2016-11-07 Locky "Scanned image from MX2310U"

1. 2016-11-07: #locky email phishing campaign "Scanned image from MX2310U"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------
5. From: "office@[REDACTED]" <office@[REDACTED]>
6. To: [REDACTED]
7. Subject: Scanned image from MX2310U@[REDACTED]
8. Date: Mon, 07 Nov 2016 13:43:48 -0200
9.  
10. Reply to: office@[REDACTED] <office@[REDACTED]>
11. Device Name: MX2310U@[REDACTED]
12. Device Model: MX-2310U
13. Location: Reception
14.  
15. File Format: PDF MMR(G4)
16. Resolution: 200dpi x 200dpi
17.  
18. Attached file is scanned image in PDF format(RAR archive).
19. Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
20. Adobe(R)Reader(R) can be downloaded from the following URL:
21. Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.
22.  
23. http://www.adobe.com
24.  
25. Attachment: "office@[REDACTED]_20161107_134348.zip"
26. ---------------------------------------------------------------------------------------------------------------
27. - sender address is office@<recipient's domain>
28. - subject is "Scanned image from MX2310U@<recipient's domain>
29. - attached file "office@<recipeint's domain>_20161107_<6 digits>.zip" contains file "<3 uppercase chars><5 digits>-<4 digits>.js", a JScript downloader
30.  
31. Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download):
32. http://365aiwu.net/hgf65g
33. http://adriandomini.com.ar/hgf65g
34. http://agorarestaurant.ro/hgf65g
35. http://anagrual.es/hgf65g
36. http://arrefrigeracao.com.br/hgf65g
37. http://arxaggelos.com/hgf65g
38. http://asiawing.com/hgf65g
39. http://asirio.es/hgf65g
40. http://atforum.pl/hgf65g
41. http://avon2you.ru/hgf65g
42. http://ayurvedic.by/hgf65g
43. http://bajkowedekoracje.pl/hgf65g
44. http://bappeda.palangkaraya.go.id/hgf65g
45. http://beautyexpress.com.au/hgf65g
46. http://bielpak.pl/hgf65g
47. http://bogaziciradyo.com/hgf65g
48. http://casaxavier.com.mx/hgf65g
49. http://certop.hu/hgf65g
50. http://chandrphen.com/hgf65g
51. http://cheedellahousing.com/hgf65g
52. http://chinaeyes.net/hgf65g
53. http://city-hospital.com/hgf65g
54. http://comovan.t5.com.br/hgf65g
55. http://corinnenewton.ca/hgf65g
56. http://cozyculmy.com/hgf65g
57. http://dannyvanleeuwen.nl/hgf65g
58. http://diandiandx.com/hgf65g
59. http://drmulchandani.com/hgf65g
60. http://dtfxggsc.com/hgf65g
61. http://dwcell.com/hgf65g
62. http://dzwiekowe.com/hgf65g
63. http://edubit.eu/hgf65g
64. http://efabryka.net/hgf65g
65. http://eldamennska.is/hgf65g
66. http://eribusiness.com/hgf65g
67. http://eroger.be/hgf65g
68. http://esustentables.com.ar/hgf65g
69. http://fashioncheer.com/hgf65g
70. http://fibrotek.com/hgf65g
71. http://flirtkurs.ch/hgf65g
72. http://freemailguide.com/hgf65g
73. http://frejasvej.dk/hgf65g
74. http://frumiel.cl/hgf65g
75. http://furniturefactory.lk/hgf65g
76. http://g2cteknoloji.com/hgf65g
77. http://g2el.com/hgf65g
78. http://ge3epmup.ru/hgf65g
79. http://geist.fr/hgf65g
80. http://gerardfetter.com/hgf65g
81. http://gestuet-sterzer.de/hgf65g
82. http://globalem.asia/hgf65g
83. http://globissys.co.id/hgf65g
84. http://goedvanstart.nu/hgf65g
85. http://gokmasan.com/hgf65g
86. http://goldensad.ru/hgf65g
87. http://gossipsjunction.com/hgf65g
88. http://gpsoft.pl/hgf65g
89. http://groundfloorelevator.com/hgf65g
90. http://guusdam.nl/hgf65g
91. http://hairflicksmodelphotography.co.uk/hgf65g
92. http://hanami.cz/hgf65g
93. http://happyhands.ru/hgf65g
94. http://hayber.com/hgf65g
95. http://henrytye.com/hgf65g
96. http://hgssyouth.com/hgf65g
97. http://hogsmeade.ru/hgf65g
98. http://holmebjerg.dk/hgf65g
99. http://magical-connection.com/hgf65g
100. http://mospi.ru/hgf65g
101. http://pillorydowncommercials.co.uk/hgf65g
102. http://termoskan.ru/hgf65g
103. http://tw.wapv.net/hgf65g
104.  
105. UPDATED:
106. http://bst.tw/hgf65g
107. http://codanuscorp.com/hgf65g
108. http://gruppoeslabon.com.ph/hgf65g
109. http://gzzzsm.com/hgf65g
110. http://happymedia.vn/hgf65g
111. http://hjarne.dk/hgf65g
112. http://m.geology.kg/hgf65g
113. http://nsrcconsulting.com/hgf65g
114. http://pastelesallegro.mx/hgf65g
115. http://xiguacity.com/hgf65g
116.  
117.  
118. Malware:
119. - encoded on download, SHA256 e755250d252922ff8111d59c0cb929dc3933d57d4fa26ac542fca192285cb81b, MD5 d21cf8c4a6afe9ff540d94a4a78c1f4b
120. - decoded SHA256 9ceca8d84f947b713910ce4b7a961e875e63284ca0f913bec845b65fedd4730f, MD5 b137f7d1acc5928664e2c5ae361be8df
121. - executed by "rundll32.exe %TEMP%\<dll_name>,SetText"
122. - samples:
123. https://www.reverse.it/sample/42463692f4dba0a50fb1e457632295b83f829b413aef68f7e4f8ba533aec6317?environmentId=100
124. https://www.reverse.it/sample/e74efba840482806095911cc907d0694f2ac8c9c1b76cbf9ae5d9e95388b8554?environmentId=100
125. https://malwr.com/analysis/ZjNlNWY0Y2UwMmZlNDc2N2FjNzdkZDU2OTM1NTZmYjM/
126.  
127. C2:
128. POST 81.177.27.222:80/message.php
129. POST 176.103.56.120:80/message.php
130. POST 81.177.180.53:80/message.php
131. akufldsjlcyntbtq.biz
132. pdqgefjnekpydy.su
133. cscdomk.ru
134. gowcifwxytc.biz
135. xcvrhfingmenyt.su
136. thexaiugfckdpdr.ru
137. sfsljbulrimpk.su
138. upepdgqcxrtsjxu.pw
139. bappeda.palangkaraya.go.id
140. kcjgdxep.pw
141. rqppmufvesfrs.org
142. fwyecrapmwiescamb.info