Racco42

2016-11-11 Locky "Emailing: _xxxx_xxxx"

Nov 11th, 2016
2016-11-11 #locky email phishing campaign "Emailing: _xxxxx_xxxxx"

Sample email:
--------------------------------------------------------------------------------------------------------
From: "Deangelo" <Deangelo.edmondson0@promotive.net>
To: [REDACTED]
Subject: Emailing: _9097097_27631
Date: Fri, 11 Nov 2016 21:48:42 +0530

Your message is ready to be sent with the following file or link
attachments:

_9097097_27631

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.

Attached: "_9097097_27631.zip"
--------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Emailing: _<digits>_<digits>"
- attached file "_<digits>_<digits>.zip" contains file "_<digits>_<digits>.js", a JScript downloader

Download sites (the actual URLs carry a "?<random>=<random>" query string, which does not influence the download):
http://3.ihenan.com/487ygfh
http://asrcargo.ru/487ygfh
http://canidtrove.net/487ygfh
http://house-of-quality.com/487ygfh
http://hpdnet.com/487ygfh
http://iarelative.com/487ygfh
http://ibluegreen.com/487ygfh
http://imckart.com/487ygfh
http://inedinburgh.com/487ygfh
http://ingservice.ro/487ygfh
http://inspire-consultants.com.my/487ygfh
http://itemweb.fr/487ygfh
http://itrechtsanwalt.at/487ygfh
http://jerabel.net/487ygfh
http://jinghaishipin.com/487ygfh
http://jndszs.com/487ygfh
http://jobgroup.it/487ygfh
http://jsharvie.com/487ygfh
http://jsydjc.com/487ygfh
http://jumeioo.com/487ygfh
http://juran.pl/487ygfh
http://jyxiangqin.com/487ygfh
http://karayurt.nl/487ygfh
http://kreanova.fr/487ygfh
http://landauglobal.co.uk/487ygfh
http://laundryonwheels.ca/487ygfh
http://lightmusic.pl/487ygfh
http://lingyuanbbs.com/487ygfh
http://linneo.eu/487ygfh
http://livinghealthyworld.com/487ygfh
http://lkis.or.id/487ygfh
http://lqbaihua.com/487ygfh
http://lrbj.net/487ygfh
http://lubrinor.pt/487ygfh
http://magicaltouch.co/487ygfh
http://malamalamak9.net/487ygfh
http://marketingnatural.net/487ygfh
http://mavisehirrotaract.org/487ygfh
http://maximumauction.com/487ygfh
http://mei-mei.jp/487ygfh
http://mervereklam.com.tr/487ygfh
http://midwaymetals.com.vn/487ygfh
http://minglian.ca/487ygfh
http://mohamedbelgaila.com/487ygfh
http://project-group.pro/487ygfh
http://relydorn.net/487ygfh
UPDATED:
http://luxurylivingph.com/487ygfh
http://microcontroller-cafe.com/487ygfh

Malware:
- the downloaded payload is encoded: SHA256 e28d23886e3b62fb9109fd74b836f92fd3dee31471b41db3c60bbf4a18f830d3, MD5 0c166763d7342acc2a36f5168ed9a866
- decoded payload (the DLL dropped to %TEMP%): SHA256 eb19e3967bca8a1e183aabb66684c97bc4798545e62d5ea51f57771af58f849a, MD5 844cd011920aa9d11b4ebbd4c800d2d8
- executed by "rundll32.exe %TEMP%\<dll_name>,app"

C2:
POST http://107.181.174.34/message.php
POST http://85.143.212.23/message.php
POST http://86.110.117.244/message.php
POST http://bnefhbdjcmsgv.info/message.php
POST http://flljyguqfd.org/message.php
POST http://hhhhjant.pl/message.php
POST http://hiuswnvgggbh.xyz/message.php
POST http://itupvhmnfieeqt.su/message.php
POST http://mqhscwgej.su/message.php
POST http://srdmhudpr.ru/message.php
POST http://wigcemgwepq.work/message.php
POST http://ynaqajdgxl.org/message.php
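The indicators above have a stable shape that a detection can key on without waiting for every compromised host to be listed: the subject and attachment naming, the constant /487ygfh path on every download site (the query string is noise), and POST requests to /message.php on the listed C2 hosts. The following is an added example, not part of the original paste, showing that logic run over constructed mail metadata and proxy log lines. The log line format, the client addresses and the host unlisted-host.example are invented for the demonstration; the hashes, paths and hostnames are transcribed from the paste (only a subset of download hosts is included, since the path alone is the strong signal there).

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the paste above.
SUBJECT_RE = re.compile(r"^Emailing: _\d+_\d+$")
ZIP_NAME_RE = re.compile(r"^_\d+_\d+\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^_\d+_\d+\.js$", re.IGNORECASE)
DOWNLOAD_PATH = "/487ygfh"      # identical path on every compromised download site
C2_PATH = "/message.php"        # Locky check-in, always a POST in the paste

# Subset of the download hosts from the paste; the path is the strong signal.
DOWNLOAD_HOSTS = {"3.ihenan.com", "asrcargo.ru", "jobgroup.it", "luxurylivingph.com"}
C2_HOSTS = {
    "107.181.174.34", "85.143.212.23", "86.110.117.244",
    "bnefhbdjcmsgv.info", "flljyguqfd.org", "hhhhjant.pl", "hiuswnvgggbh.xyz",
    "itupvhmnfieeqt.su", "mqhscwgej.su", "srdmhudpr.ru", "wigcemgwepq.work",
    "ynaqajdgxl.org",
}
KNOWN_SHA256 = {
    "e28d23886e3b62fb9109fd74b836f92fd3dee31471b41db3c60bbf4a18f830d3": "encoded payload as downloaded",
    "eb19e3967bca8a1e183aabb66684c97bc4798545e62d5ea51f57771af58f849a": "decoded Locky DLL",
}


def email_matches(subject, attachment, archive_members=()):
    """True when subject and attachment follow the campaign naming.

    The sender varies between emails, so it is deliberately not used. When
    the archive listing is available, a matching .js member is required too.
    """
    if not (SUBJECT_RE.match(subject.strip()) and ZIP_NAME_RE.match(attachment)):
        return False
    if archive_members and not any(JS_NAME_RE.match(m) for m in archive_members):
        return False
    return True


def classify_url(method, url):
    """Return 'download', 'download-unlisted-host', 'c2' or None.

    urlsplit separates the ?<random>=<random> query string from the path, so
    it never takes part in the match, as the paste says it does not matter.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        return "download" if host in DOWNLOAD_HOSTS else "download-unlisted-host"
    if method.upper() == "POST" and parts.path == C2_PATH and host in C2_HOSTS:
        return "c2"
    return None


def scan_proxy_log(lines):
    """Flag hits in constructed proxy log lines: '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        _ts, client, method, url = fields[:4]
        verdict = classify_url(method, url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def check_hash(sha256_hex):
    """Label a SHA-256 if it is one of the two samples from the paste."""
    return KNOWN_SHA256.get(sha256_hex.lower())


# Constructed sample proxy log (not from the original paste).
SAMPLE_LOG = [
    "2016-11-11T16:20:03Z 10.0.0.5 GET http://jobgroup.it/487ygfh?kdje=29ssa 200",
    "2016-11-11T16:20:05Z 10.0.0.5 GET http://unlisted-host.example/487ygfh?a=b 200",
    "2016-11-11T16:20:09Z 10.0.0.5 POST http://hhhhjant.pl/message.php 200",
    "2016-11-11T16:20:10Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2016-11-11T16:20:11Z 10.0.0.7 POST http://www.example.com/message.php 200",
]

if __name__ == "__main__":
    print(email_matches("Emailing: _9097097_27631", "_9097097_27631.zip", ["_9097097_27631.js"]))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The second sample line shows why the path is matched independently of the host list: a download from a site not yet in the paste is still flagged, just with a weaker verdict. A POST to /message.php on an unlisted host is not flagged at all, because that path is too generic to stand on its own.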