2016-11-09 Locky "unauthorized access"

1. 2016-11-09 #locky email phishing campaign "unauthorized access"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------
5. From: "Technical Support" <Hart.Maryann@fotoimpress.com.br>
6. To: [REDACTED]
7. Subject: unauthorized access
8. Date: Thu, 10 Nov 2016 04:27:45 +0700
9.  
10.  
11. Our technical support service has detected unauthorized access to your account.
12.  
13. Due to that, we had to block your account until you confirm your personal information.
14. To do so, please follow the instructions in the attachment.
15.  
16. Best Regards,
17. Maryann Hart
18. Technical Support
19.  
20. Attachment: "account_[REDACTED].zip"
21. ---------------------------------------------------------------------------------------------------
22. - sender email varies between emails, but the display name is always "Technical Support"
23. - subject is "unauthorized access"
24. - attached file "account_<recepient name>.zip" contain file "-<11 random chars>-.js", a JScript downloader
25.  
26. Download sites:
27. http://activedd.net/jwajv6c
28. http://adultmagstore.co.uk/ni6qoy
29. http://awlandneedle.ca/stxx2p
30. http://coilgalvalumemurah.com/uhcsdnw
31. http://crapevadim.net/0smgqp
32. http://crapevadim.net/3i82mns
33. http://crapevadim.net/5rnyr6
34. http://crapevadim.net/8i2osnan
35. http://cussocrane.net/4wiuzb
36. http://cussocrane.net/6rpdgx88
37. http://cussocrane.net/8zvl7k
38. http://dalezohak.com/0n8cbc25
39. http://dalezohak.com/5icsxofi
40. http://dalezohak.com/87v266v1
41. http://droolunkin.net/1c0pazr
42. http://droolunkin.net/4s5zv504
43. http://flowersleds.com/hyf02dk
44. http://frisors.dk/njve2
45. http://fuchang888.com/slkji2u1
46. http://g2cteknoloji.com/vrirs
47. http://game18.info/j2r5m0l
48. http://gdakompressor.com/p7krg
49. http://geist.fr/uizvqih
50. http://gesund-fit-leben.com/p9a1t
51. http://globaldoctors.asia/lzsyu
52. http://globissys.co.id/thf9ev0
53. http://gokkusagidagitim.com.tr/j1kh8u2
54. http://gomelnaushnik.com/p5vaz3
55. http://gpsoft.pl/nmubtxj2
56. http://gruppoeslabon.com.ph/uxm7f6
57. http://hdtv9.com/ig2dmg
58. http://hexinjituan.com/mmbk7
59. http://hgssyouth.com/q4oc57
60. http://homecreations.co.nz/jyarha
61. http://imein.net/dhu6n6h
62. http://inter-choix.com/dqxo37
63. http://mesdan.biz/dul8ox
64. http://mirohosting.ru/djgpep
65. http://nancyabout.net/0g1ek1
66. http://nancyabout.net/5c5sq1cv
67. http://nancyabout.net/6zt2ter
68. http://oxbridgemedica.net/in4mojc4
69.  
70. UPDATED:
71. http://alraster.com/pwbm6t
72. http://bj-fzwb.com/jl19nc
73. http://clubtug.com/jaxiqp
74. http://cussocrane.net/303yaja2
75. http://dalezohak.com/36to6x8
76. http://droolunkin.net/68ebze29
77. http://droolunkin.net/8ynuj2z
78. http://flexdeal.net/jp5yb0x1
79. http://forpap.pl/ztwuvt
80. http://frejasvej.dk/krcd6tig
81. http://gerardfetter.com/y2hu80k
82. http://gestuet-sterzer.de/xa33wd
83. http://gmaster.eu/efnl2j0
84. http://goedvanstart.nu/y00rqs9n
85. http://gokmasan.com/vsw4fg
86. http://goldencars.com.ua/gd0b1twp
87. http://goldenroots.net/hv3q97
88. http://greatgoods2.bravepages.com/ogbzq
89. http://groundfloorelevator.com/pvpje4k
90. http://grupodaf.net/nwnbzcnk
91. http://hamersleynetball.com.au/pbowsbhd
92. http://hartphp.eu/p9bbjo1
93. http://henriksen.mobi/h38ls0v
94. http://henrytye.com/z00vxq3l
95. http://icelandnavigator.com/a8b24gt
96. http://inadcod.com/abza9hk
97. http://ingrena.com/c74qgz0
98. http://jcsservices.in/cjvrang
99. http://jinanlingshi.com/fwrs63tv
100. http://kemerealty.com/bremab
101. http://leadcapital.net/ea7udmx
102. http://lichtliebe.net/cdnutna
103. http://luckyway.kz/dihiks
104. http://motomoto.jp/a76bspo
105. http://mvd-gmbh.eu/a4y9ytdv
106. http://nancyabout.net/35jsji2
107.  
108. Malware:
109. - NOT encoded on download
110. 10386534960e48f323b7cb839b9cebedc42d4dcec5198f9f1b3fd07f526cbbc2 http___activedd.net_jwajv6c
111. 48a00cc10db662b823db773ce1236ed36ecc09fb7f9ee04ecbadddd67445e88f http___adultmagstore.co.uk_ni6qoy
112. b5d1a88f0ed6de9bdb6de39967d6a9a2511ab30471e957b3eeedf2f95e7ffaa9 http___awlandneedle.ca_stxx2p
113. 36f17d877157098d3aa79797111954945807e4abf46709d5a995bf78b33c1b11 http___coilgalvalumemurah.com_uhcsdnw
114. c138951bebbc842080a8c2543aac682198898fc473a29bc8c15eddfdfbfc9f3e http___crapevadim.net_0smgqp
115. 0f52c691c6654f23a5801817c195d09f6208afb8532c31f4d110e74e709b6a9c http___crapevadim.net_3i82mns
116. 9b33b592af5bc9cf7f3cbe14032b861918c9b70c5f0efd0ca44892ec91dfdc2f http___crapevadim.net_5rnyr6
117. 289fed5cd98a39ac91d3bcc145edd8074097c9c23756041430c9b92167b9a49d http___crapevadim.net_8i2osnan
118. 13e51799a66f7c9075b57d82628a679b83747cf871a262cf4060e09f35c14f71 http___cussocrane.net_4wiuzb
119. 68ba856fe19e924fe0eea32216ee4dd794785323413a9026199a26e2fa0101b7 http___cussocrane.net_6rpdgx88
120. a4d2bbde120b4f7720006d8c897d888f8053002edebff8dd3b57d997a38cc97c http___cussocrane.net_8zvl7k
121. 3b71e8716fca3ca6ee415d029cca7d35848283931f3184f87fe8ab968b8e644b http___dalezohak.com_0n8cbc25
122. c30527133c8a9db4760ddb292a68c1929287d5d36c09eb7f829c2bbb38312b3c http___dalezohak.com_5icsxofi
123. 6840a647f4b8bad1a379e4ab3752904416f0964099785a3a227a80576223bb7d http___dalezohak.com_87v266v1
124. c322f5f3adb082f5c01a647f095fed71fabb5965bc9c7efa1036e9b04e37094b http___droolunkin.net_1c0pazr
125. b028101fcf75ff4c1920161b6614da191528351c1ee7e81b98842333e086819e http___droolunkin.net_4s5zv504
126. 918e3af3075e2bfd15d13ed6d120518b0493c824348a94206fe810a7d49b88c5 http___flowersleds.com_hyf02dk
127. 12f383b2d460513b89041c7fd67d135abbee3c0ce8a89a92625528dedd7e383a http___frisors.dk_njve2
128. 49cbadd331cfb2003ef6066ba11584b86db9f744379ff25c6106fbd9fc037269 http___fuchang888.com_slkji2u1
129. 8bcbc8157569f028d987f28422b7c24bd9bb0144134b40ca4c85f21569b45ce0 http___g2cteknoloji.com_vrirs
130. 187e06602b462ea5e5126373c4ca07496cc985d79af08e8d71c08f1ce0d84d00 http___game18.info_j2r5m0l
131. 56243ccda4c596e023c7f4b5ea9544a9f031ead1dc5280733e5a3661839c2eb2 http___geist.fr_uizvqih
132. c722d59a5839a840b25936d03eda69304a48964a88ada5809483f056d6bdcb75 http___gesund-fit-leben.com_p9a1t
133. e566ed60dd4450fa68257c04b1dafbce24c35474db98eafd0ac123df3ebcdc99 http___globaldoctors.asia_lzsyu
134. cf143edc17fb2aa91bc20671ec5c00c45a69e6db58a0c23682420d2170aff87a http___globissys.co.id_thf9ev0
135. 8d7750e3da114145e20f2f1599bc641f93a0efb87f23231754d675a501578daa http___gokkusagidagitim.com.tr_j1kh8u2
136. ce7672c41472ef02a543f9bac0e0aa6c0c00c924c0b6e3bd2026c747454a76f9 http___gomelnaushnik.com_p5vaz3
137. 94294786a5ec828f2464073cbe0d1f43224074f41424ea804d3ac77a2cd66a0f http___gpsoft.pl_nmubtxj2
138. c086f00fddce72ddb1c83072922ca05ceb4d11e669fdf91678317a554d3145cb http___gruppoeslabon.com.ph_uxm7f6
139. da6c4f4df0a2339aebe3779f3871350313dcf3075909f1a38064ad27dd4c6d8a http___hdtv9.com_ig2dmg
140. 6485a4f49b73272d908644393e9216e097d92c38a3ce0909283c8a4e0ecfcc59 http___hexinjituan.com_mmbk7
141. 160664a9a725f9a181155463b27bf59f3490d4c103c5e6a1b54876e21f51a910 http___hgssyouth.com_q4oc57
142. e3a8a2073d57e068d3575cae0cc9e873e30db1e3e5ecd559b5b7caea10e558f5 http___homecreations.co.nz_jyarha
143. 2fa9e5067de2183a6a5afb001303350703741bd86fe7ae9eb67470d5fabe6b09 http___imein.net_dhu6n6h
144. 973b493866b9cf43bdca172a5b3d0acb9d0ca1dd07277d71888ae29c556eb0ea http___inter-choix.com_dqxo37
145. 7b8711def3e629796a80655e0506a920e7e31306437b4fad1cc364b210fc374c http___mesdan.biz_dul8ox
146. bb2f143e022ea4d69c02320c77b61c1fd9258a7b39c5207bc746f459b4d9f724 http___mirohosting.ru_djgpep
147. 6b40443469482a2a9a113bcead2bfdd05e3f0af6c4d07a10fa101f5765214b69 http___nancyabout.net_0g1ek1
148. 4b062c7928434a92682ab75945e123d0f89a1e30d642911b56814b19cf58cb19 http___nancyabout.net_5c5sq1cv
149. c103912a6b21ebc7a88279e6fa3342090900b4fc86f58edb1f2531e01f82db1f http___nancyabout.net_6zt2ter
150. efe597cca43915da6f592f54cc1a9eca45f0963487e024571ffed04c2bab851e http___oxbridgemedica.net_in4mojc4
151. UPDATE:
152. 303386fb96e437deac8ed15a21869f51005652800d7ed4570908dc9f31e5b2c8 http___alraster.com_pwbm6t
153. 9b7374de7d30c29daaaf8d9fe0342c54acbd060f3dcceb3ff5bb21d32627dbef http___bj-fzwb.com_jl19nc
154. e37d7cec7f32529ad866c313d57ce59083f59af6d31056fd3fde7a9c54e27fdd http___clubtug.com_jaxiqp
155. 8537e362e04d60c233831ab8d0481c8f6c3c6dd2acb5411169e77e0297ceec5f http___cussocrane.net_303yaja2
156. 8aa62aa84bebfa50b0bcfff1db388fea6294277895b247ccf5fba186412c87e8 http___dalezohak.com_36to6x8
157. ed798054893604c2ea65ab5f4cc7cf9205d374298d6d3e779fc772d0388098fc http___droolunkin.net_68ebze29
158. 422005f4f79fd8f126cc775271992deba3bf2aab89a996f6fd5fcd0d93f319e9 http___droolunkin.net_8ynuj2z
159. 63cb79c477a5a0a7c10cfd43a8b43be9e8018edea5b350770eb802f56defd954 http___flexdeal.net_jp5yb0x1
160. ca407e0a1ae3488dd7fa9b804dfe539eac905557c6174fb225bd75bb3bbff731 http___frejasvej.dk_krcd6tig
161. a119b1e0bb7105de10a54b6761a9aedda469a84cbb737eb9fbe9cb64faea3531 http___gerardfetter.com_y2hu80k
162. c43d4f32130b93aa72565ae03bcff5d5913d3c20d590597e7cee17e3c8fbc0c1 http___gestuet-sterzer.de_xa33wd
163. c7aa3997b44e6de9dfe24736beaad94f460c388b40d4ccf9f9b93c522c91c203 http___goedvanstart.nu_y00rqs9n
164. 0fd7e09fe65cb0df63f71aa0ef2288c10ac7bf8f49e424b5904ea34d6384568d http___gokmasan.com_vsw4fg
165. cfcd3a2ceb5d57a8b43e08d39cf46aedb699a6326d24a9e1adcf157eb4a981af http___goldencars.com.ua_gd0b1twp
166. 1c2a471f165cb79a235681e5dbc35f25d4e43c2dde0243c0162cef850eb64f8f http___goldenroots.net_hv3q97
167. ddd91171123f393fa0d193ffb560f886b113a2250eb4558a8783bda756feb6a6 http___greatgoods2.bravepages.com_ogbzq
168. 016d6c6ead0a9fcc949fd7463215f9ff9418761805c08bf2c1d1febb8e0fbd20 http___groundfloorelevator.com_pvpje4k
169. 9728cb024f0f90516afbfae69d4fa58ef52bf06294d476c7d001b30d2ea127ca http___grupodaf.net_nwnbzcnk
170. 42adaf89220e9dd0d722ca9ecfe7c92f8430b0a784e790b76e944a87bb221e81 http___hamersleynetball.com.au_pbowsbhd
171. fb15fbeb89bbdfacddb306e75cd54109deb3b7cdee116464db9a98b18d9dadb6 http___henriksen.mobi_h38ls0v
172. ff6d5294e3232068b251a4978a4555c664d4c7ee0dd7626e4114c4bcac4452cc http___icelandnavigator.com_a8b24gt
173. cc8ce9c3ab19d135cb3180542bafd9373034de85fc09d61a06016e9246fac628 http___inadcod.com_abza9hk
174. 355c9e4425ff8353ec83ab9c6d76d5dc8b5e80319b9d21eeb734e4c37d6a59bf http___ingrena.com_c74qgz0
175. 78e9c9296085aa796926d191341bdde0a5d8753366ba5f6a66e36477cda39da5 http___jinanlingshi.com_fwrs63tv
176. 269591f9e8fbb6e5931d95ad30d9928f31fbc402f5a893deae3fafa7b98e7573 http___kemerealty.com_bremab
177. 053ee7d88d55384822aba01e8465bea6215b952aa3d9b78c7ca52b8528a05d50 http___leadcapital.net_ea7udmx
178. 639d43ceed61ff0408f75e1f2045271dcdb9e7729f6dc3b0f328209d5218e856 http___luckyway.kz_dihiks
179. 94fa27bb05fbf24562b65518c8eda8c5a2f0cee8a5269307e97f568a25af7b6d http___motomoto.jp_a76bspo
180. c9a1ff5290cee77ed6a2d283c85aaef73933f3b4ecfc5fdac64fe5cbad4d215f http___nancyabout.net_35jsji2
181.  
182. - executed by "rundll32.exe %TEMP%\<dll_name>,0003"
183.  
184. C2:
185. POST http://185.118.164.125/message.php
186. POST http://46.8.29.174/message.php
187. POST http://81.177.26.136/message.php
188. POST http://95.46.8.109/message.php
189. POST http://adyadpnsjfu.pl/message.php
190. POST http://bjexrtqfwdttwmofi.ru/message.php
191. POST http://btbbbronwn.xyz/message.php
192. POST http://kgfwjikcth.work/message.php
193. POST http://mavxalkphi.pl/message.php
194. POST http://nhatceafy.pw/message.php
195. POST http://njlyfcodghtsl.pl/message.php
196. POST http://oghrrfjm.xyz/message.php
197. POST http://ukyfejjac.work/message.php
198. POST http://wcusjikv.info/message.php
199. POST http://yieorxrtjtqr.click/message.php
200. POST http://ypfbqtf.work/message.php