2016-12-13 Locky "Bill for paper 2016-12-13"

1. 2016-12-13: #locky email phishing campaign "Bill for papers 2016-12-13"
2.  
3. Sample email:
4. ------------------------------------------------------------------------------------------------------------------------------
5. From: woodrow.milliken@gmail.com
6. To: [REDACTED]
7. Subject: Bill for papers 13-12-2016
8. Date: Tue, 13 Dec 2016 05:42:43 +0530
9.  
10. Attachment: Bill.zip ->
11. ------------------------------------------------------------------------------------------------------------------------------
12. - sender varies between emails, but always from @gmail.com
13. - subject is "Bill for papers 12-12-2016"
14. - email body is empty
15. - attached file "Bill.zip" contains file "<3 digits>-<4 uppercase letter><4 digits>.wsf", a JScript downloader
16.  
17. Download sites (the actual URLs have suffix ?<random>=<random> which does not influnce the download):
18. http://24x7telugu.com/jht76gh
19. http://agile-scrum-training.com/jht76gh
20. http://alhamdinternational.co.in/jht76gh
21. http://artofovernight.com/jht76gh
22. http://axzio.com/jht76gh
23. http://badvaruhus.se/jht76gh
24. http://banknifty.com/jht76gh
25. http://bindaasdelhi.org/jht76gh
26. http://bmbuildingpteltd.com/jht76gh
27. http://bonzerwebsolutions.com/jht76gh
28. http://bptpm.sragenkab.go.id/jht76gh
29. http://bpt.sragenkab.go.id/jht76gh
30. http://cambostudio.com/jht76gh
31. http://cardimax.com.ph/jht76gh
32. http://cargo1.lin14.siteonlinetest.com/jht76gh
33. http://cemiselbiseleri.com/jht76gh
34. http://csrj-ah.rau.ro/jht76gh
35. http://development.susteen.nl/jht76gh
36. http://dlugosz-it.pl/jht76gh
37. http://dndwebtech.com/jht76gh
38. http://dreamruntech.com/jht76gh
39. http://dryilmazyildirim.com/jht76gh
40. http://dssstaging.net/jht76gh
41. http://eurofranq.com/jht76gh
42. http://giafastfood.ro/jht76gh
43. http://goldseparator.com/jht76gh
44. http://gruponyn.com/jht76gh
45. http://gtaxusa.com/jht76gh
46. http://hansdavisgroup.com/jht76gh
47. http://hoopwizard.com/jht76gh
48. http://imlearningsystems.com/jht76gh
49. http://infomazza.com/jht76gh
50. http://innoservtest.in/jht76gh
51. http://intrekmedya.com/jht76gh
52. http://italics.in/jht76gh
53. http://jackpotfutures.com/jht76gh
54. http://koiatm.com/jht76gh
55. http://mangliks.com/jht76gh
56. http://mygreenlivingideas.com/jht76gh
57. http://narifashion.com/jht76gh
58. http://nationaltaxoffice.com/jht76gh
59. http://olivierimmobiliare.com/jht76gh
60. http://prototypingjob.com/jht76gh
61. http://pubbligrafica360.it/jht76gh
62. http://rajfoto.com/jht76gh
63. http://ravaniagro.com/jht76gh
64. http://ravaniinfra.com/jht76gh
65. http://sampletemplates.net/jht76gh
66. http://seasy.in/jht76gh
67. http://shreemahalaxmiagro.com/jht76gh
68. http://sparezz.com/jht76gh
69. http://statelesspeopleinbangladesh.net/jht76gh
70. http://suffitechh.com/jht76gh
71. http://sukienhoanggia.com/jht76gh
72. http://taipei-lottery.com/jht76gh
73. http://tasveeranarts.in/jht76gh
74. http://themeonhai.com/jht76gh
75. http://thingsandsuch.co.uk/jht76gh
76. http://twoj-sennik.pl/jht76gh
77. http://ubertama.com/jht76gh
78. http://www.3g4e.ir/jht76gh
79. http://www.3shadz.com/jht76gh
80. http://www.camko-motor.com/jht76gh
81. http://www.epmedia.it/jht76gh
82. http://www.kamakhyaits.com/jht76gh
83. http://www.mastropoloartgallery.com/jht76gh
84. http://www.merinnaa.com/jht76gh
85. http://www.risto10.it/jht76gh
86.  
87. Malware:
88. - encoded on download SHA256 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be, MD5 e98ae17129de777e560d9bb5a49d77e3
89. - decoded SHA256 5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a, MD5 8bc549a9e9d720c6e25a03eac360479f
90. - executed by "rundll32.exe %TEMP%\<dll_name>,set_str""
91. - sample https://www.virustotal.com/file/5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a/analysis/1481587931/
92.  
93. C2:
94. POST http://109.234.34.212/checkupdate
95. POST http://176.121.14.95/checkupdate
96. POST http://185.75.46.13/checkupdate