjk
124. 70a4494db2a649f6936220f89acc10d54ceaa65116c7db03f390b88fb92987b5 http___identita.dk_h0vxv8zxh
125. 47557982b327cd3cd7f5cdfe3376228feda51ed2f1d6fddad26beebac3a19db7 http___iliebike.ro_ogqztl8
126. 3cf4dc7d0e7f34a1305880c703e3fc6f4432e47e8ef17b58bfa10b691140c436 http___iluzja.pl_0byxmqj
127. e6d7846070708485cb02c497c485da70f05259df2bd3bc024a2e750fc35ea464 http___indirimtakibi.com_17k5n
128. 7c6be0cf81f2207741745b87b315b99395360f5dd86fe7a6b0a66bdbf8dedeb0 http___inspireyouths.org_tg3kzh
129. 06680190d34f995cf2ed7ca5a4a3841c3ceddf135b41fcd94309eda1b1213e12 http___intensivo.nl_c1klzfc
130. 5b380a3cd7f5a3a5b26abc6aa54376af55707a3b6b3ae751ac522ef9deada37f http___internationalservice.ro_leg893
131. 7c45cfb9665f76c44b24a3ea614b04bad5afd95e98fc223e9d746c07acb541d6 http___ipiasarnano.it_cthwsd
132. c43b6bdd54b09f50f1f0a3f5b363359af145e3d1635d9a1cd1cf0bc7def8f03a http___iptravel.net_5h63oeoy
133. ea030cbb311979d840f266feaa14a77e6c733914f9696918aedcec548b38b931 http___irnetshop.com_dfvltrouq
134. 643e8ccf8ed6aa27ade6518b330c396d231cba8a9988337aa84401c34a90859d http___i-school-tutor.com_3phcz44v
135. 469122afca9f535d9e229790e6c8060aad68a541ea0ecbaaf0abe508e39d7e83 http___kexinbuy.com_q8rvf1dzxr
136. 77fd9ce2d5ba3aa6832f100c27abc0dd174be0c19568255d07c8653a8b93b000 http___k-koubunsha.jp_5vb4zq
137. 7de296a2077ebaef55249ab8fc6dffc12895e748bad1a821bd4a66e1d6feb49e http___kzprojekt.pl_hb3az2xwye
138. 477b47bbfacbe82f08f1fd76c2e35e0ccd2766fa0bf6530499353221446e4ac9 http___lanehmontgomery.com_obqa0iwzj [1]
139. fdd8bf39d5e0980f06c013b2c843cb9e760170a993480cb7ec9f7f6bd2280d87 http___langzhong8.com_bbxicl5h [5]
140. be082d79284f5865c30969ffb9a8108c167ca8a7aca1d8b4c58960ddbd79221e http___laszloiparcikk.hu_fmgqm
141. 13b1b9498e1239cb655c8495641295bfb0bdf711f9714f1e8a49b077346bb9b2 http___lihunyihou.com_qjc9vxc69
142. 0343d830107b9fd0723c9a6d977d909d4cf0d941011ffe246e72b3a592b7829a http___lomtour.com_iziet4l3
143. 17456ca41efd06c8baf8b1ff690f731e97ed18044369f18b327c92ba76de700c http___lvyeqingtian.com_auntes
144. c1fbffccdd9c97163e475f7062045b0bf62845ae06566e4e67b38dcf9bedc72d http___manhtienphat.com_5ko2h
145. 3efb883ccd841399f2787138da74ec867839c2360e67415d8d53583e8b4c5965 http___mice.co.th_n96w5nl8y7 [4]
146. ac66fcd1589bfa7fbd971f710cfb3957dc43c0b9fa3bbdc12e3b8a5787c19c99 http___mildreddeskinsjewelry.com_itlgzij
147. abcdc6fccc3fb8f52df03246e1b3f4f85a15c88c752b666eb4bcbb87605c6ee0 http___mileswebhosting.nl_0b0cyt
148. 73bfc8e3e58a7ea3cc458101caa42d1e23df12a56410cfd7c4f8ee6b459a62ed http___moswomen.ru_ilteiri
149. c412a98bc6a806fd11dcd4e67f304c6f35004269b926ad1cb62a8ccc5649e4de http___multicombs.com.au_fvmbusvz
150. 67ee8c8e25a646f8640da3ff8488363cf1f81ef7dfc83351c116807ff5e2f178 http___mygfiltre.com_k8w97ku
151. 8e294ef21824f95f10faa6e666bc6b33bdc322750c57c5841b243c75cfef7666 http___naturalcode-thailand.com_5py26ttl
152. 00f44bb0cefe0b5660f9c4f3d71e202199766164f87579165c654346c0402b9f http___nnptrading.com_tbfr7
153. c20b839424dc1e41b233d311059d83809790aa15a426c3998f49311edc48cb59 http___phaleshop.com_wpcnm4
154. 5744e6c41586b2fa21d02f6f9f6dbd2bbf57b0c1824173063f1e11d05288a4a8 http___tafiathiol.net_19p1knzx
155. 0f02254710286f0f186d2949978bfd1da31f365b0d5d520f5f35c390391278c9 http___tafiathiol.net_jxirmy
156. 028c17cd6c66e1ec229e75380cb26e93cda840a57719eb01c4714c8893b5a400 http___tafiathiol.net_kebxo
157. 842222b3d9fd1a9b46746708792e7c3274f446ac856462f487c3dcbe647fe72d http___tafiathiol.net_z3jo7fwzu
158. 129b5761cfbdcc44788cc42ebc17d57dd4fe2b06033873cc9bb0ff536e1b2c09 http___tapersk.sk_vhu3cs5lf
159. 5ef325ce390b6b85f32a41fe0fac7b9824780baa5a2d4a63c0ecda9584ccb897 http___tupsorva.net_9eytfon9 [3]
160. 5901ff8659003524f79d7534ada7fa0cf29176647c27d1e385ea5b53e0f83efb http___tupsorva.net_db5z4a
161. 2e19deb665591e99b6a8a78c4c94cba265b22c49a57cbeddb77983b8af1fd971 http___tupsorva.net_mzjlk
162. 3de5e376ea0bc2b6de801bd7e31737337a1578517956ce33a4c48afb22f75a08 http___tupsorva.net_py6gfd
163. c5c977ae292a35d5e8fab141a4fa78cd3daddfdca4d1aba8e86f35eddf54d7f6 http___vyingouch.com_9m0qcj
164. ee94b6594ef8542f18c6a8ba21c9eadec11de2397945211c60b1faa1ef2e2f9f http___vyingouch.com_c0jnk6
165. 3734a3132c466975e15a28efae36f28e72af25d57088d780e4108345b2b26ff2 http___vyingouch.com_hqeaas
166. fae778bd4817a407912630b3cc2d63fc0fc656211203019adf8c7a00bde86be9 http___vyingouch.com_nseam1uiq
167. 5d7ed96459ab54d4856b19e112df91b0c603d287c45e17b6e9c6a748481ffb74 http___www.dominoassociates.com_ysojeahx7t
168. - decoded
169. 27394c9b788ec784ce8a91922dcc8df10ac477c55ff0a54e31561bb9ec16a548 [1]
170. 493cd254ed8c615e6776224ed47395a843e1a1681581dda8abb7cb7603c4b743 [2]
171. a631b35a7c0e22aa4b41961af156c28693b49f6fde605efb569ac67dfaf9ed38 [3]
172. 7b148054f7b4cca7a62b584051a7503b05baecfaf555f75ba4fa94561053f315 [4]
173. 27e62fe1b81712e670d53c89a9efa2acb20c4435dc4da171e1c5b828e7020751 [5]
174. 930c07c559386b26172cedc5739d8596231c49e46816950de46351c90a1db28d [6]
175. - executed by "rundll32.exe %TEMP%\<dll_name>,oSFS"
176.  
177. C2:
178. POST http://213.32.66.16/information.cgi
179. POST http://91.201.202.130/information.cgi
180. POST http://95.213.186.93/information.cgi
181. POST http://eoitfjhwkftjxnuax.xyz/information.cgi
182. POST http://frlxomgynyrewlp.su/information.cgi
183. POST http://hagjykjefuxpkmbgc.biz/information.cgi
184. POST http://hnwndsekxujq.org/information.cgi
185. POST http://kfddxkhlrlgtebjyq.pw/information.cgi
186. POST http://kobtjrfwvwksbnn.ru/information.cgi
187. POST http://mhedsgwklsandm.info/information.cgi
188. POST http://qpflnpogocdkgfi.org/information.cgi
189. POST http://rgkkumpjxphe.click/information.cgi
190. POST http://snshjrocbpo.ru/information.cgi
191. POST http://vlvpkbioma.pl/information.cgi
192. POST http://yasqujdmfvgjukv.info/information.cgi