Racco42

2016-12-09 Locky "Firewall Software"

Dec 9th, 2016
2016-12-09 #locky email phishing campaign "Firewall Software"

Email sample:
----------------------------------------------------------------------------------------------------------------
From: "Mauricio Knight" <Knight.Mauricio@rcil.gov.in>
To: [REDACTED]
Subject: Firewall Software
Date: Fri, 09 Dec 2016 13:31:00 +0530

Hey [REDACTED], it is Mauricio. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.

--
King Regards,
Mauricio Knight
IT Support Manager

Attachment: f_license_4498016.zip -> ~2EN661R7GM97RNXGK514Y4.js
----------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Firewall Software"
- attached file "f_license_<7 digits>.zip" contains the file "~<random uppercase chars and digits>.js", a JScript downloader

Download sites:

Malware:
- encoded on download
- decoded
1dcc051b323106f44f8c0dca270c283e3599e00b5fd913025554a18980a07289 [1]
a3f4903ac07020667437f31133fdb0cf3c8b29a0a8cf6bd828726f5804a66aec [2]
8c850d4c23f4956a62e381be38d32529fee01d4c1f5088349d91bd37bf59918e [3]
caea2986a4f129483d660c932a26c3f8b6aece750e1d73fabef98836f5353d40 [4]
bb97028a01c9729203fd4f70d6bad02cb47180e7ce966022c2ba87e57de3ef1b [5]
- executed by "rundll32.exe %TEMP%\<filename>.ZK,G4"
- samples
https://www.virustotal.com/file/1dcc051b323106f44f8c0dca270c283e3599e00b5fd913025554a18980a07289/analysis/1481278419/ [1]
https://www.virustotal.com/file/a3f4903ac07020667437f31133fdb0cf3c8b29a0a8cf6bd828726f5804a66aec/analysis/1481278437/ [2]
https://www.virustotal.com/file/8c850d4c23f4956a62e381be38d32529fee01d4c1f5088349d91bd37bf59918e/analysis/1481278460/ [3]
https://www.virustotal.com/file/caea2986a4f129483d660c932a26c3f8b6aece750e1d73fabef98836f5353d40/analysis/1481278486/ [4]
https://www.virustotal.com/file/bb97028a01c9729203fd4f70d6bad02cb47180e7ce966022c2ba87e57de3ef1b/analysis/1481278504/ [5]

C2:
POST http://107.181.187.97/checkupdate
POST http://178.159.42.248/checkupdate
POST http://51.254.141.213/checkupdate
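A defender-side check, added here and not part of Racco42's paste, that encodes the campaign markers noted above (the attachment naming pattern, the rundll32 ".ZK,G4" launch from %TEMP%, and the POST /checkupdate C2 traffic) and runs them over a few constructed log events; the regexes, the event dictionary format and the sample events are my own assumptions.

```python
import re

# Attachment naming from the campaign notes: f_license_<7 digits>.zip holding ~<UPPERCASE/digits>.js
ATTACHMENT_RE = re.compile(r"^f_license_\d{7}\.zip$", re.IGNORECASE)
INNER_JS_RE = re.compile(r"^~[A-Z0-9]+\.js$")
# rundll32 loading a .ZK payload from %TEMP% (literal or expanded to a ...\Temp\ path) and calling export G4
RUNDLL_RE = re.compile(
    r"rundll32(\.exe)?\s+.*(?:\\Temp|%TEMP%)\\[^\\\s]+\.ZK,G4\b", re.IGNORECASE)
# C2 endpoints listed in the paste
C2_IPS = {"107.181.187.97", "178.159.42.248", "51.254.141.213"}

def check_attachment(zip_name, inner_name):
    """True when the zip/JS pair matches this campaign's naming scheme."""
    return bool(ATTACHMENT_RE.match(zip_name) and INNER_JS_RE.match(inner_name))

def check_cmdline(cmdline):
    """True when a process command line matches the rundll32 .ZK,G4 launch."""
    return bool(RUNDLL_RE.search(cmdline))

def check_http(method, host, path):
    """True for a POST to /checkupdate on one of the listed C2 addresses."""
    return method == "POST" and host in C2_IPS and path == "/checkupdate"

def scan(events):
    """Return (indicator, detail) tuples for every event that matches a marker."""
    hits = []
    for e in events:
        if e["type"] == "mail" and check_attachment(e["zip"], e["inner"]):
            hits.append(("attachment", e["zip"]))
        elif e["type"] == "process" and check_cmdline(e["cmdline"]):
            hits.append(("rundll32", e["cmdline"]))
        elif e["type"] == "http" and check_http(e["method"], e["host"], e["path"]):
            hits.append(("c2", e["host"]))
    return hits

# Constructed sample events (hypothetical log records, not data from the paste)
SAMPLE_EVENTS = [
    {"type": "mail", "zip": "f_license_4498016.zip", "inner": "~2EN661R7GM97RNXGK514Y4.js"},
    {"type": "mail", "zip": "invoice_2016.zip", "inner": "invoice.pdf"},
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd1234.ZK,G4"},
    {"type": "process", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http", "method": "POST", "host": "107.181.187.97", "path": "/checkupdate"},
    {"type": "http", "method": "GET", "host": "example.com", "path": "/checkupdate"},
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_EVENTS):
        print(kind, detail)
```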