2017-10-18 Locky "Message from xxxxxxxxxx"

1. 2017-10-18: #locky email phishing campaign "Message from xxxxxxxxxx"
2.  
3. Email sample:
4. ----------------------------------------------------------------------------------------------------------------------------
5. From: "Voice Message Server" <server@9455091376.[REDACTED]>
6. To: [REDACTED]
7. Subject: Message from 02083355385
8. Date: Wed, 18 Oct 2017 14:07:31 -0400
9.  
10. 18/10/2017, 14:07:31 PM
11. 61,{rndnum(1,1)}}-second message deposited by 02083355385
12.  
13. Attachment: Voice Message(02083355385.7z -> F641319669.vbs
14. ----------------------------------------------------------------------------------------------------------------------------
15. - sender address is forged to come from "Voice Message Server", from same domain as recipient - server@<10 digits>.<domain>
16. - subject is "Message from <10 digits
17. - body contain unexploded expression "{rndnum(1,1)}}"
18. - attached file "Voice Message(<11 digits>.7z" contains file "F<9-10 digits>.vbs" a VBScript downloader which will download from:
19.  
20. Download sites:
21. http://jeangurunlian.com/3g76fh
22. http://peopleiknow.org/3g76fh
23. http://petrochemus.com/3g76fh
24. http://rateventrithathen.infov/p66/3g76fh
25. http://stemcellenhancementresearch.com/3g76fh
26.  
27. Malware:
28. - locky ransomware, offline .asasin variant
29. - SHA256: 3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3, MD5: c0a4db485d6759fdaab0175157909e23
30. - VT: https://www.virustotal.com/file/3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3/analysis/1508346407/
31. - HA: https://www.hybrid-analysis.com/sample/3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3?environmentId=100