Racco42

2016-09-23 Locky "Document from xxxxxx"

Sep 23rd, 2016
2016-09-23 #locky email phishing campaign "Document from xxxxxx"

Email:
--------------------------------------------------------------------------------------
From: Rosanna hockey <Rosanna7089@gmail.com>
To: [REDACTED]
Subject: [SUSPICIOUS MESSAGE] Document from Rosanna
Date: Fri, 23 Sep 2016 11:51:01 +0100

Attachment: DOC-20160923-WA00059.docm
--------------------------------------------------------------------------------------
- sender varies between emails, but the sender domain is always @gmail.com
- subject is "Document from <name matching sender>"
- body of the email is empty
- attached file "DOC-20160923-WA000<random number>.docm" is a macro-enabled Microsoft Word document that downloads the malware from:

Download sites:

Malware:
- encoded on download, SHA256 8c6da59e696bac4f9d5aa712afed5da22bfded628beac6d2f7f4da798cb5bed4, filesize 234496 bytes [1]
- encoded on download, SHA256 04ee6075f061022a342b1aee093feb552f554d7897b08e87588640d354519ca1, filesize 184320 bytes [2]
- decoded SHA256 8e00baff0d71259f7d1648871f1b135f76feed814782b438ccf0e7eaa43f6b05 [1]
- decoded SHA256 914a3f5c518087e4e49509610ea4367a9e9f3301b3a42682606616ace56215ab [2]
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples:

C2:
POST 158.255.6.129:80/data/info.php
POST 94.242.57.152:80/data/info.php
POST jfmiondv.xyz:80/data/info.php [91.239.235.130]
POST wnrgttsfmhfmmoqxm.biz:80/data/info.php [69.195.129.70]
POST eapsylykyvfkjbctn.biz:80/data/info.php [95.211.174.92]
POST tswsgajtwhqkosd.su:80/data/info.php [91.239.235.130]
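Triage checks derived from the lure description and the rundll32 execution line above, as an added example that is not part of the original paste. The sample message is constructed from the header block shown above (recipient and MIME layout are mine), and the function and indicator names are my own.

```python
# Added example (not part of the original paste): encodes the lure indicators listed above (gmail.com sender,
# "Document from <sender first name>" subject, empty body, DOC-20160923-WA000<n>.docm) and the rundll32 ",qwerty" loader.
import re
from email import message_from_string
from email.utils import parseaddr

ATTACHMENT_RE = re.compile(r"^DOC-20160923-WA000\d+\.docm$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"^Document from (.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,qwerty\b", re.IGNORECASE)

def match_locky_lure(raw_email: str) -> list:
    """Return the campaign indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_email)
    hits = []
    display_name, addr = parseaddr(msg.get("From", ""))
    if addr.lower().endswith("@gmail.com"):
        hits.append("gmail_sender")
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if m and display_name and m.group(1).strip().lower() == display_name.split()[0].lower():
        hits.append("subject_matches_sender_name")
    body_empty = True  # the campaign mails carry no body text at all
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.append("docm_attachment")
        elif part.get_content_type().startswith("text/") and (part.get_payload(decode=True) or b"").strip():
            body_empty = False
    if body_empty:
        hits.append("empty_body")
    return hits

def is_locky_loader_cmdline(cmdline: str) -> bool:
    """Process-creation check: rundll32 calling a dropped DLL through its "qwerty" export."""
    return bool(RUNDLL_RE.search(cmdline))

# Constructed sample modelled on the header block above; attachment bytes omitted.
SAMPLE_EMAIL = """\
From: Rosanna hockey <Rosanna7089@gmail.com>
Subject: Document from Rosanna
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="DOC-20160923-WA00059.docm"

--b1--
"""
```

Running `match_locky_lure(SAMPLE_EMAIL)` returns all four indicators; a mail that matches only one or two (for instance any gmail.com sender) should be scored, not blocked, on that alone.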