2016-12-15 Locky "Order Receipt"

1. 2016-12-15: #locky email phishing campaign "Order Receipt"
2.  
3. Email sample:
4. ----------------------------------------------------------------------------------------------------------------------
5. From: "Anna Hurst" <Hurst.Anna@jonasburkhalter.com>
6. To: [REDACTED]
7. Subject: Order Receipt
8. Date: Thu, 15 Dec 2016 10:54:57 -0200
9.  
10. Dear [REDACTED],
11. Thank you for making your order in our store!
12. The payment receipt and crucial payment information are in the attached document.
13.  
14. -
15. King Regards,
16. Anna Hurst
17. Sales Manager
18.  
19. Attachment: scan2967832.zip -> ~_NV6HY_~.js
20. ----------------------------------------------------------------------------------------------------------------------
21. - sender varies between emails
22. - subject is "Order Receipt"
23. - attached file "scan<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScript downloader
24.  
25. Download sites:
26. http://047688888.com/yfmmqd0
27. http://2h4u.com/5rkumb2
28. http://72mic.cn/q98yonpipk
29. http://aficar.es/dyap1
30. http://alexsoft.cn/lqxbccgvg
31. http://alfa-auto.pl/ltopxz
32. http://alteo-alumina.com/yqqw0sp3p3
33. http://ama119.jp/uxnvj
34. http://anhang-billsville.ca/d3j5l
35. http://arslan.pro/auuy3to00
36. http://asonoyamaboushi.com/q6n5nml
37. http://atakankasap.com/m2hmcizn
38. http://atwork.cn/t4kavmogc
39. http://bbdoutdoor.com/igfzq1sgg6
40. http://beinthesky.net/ad4ud12
41. http://bettydesign.cz/rfwmd
42. http://beumerkleinmetaal.nl/vzmg6rg
43. http://bigtreerecord.com/qvwjc
44. http://bigtrust.co.kr/0jpbwaf
45. http://biogoodland.com/ryrfcs
46. http://book.50webs.com/pkxwqfrg
47. http://candylee.com/f25syokvoc
48. http://chandelles-golf.com/sltl0nms
49. http://chuaiyue.com/xsttl
50. http://chuantu.net/ftb42ysmkh
51. http://communicore.biz/6evwetxcz
52. http://copiadorassharp.es/fzdxewt
53. http://coruspadel.es/n7kz5km
54. http://cuoder.org/to6nnme
55. http://dinamusfg.com/82hwv
56. http://dxhhbj.com/xgnhqsdq4
57. http://dykeselec.com/yjjvg
58. http://eflengu.ru/jmu1ix0
59. http://ekovizyonpeyzaj.com/aiw3cfjw
60. http://fanda-wesst.com/dvnelp1xx
61. http://fm1111.fr/4sl2rtd
62. http://foxhilltoyfoxterriers.com/ictrno0kyl
63. http://gallerisymbol.dk/dqaquyxl0
64. http://goodgate.tv/7m2vrub
65. http://greybruceinsurance.com/fn0z26pne
66. http://gtilite.jp/xphqbv
67. http://guardian-angels-diva.de/0cepvia
68. http://hitechsolinc.com/jhcby
69. http://hotelglobo.eu/jjsmb
70. http://interoffice-lb.com/3agmjt1
71. http://kathollowell.com/6obllz
72. http://laferwear.com/2xry1qp
73. http://legaladvice.50webs.com/sti23
74. http://mews-labo.com/vwxn1femb3
75. http://mtrk.ru/3rlflm8
76. http://pablopaz.com/6twklhtuu
77. http://sublimeshop.co.uk/4umz2
78. http://teen.deep-ice.com/nzw9cp6ooj
79. http://untitled.50webs.com/ncsuspx4
80. http://untitled.50webs.com/v06afm
81. http://waat.co.uk/68uitnl
82. http://www.angeljob.com/sgdijtu
83. http://www.bds-1.com/gfftte3uv
84. http://www.elevation.com.cn/xno8wx
85. http://zophotos.com/0fmnqv
86.  
87. Shared from "Amount Payable"
88. http://0668.com/k5bhgn
89. http://250sb.com./jynvmx
90. http://addwords.com.tr/aah6qmhv
91. http://anti-dust.ru/7k6cp
92. http://asdream.pl/gbbs1c
93. http://atio.li/exjik
94. http://bappeda.dharmasrayakab.go.id/dlhalychp
95. http://braindouble.com/uycx51ix
96. http://buhoutserts.ru/ufdazc6vv
97. http://casino-okinawa.com/ejguf
98. http://catherineduret.ch/5qpqi5ezp
99. http://chinaxw.org/xw1ju7y6zc
100. http://chungcuvinhomemydinh.com/6dvjasf
101. http://crolic88.myjino.ru/1ddig
102. http://demo.shispare.com/bvsjq
103. http://environment.ae/0od5hn
104. http://forbrent.com/h9kqgq
105. http://fyd123.cn/kib6h2d9ga
106. http://groupeelectrogeneservice.com/eefpeywf9z
107. http://hedefosgb.com/dpyzsb6u
108. http://hlonline.kentucky.com/i7z78
109. http://innercityarts.squaremdesign.com/dyo1w7
110. http://jianhu365.com/z9puqdj2eu
111. http://malamut.org/gizb2zq
112. http://obaloco.com.br/67mfj
113. http://peopleprofit.in/pyihdg
114. http://roman64.humlak.cz/7bnisgf
115. http://rulebraker.ru/zsw4cnf9o
116. http://scaune.qmagazin.ro/5hktu4h
117. http://slankmethode.nl/4zzq1am
118. http://subys.com/mjguriv80
119. http://szwanrong.com/x5qxzpjsi
120. http://tecnomundo.uy/a8rnlgzv
121. http://test1.giaiphaponline.org/0ytdjs1
122. http://test.sousouyo.com/feaetpnuee
123. http://theamericanwake.com/xw1ju7y6zc
124. http://travelinsider.com.au/mwaefb4b
125. http://trietlong.net/heyus
126. http://tx318.com/kqe4ca
127. http://ucbus.net/usdxqqt6
128. http://u-niwon.com/kmjg6j9ske
129. http://vaaren.dk/ogcz6ys0d
130. http://viscarci.com/wyqs6353
131. http://walkonwheels.net.au/qmd1uu
132. http://wdcd999.com/lm5z2snyqn
133. http://web-shuttle.in/eeo9oc
134. http://windshieldrepairvancouver.ca/qcp8k7
135. http://wiselysoft.com/qcymgbug7
136. http://wszystkodokuchni.pl/sl5yko7
137. http://wudiai.com/mc3hnwd
138. http://www.espansioneimmobiliare.com/akktnck
139. http://www.myboatplans.net/6d7ukeco6
140. http://wx.utaidu.com/1eybujbru
141. http://xlr8services.com/n970foumf
142. http://xn--k1affefe.xn--p1ai/8wzzjk24u
143. http://youspeak.pt/liowrtxs
144. http://yukngobrol.com/h7sfu
145. http://zhiyuw.com/qfbdcvrul
146. http://zwljfc.com/ld1pvjozu
147. http://zzzort10xtest123.com/nin5k3bwo
148.  
149. Malware:
150. - encoded on download
151. 4772df13d7371bb457a2f4e6be9509efc3f5f8990b82ecf12026414f49ffe96a http___047688888.com_yfmmqd0
152. 60380d4f3e5e392d7af27bc85324d7363dd644dfce4059bff832bb3dff17ff21 http___0668.com_k5bhgn
153. 2d14f034e7fec59cd12baec77dceb16ac1b410b613e2d63e118b55294cec54dd http___2h4u.com_5rkumb2
154. b8178c716f60867e9c0c587450b1712916165c5c84387ed26566816e9d407ea4 http___72mic.cn_q98yonpipk
155. 8d9b81fc81ae05f7533c8d2cfc98417b07cd192acb6368bb7d61710095da727b http___aficar.es_dyap1 [6]
156. f33109d5c8c3f7c21c6e860e59703c05a45f210eb2162e2bc90f3221e530909e http___alexsoft.cn_lqxbccgvg
157. 1c9b95d4a41b8dcb8dea64351ed2660d31e8b8036a3ba145618dbfb9f3a5c3d7 http___alfa-auto.pl_ltopxz
158. b36c2398b11474ccb3c02d0ee0b4e36345aa28c9e7101555fb786a53067f5b89 http___alteo-alumina.com_yqqw0sp3p3
159. 961c585bf02ccb297110fd43089b875d1aad0b9f7bc6d926eac65a96d64d8c29 http___ama119.jp_uxnvj
160. 9329388d016ab49841a31fad2507896b0724507d17508a8a8cbf83f05d8e2aa4 http___anhang-billsville.ca_d3j5l
161. 1333357356f93875d1831193aa25fb1ff4bd6c0f04b9c1b971ef7a30cddf50b6 http___anti-dust.ru_7k6cp
162. 879582db8c6a2e6dd7b13b66fe6b7f3b6e0fea52be216d0b27624b5abf11e440 http___arslan.pro_auuy3to00
163. 67460770ef766dcbd17f3b4717cfdf944d64b3a8112a77a468a9b6a3f18c2384 http___asonoyamaboushi.com_q6n5nml
164. 6c4740742f0ae6884b2d402da68b586b9040a61a1d5fd292cbb64d65f76fd3a3 http___atakankasap.com_m2hmcizn
165. 69c7c306baa7b60c05af065a11f6edda4bf09bdbabcafa48ba7731e88803d1d3 http___atwork.cn_t4kavmogc
166. 74e94c4b500b9ad64afed2db0614c4d74c819f70f42d17db7bb44d383427fb02 http___bappeda.dharmasrayakab.go.id_dlhalychp
167. ac992fc46eb676bd37415ac748b60f3f1f87d8a8d78c371e501cc1b481b60757 http___beinthesky.net_ad4ud12
168. 9e8ed70794c104f8293ec396812202b5aeac7cebe5255fa2ba934dca0760940e http___beumerkleinmetaal.nl_vzmg6rg
169. 2666a43cf09b1d3a4f2964afafa0ee456e8d33514b12798f4a52ff9ffae2550f http___bigtreerecord.com_qvwjc
170. 967b9bf1fbed44633ebad8aa8e67601ef36faa259d713bee6aa0f3c6e1e4c84d http___bigtrust.co.kr_0jpbwaf
171. 522700379bf4aaa0f663c19e7a16803ec32f47cb34ae2d43adbae4099f6f3c4c http___biogoodland.com_ryrfcs [1]
172. 549b212a1aec8a67ad91e27267590b31c39e40edde5a114c6b5c8620cd5adeff http___book.50webs.com_pkxwqfrg
173. f4a1f90ba4c2f8c17591293d5cb23487e352292c4fe0670f323d33c64ffa0b43 http___buhoutserts.ru_ufdazc6vv
174. 4fbef56c1e0c5c0791399dca280cba72b124f5f396bcd042735cfd7d5ab760ad http___candylee.com_f25syokvoc
175. 3f72728cd26c02e830990e81e08d81e3a0aaa2fbcbefb34c7ee001a34fc69bbd http___chandelles-golf.com_sltl0nms
176. c3c202b707bdb0e98e7a17bfedea618ea3369d4d858c86f7c52aaeceb4999548 http___chuaiyue.com_xsttl
177. 8699fa0b8a5e7df6690224e079c3da0414d9aace9be4bbf0e6fde86965a05da5 http___chuantu.net_ftb42ysmkh
178. 5abf81af30ac919aa98d6451ad464bd1889f6923d038bfe0e3c806bd7aa8890c http___chungcuvinhomemydinh.com_6dvjasf
179. 182b98a73cb06ef72826aedb2076aa012e63598bda8f97c0c516abbece0c129e http___communicore.biz_6evwetxcz
180. 25f30430a81da3d69861e3bd3adaa9e726e456c92b1355650b4cdc79222684b6 http___copiadorassharp.es_fzdxewt
181. c611fe759b804709c8e31ebd24bdb48b57ab27ba297c91f40e7e6f23fe49116f http___coruspadel.es_n7kz5km
182. 0b084d8c88f44515dc885c8a54c7ad45accef98c0aff3a6a43596c929987ea6f http___cuoder.org_to6nnme
183. 59b446abbac471363aaa2bbfff5f658907b2bb1de313c2d50fd5f3d470ce0627 http___dinamusfg.com_82hwv
184. e93d27f9a92780bc96d21ea03cd4ea96c51985b7754c9d6812407a5ecb832bc2 http___dxhhbj.com_xgnhqsdq4
185. 2920ed11c779c7c14e30763f52b57480eaa5dc4261a75aa6d3db7f8bc84c3fef http___eflengu.ru_jmu1ix0
186. 3301046561d4e5cf92480b90c3856e4b4f6c8bd653b797564f45be7ab85dc205 http___ekovizyonpeyzaj.com_aiw3cfjw [5]
187. 65803aaa66bc6a101729b223c9c6d35561bb2eb04ac109b72253645a330cfba2 http___environment.ae_0od5hn
188. 1f63bc43223634849c004b8c33b5e09d532f36e7ab8d8a955f8330f39727e4a8 http___fanda-wesst.com_dvnelp1xx [3]
189. c684dc0498cb89441e25f828f28dbd42026376a2aa2185b5c338c8ed9e87aff6 http___fm1111.fr_4sl2rtd [2]
190. f88b7dd4a3bc6ffa0acbb484d1f8a9a0487c46d2900a47580f50349cd1e2c588 http___forbrent.com_h9kqgq
191. aa456d6fc241bcecb7beb78ddfe0ffbbfa95e331ca79f5e71b7283cd8b773e3b http___foxhilltoyfoxterriers.com_ictrno0kyl
192. eef9ad652b13df46397bf0ebbf48058d5e3fe5ac05d8a0b1e9a1341133740260 http___fyd123.cn_kib6h2d9ga
193. 0c2fbb9908997b5c931d5f2e8a95a764349742bb0af128a26f57395c0283cee6 http___gallerisymbol.dk_dqaquyxl0
194. a5f95411351cd3d12384eefa1815b2fe2b0085ce4fe11a0ea5fbf663cf1b10a5 http___goodgate.tv_7m2vrub
195. 78d56bee32a95de593b15b2347b2cd79a3cab334c19273bde34d3d707380c225 http___greybruceinsurance.com_fn0z26pne
196. 24e0ce5b7e72f05e41c122c2743af3baa828ca0542af734607ab6bd11b6e1487 http___groupeelectrogeneservice.com_eefpeywf9z
197. 4f1e51e2c87a7bd429b4c06af0621092f2603d6f362e5a21517332b955900bb7 http___gtilite.jp_xphqbv
198. 7d65cea310f4387fd6008e6693ec60a19ea0b8e951a4b226fe9694c76f66e5f2 http___guardian-angels-diva.de_0cepvia
199. 63dfe370502acd3b78fc48c0ce11bf9d8e35b2fab53f949214a96e734bb34a68 http___hedefosgb.com_dpyzsb6u
200. 5bb0fcb9377bed708681b4cddebe854fdb688e871f3df054d40478185f9d4d8d http___hitechsolinc.com_jhcby
201. f4745c1cf5be1e99c3af11d369281ee5797d9d1a64abb8641e8b14ae79ac5c01 http___hotelglobo.eu_jjsmb
202. 45a4f3987d25ff1d00fedd3310dc755c555149b9a0595178ccd546002157a23e http___innercityarts.squaremdesign.com_dyo1w7
203. 499ab33235526ba848179b940946ea91a240b08cb01fba6e26a97d4ccb478122 http___interoffice-lb.com_3agmjt1
204. 3cb28af49ca5b165d8e39356788fc8dc4efaa5395fbf1f583e351f34372bc965 http___laferwear.com_2xry1qp
205. 07e311d257b6eb78c69e643f29b3bc8b1d2f547813f86b884c9c6768bdc8fd0e http___legaladvice.50webs.com_sti23
206. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0 http___malamut.org_gizb2zq
207. a2cbfc42b2b95719775244c2be397e07cf6b774088d6fc157aae947248dc2a61 http___mews-labo.com_vwxn1femb3
208. 93cbd4c01f32b9d39757d0f971265b5f2d99ce9ca34b13b5352a8b1b9b8d5485 http___mtrk.ru_3rlflm8
209. 7260fd1b41a23694c54866b0053c46d4a0412d42c75839117f5b8ddd707217ad http___obaloco.com.br_67mfj
210. 3eceed5dccfb6423c4fec6c937a265e09aca0164138342607ef28c37a9daa802 http___pablopaz.com_6twklhtuu
211. 1552dbbe4dc744872eca7fb0e35b256c18ca576d50c23b38a93f5adfe40e2db0 http___rulebraker.ru_zsw4cnf9o
212. 38e159af864c3625b86ae8b01119318c193e1fecf94bd5533d735fa85d3e1fec http___scaune.qmagazin.ro_5hktu4h
213. f425067875dfa1ef54d3e8519e9a20a7368b31fb5458eef17b74ce41c236b3db http___slankmethode.nl_4zzq1am
214. b35070b3000e7b68b6b08e2cf829a33182db4bdc3ab9eaedb832c2c0d99e7974 http___sublimeshop.co.uk_4umz2
215. 17d7054854256b0793bf6aa6700546a043e972191bba20145946a6902d1c9007 http___subys.com_mjguriv80
216. 0df5f4a1e05ad5b4289c45bd08ab5645519e10c9ccd82b00e10312fa15258b11 http___szwanrong.com_x5qxzpjsi
217. e9719d8d73558beefb8d5a706d2c05169cea4e98aecea19df43c8d2f0023f384 http___tecnomundo.uy_a8rnlgzv
218. 564d7eb5f81db1ad1a6400588e9fa97f2fda48dd3424b1f8e63d7e2d53e4e52b http___teen.deep-ice.com_nzw9cp6ooj
219. f96ba5acf26cdb1abd679b7f66d4aec67e2c64dc9d15eea0e822c16385aa7155 http___test.sousouyo.com_feaetpnuee
220. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0 http___theamericanwake.com_xw1ju7y6zc
221. 99b654d39413500f0255c6bd900251462847a8d0bc0eff5ad699efda157607d8 http___travelinsider.com.au_mwaefb4b
222. 15573792ae1923c24ac9ea35b81d39670ae0d002f74ca12ab59a8025318b0db6 http___ucbus.net_usdxqqt6
223. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743 http___u-niwon.com_kmjg6j9ske
224. 35a14ff855dd9c5e9ec53351eece7b5336d0c61dae1be5f0d92859365f1efd32 http___untitled.50webs.com_ncsuspx4
225. 209327c0e30052a3e3e3e5f14e4236d8366e45005b55e4e157b9fa5e228e9619 http___untitled.50webs.com_v06afm
226. fac51ac31cbe2cabc4a1aead779c328ebc6929e286b1e8dfb0928afaca3fee88 http___viscarci.com_wyqs6353
227. 7f1132a40bf71cbba5c65daaccfe3749a121bad3aa8ea7ea3e7ebd78e03022a0 http___waat.co.uk_68uitnl
228. 7942fb56210c40a5335a1d27a7b71adfff2faa10cd0e15d3b6b94092f450fc40 http___wdcd999.com_lm5z2snyqn
229. 9c56960f149aaaa338846b2044bcb33bc410a1c07e4c6fae305b4f530744b5dc http___web-shuttle.in_eeo9oc
230. 4b628c53cc41568c3404342ed95b9f2ee0757536ce0cf4ce8bc840829552c22e http___windshieldrepairvancouver.ca_qcp8k7
231. 5487e861fc020735a22fa2270413ac0ecd67312d64ab6e3f4fe049247c37c05d http___wiselysoft.com_qcymgbug7
232. 0b962425f88cb33bb6f1f749b6c51445f4355e2977dbe09d14e0793c2460eaa7 http___wszystkodokuchni.pl_sl5yko7
233. 4977658adcd5be63bf67d4467703596a7440419539c781d13ac0c2907e9b4aff http___wudiai.com_mc3hnwd
234. 80353f7d11595f162b04902001ca6a873070dfd54770cf6d5cbbe8ae99a63942 http___www.angeljob.com_sgdijtu
235. 93f6b298c2cdce14a4b617c95f72104d117e5d4b8cf06ebed912061c3f1f4c0a http___www.bds-1.com_gfftte3uv
236. 7f693ea607ced73c6cfb322a767beb991067aab8c7675abadb7b98369802d162 http___www.elevation.com.cn_xno8wx
237. 5efbd6851f53e4dc744b3c2668190604da054cc032cdc9a8c374c6da485d6cd4 http___www.espansioneimmobiliare.com_akktnck
238. 653cec019e34af43b585f53fd2314c7c1be5665f839a24b83cf9aa77d168c00c http___wx.utaidu.com_1eybujbru
239. c079b2076b743b9330f516d6b3ad70d4f6814a75fadc9193eb8831b80f5cd195 http___xlr8services.com_n970foumf
240. 09f320f6075ef76a0b4872e4c254d0a7232166a45d68d9343c052a44ae895b3e http___yukngobrol.com_h7sfu
241. 86c7448570c0de7abdfcaaea5fb629e33ea92243c4e29ff40e6c945d2a866d54 http___zhiyuw.com_qfbdcvrul
242. c7c4e04c9681c5f32fce264a2e955d91c6d3ae86f974390429c8e6fcab05d8f8 http___zophotos.com_0fmnqv [4]
243. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743 http___zzzort10xtest123.com_nin5k3bwo
244. - decoded
245. 6e16cdefaac99cfcae7c688c4aefc461f7c6c6757945a7e9a3314c57cd89f7c8 [1]
246. bf18874a5993dcfa04abd3be4e20bbdb177085d9935d6ff8a572677171e8a2cf [2]
247. 30274abe2bcdc83443b6170bc31e81c47bae6c7f61fb22afa12db412f8e3875a [3]
248. 09e0f266a151e149941217bd17bf04abe67081256b6ad2c93525820d69df08f0 [4]
249. ad4ac6e7bf2779aa5667f8246e61facd09c5aab552167c12cf6a6f32edde01e8 [5]
250. 69b9db7ffbbc77ebac69f143387a0db12ce68a9e23ce261639239302ec5c5248 [6]
251. - executed by "rundll32.exe %TEMP%\<filename>.ZK,jQEsJv"
252. - samples:
253. https://www.virustotal.com/file/6e16cdefaac99cfcae7c688c4aefc461f7c6c6757945a7e9a3314c57cd89f7c8/analysis/1481811297/ [1]
254. https://www.virustotal.com/file/bf18874a5993dcfa04abd3be4e20bbdb177085d9935d6ff8a572677171e8a2cf/analysis/1481811305/ [2]
255. https://www.virustotal.com/file/30274abe2bcdc83443b6170bc31e81c47bae6c7f61fb22afa12db412f8e3875a/analysis/1481811312/ [3]
256. https://www.virustotal.com/file/09e0f266a151e149941217bd17bf04abe67081256b6ad2c93525820d69df08f0/analysis/1481811319/ [4]
257. https://www.virustotal.com/file/ad4ac6e7bf2779aa5667f8246e61facd09c5aab552167c12cf6a6f32edde01e8/analysis/1481811356/ [5]
258. https://www.virustotal.com/file/69b9db7ffbbc77ebac69f143387a0db12ce68a9e23ce261639239302ec5c5248/analysis/1481811377/ [6]
259.  
260. C2:
261. POST http://178.209.51.223/checkupdate
262. POST http://185.129.148.56/checkupdate
263. POST http://185.17.120.166/checkupdate