Racco42

2016-11-02 Locky "Fax transmission"

Nov 2nd, 2016
2016-11-02: #locky email phishing campaign "Fax transmission"

Email sample:
-----------------------------------------------------------------------------------------------------------
From: iFax Service <emailsend@peace.ie>
To: [REDACTED]
Subject: Fax transmission: F-2508442352-1618776589-201611183312-5315.zip
Date: Wed, 02 Nov 2016 18:33:12 -0200

Please find attached to this email a facsimile transmission we have just received on your behalf

(Do not reply to this email as any reply will not be read by a real person)

Attachment: F-2508442352-1618776589-201611183312-5315.zip
-----------------------------------------------------------------------------------------------------------
- the sender varies between emails: the sender name is (iFax|NetFax|Fax|IVR) Service, the address is emailsend@<random domain>
- subject is "Fax transmission: F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip"
- attached file "F-<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contains file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", a JScript downloader
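A mail-gateway style check for the naming scheme described above, added here as an example and not part of the original paste. The regexes encode the sender name, sender address, subject, zip name and inner .js name listed above; the sample zip is constructed in memory with a harmless placeholder instead of the real downloader.

```python
import io
import re
import zipfile

# Indicators from the campaign description: sender, subject, attachment and inner script naming.
SENDER_NAME_RE = re.compile(r"^(iFax|NetFax|Fax|IVR) Service$")
SENDER_ADDR_RE = re.compile(r"^emailsend@[^@\s]+$")
ZIP_NAME_RE = re.compile(r"^F-\d{10}-\d{10}-201611\d{6}-\d{4}\.zip$")
SUBJECT_RE = re.compile(r"^Fax transmission: (F-\d{10}-\d{10}-201611\d{6}-\d{4}\.zip)$")
INNER_JS_RE = re.compile(r"^\d{10}-\d{10}-201611\d{6}-\d{4}\.js$")


def inspect_zip(data):
    """Return zip member names matching the campaign's .js downloader naming scheme."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if INNER_JS_RE.match(name.rsplit("/", 1)[-1]):
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip: no inner-name hit, the other indicators still apply
    return hits


def score_message(sender_name, sender_addr, subject, attachments):
    """attachments: dict filename -> bytes. Returns the list of matched indicators, in check order."""
    matched = []
    if SENDER_NAME_RE.match(sender_name):
        matched.append("sender_name")
    if SENDER_ADDR_RE.match(sender_addr):
        matched.append("sender_addr")
    subj = SUBJECT_RE.match(subject)
    if subj:
        matched.append("subject")
    for fname, data in attachments.items():
        if ZIP_NAME_RE.match(fname):
            matched.append("zip_name")
            if subj and subj.group(1) == fname:  # subject names the attachment, as in the sample
                matched.append("subject_matches_attachment")
        if inspect_zip(data):
            matched.append("inner_js")
    return matched


def build_sample_zip(inner_name):
    """Constructed test data: a zip holding a placeholder .js under the campaign's naming scheme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder, not the real downloader\n")
    return buf.getvalue()
```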

Download sites (the URLs contain suffix ?<random>=<random> which does not influence the download):

Malware:
- encoded on download, SHA256 c394698c92d5782dd0bc6d88aec2585c79155c69275f0c56aac8f65fcdf2680e, MD5 9857b8950dea8b1cda4cb7a4bc869b3f
- decoded SHA256 3e41f4340763dae1f988dd431174e172f981d789b61255f7189dbb8192082a11, MD5 8b08b261669f309933e48d3685ab155f
- executed by "rundll32.exe <dll_name>,runrun"

C2: POST to /message.php on each C2 host