2016-12-14 Locky "Parcel Certificate"

1. 2016-12-14: #locky email phishing campaign "Parcel Certificate"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------------
5. From: "Robin Bailey" <Bailey.Robin@pazgarde.com>
6. To: [REDACTED]
7. Subject: Parcel Certificate
8. Date: Wed, 14 Dec 2016 16:47:54 +0700
9.  
10. Dear [REDACTED],
11. Please check the parcel certificate I am sending you in the attachment.
12. Order number is 477-F. Quite urgent, so please review it.
13.  
14. -
15. Best Regards,
16. Robin Bailey
17.  
18. Attachment: par_cert_7727260.zip -> ~_KO8VYC_~.wsf
19. ---------------------------------------------------------------------------------------------------------------------
20. - sender varies between emails
21. - subject is "Parcel Certificate"
22. - attached file "par_cert_<7 digits>.zip" contains file "~_<5-7 upper chars and digits>_~.wsf"
23.  
24. Download sites:
25. http://176.58.124.197/fi6ifw1w5
26. http://adiosalvello.com/azro2yu
27. http://aeroptim.com/9lhtqtw
28. http://akkugarancia.hu/ojj5c
29. http://alexandergorban.com/gstwnmcgqn
30. http://andrey.goldfine.ru/wk5tfu9fpg
31. http://aria-asp.ir/k7cwvi
32. http://ayvalik.info.tr/udohemi
33. http://bursacicekmagazasi.com/v2r3438pj8
34. http://camschlampen.notgeile-amateure.com/c2knp
35. http://decouer.com/ohpj3
36. http://demo.fishtime.com.ua/g1q2n46a
37. http://demo.ghwchina.com/thoxca
38. http://design-travel.ru/iyftenb
39. http://dg.gamebuffet.mobi/ah697dt
40. http://dtburakakin.com/4zhdeehto
41. http://dux.baidu.com/toihm6
42. http://eflengu.ru/slqfqov
43. http://environment.ae/ui0gi1qq
44. http://eor.ir/h41qx
45. http://giftoflife.nl/ofc5vmee
46. http://gizlot.com/0ixbu7fhl
47. http://gm-werbekonzepte.de/fm9qp
48. http://johndada.se/pzn0d9w
49. http://kurochka-ryaba.ru/5icp9tfsco
50. http://lanehmontgomery.com/2k1ripjpbx
51. http://leonsi.eu/dwzef
52. http://m.cuisines-aviva.com/q3hopc9w
53. http://mijnknwu.knwu.nl/kdgu1aiyu
54. http://mintthaicafe.com/swctibivl8
55. http://mytourbid.com/0mle9jq
56. http://new.craescuela.net/4fntbqb
57. http://oldenburgertransport.com/fi89qa
58. http://pizzatr.net/9nzb5q7v
59. http://pwdhash.com/d5sif
60. http://reefclub.ru/cag2zv
61. http://rkf3460.dk/xotxbf
62. http://sahara-prof.ru/4tdaknluxp
63. http://shop.cxweixin.cn/jt6e9avj
64. http://sstaswim.com/3sczy9y5
65. http://swanseabaptistchurch.org/6p0kire
66. http://test.easynet.net.au/imdxb
67. http://test.verox.dk/yacm5u
68. http://test.yanying100.com/ekigtkxpk
69. http://thelostpearls.com/plkrs
70. http://tocotrucking.com/9frj4
71. http://upperclassmeninc.com/67qo91yrv
72. http://urachart.com/0maqspu
73. http://whutszk.com/zlhv6nrcpx
74. http://www.2290express.com/qbcx9elv7h
75. http://www.konfidence.pl/gm1bui
76. http://www.olgiatalife.it/aulhdovqsi
77. http://www.socialmediaplanner.com.au/helyi4a
78. http://xlraider.com/f8pqp2
79. http://yoga.tanialove.com/lhfyng5r05
80. http://ypgg.kr/ajro6z
81. http://ziskant.com/kqnioulnfj
82.  
83. UPDATE:
84. http://avtomoika23.ru/qff3kkl
85. http://nordvelay.fr/s5sjsn3
86. http://www.ckmp.ru/sijxxshn
87.  
88. Malware:
89. - encoded on download
90. 69588ef7e63f6ade5055227c64f2a8471d795d7da4a68e9a922b700db7f2feeb http___176.58.124.197_fi6ifw1w5
91. f8d5f68c97abf5b63b4c86ecd6e33fb16c69a8036770de684a2a05636fb96121 http___aeroptim.com_9lhtqtw
92. a24c2a0374484435d077b86dc8856efb7dbfb78ffa6e54ca4b6f06eadb5caf1f http___akkugarancia.hu_ojj5c [2]
93. ccb1e1e807500252a7f2350fa4d7a8b36c739bd57599a5b1079e123fdd51830f http___alexandergorban.com_gstwnmcgqn
94. 912e0aaec346598c92914a01fbc77a4c7e7cd43dab0b87f4c95017d17c18049b http___andrey.goldfine.ru_wk5tfu9fpg
95. bb50ca69165eb0a05720ca20c49bc42d47b6a156b88dfd58f6ac62aa615562a4 http___aria-asp.ir_k7cwvi
96. 6b15b333f418d6ff415dba460270fa445a437836d09a7dfe9f7763ee5e17f2c3 http___ayvalik.info.tr_udohemi
97. 6d030ac5ec6f2228e2e16d64538dd454736ab6d3aa09078f9dd46e90b3cd92f8 http___bursacicekmagazasi.com_v2r3438pj8
98. caa2ba13da1433864af16572ae4c58daecc0c9a8f737fea3aef12759562d730c http___camschlampen.notgeile-amateure.com_c2knp
99. be17b8d7c3ca445bba9e3993ebf3860c0f939abc4e235e337606176613263dad http___decouer.com_ohpj3
100. 2a4561c470df2613b59811791b2f3f5411260c0f16087113cc6fca1d95d334c1 http___demo.fishtime.com.ua_g1q2n46a
101. 1cb3cea0176f2b712f3ffb86bea7be898be209461a1f8a8c1b1adecb3a830280 http___demo.ghwchina.com_thoxca
102. f783f3eb887ca8a856e61770ec392a941971e8cbe05df48299a5104303f8ed68 http___design-travel.ru_iyftenb
103. 7885b9c65a22fef440e958cb6a3e50965bfbba06440c28507607c6240a9f37a9 http___dg.gamebuffet.mobi_ah697dt
104. c3014cd7fa162788c9a39c173435279bb70b2d91592e0021c5af5f73dc3a625b http___dtburakakin.com_4zhdeehto
105. de04e4001f853fe9fb6253e6e336ac852519655bc03a5ae7a416cef9bc666f96 http___dux.baidu.com_toihm6
106. a992006724e90ed2f520ab799bbbcf0364312cfdf9e9f40072c51c4f2c04d607 http___eflengu.ru_slqfqov
107. 0f1b5898033621b62c8dd7f56725f524b0b2cb5444ca3d7055709594e11c0585 http___environment.ae_ui0gi1qq
108. 7418b2e46eafea389395da6d612c712da08e41fd382f231239a509bf98ec9ac0 http___eor.ir_h41qx
109. a35084c774ece9eb936f7efdd1632e4e24240e97c05258f913dad31aeda5450c http___giftoflife.nl_ofc5vmee
110. e2d99f5b538f1abdebb7ebcaa609ec5aeec35ff4e81a3196cc63c1da0143ff9a http___gizlot.com_0ixbu7fhl [1]
111. e56043d99a6a7b0563a02535e5bc440f32b8fcec8812478b66cf33cd00fb0502 http___gm-werbekonzepte.de_fm9qp
112. f2c06cb35e06a80ee1fa24e83fb1302ba8901d58f67b8ba54662b53f4683c9a0 http___johndada.se_pzn0d9w
113. 3649c07638a5065b2adf4f027f31ddf2827fa691c433f5b3a03c4c96713ae290 http___kurochka-ryaba.ru_5icp9tfsco [6]
114. 6c764946a0f49acb149349ceec3c12256883b106736d037b41b74a7183de83a5 http___lanehmontgomery.com_2k1ripjpbx
115. 82e9d5522bcccf178e073a2b9c64ded9a6ec500132ca8e94e572721737c72e06 http___leonsi.eu_dwzef
116. d7186d61ca90df31e158e1f001d6c09669938c87b8d975f863ae51cfb718e71c http___m.cuisines-aviva.com_q3hopc9w
117. 0a4e9a7e5804e1d552f57a6055c8c54ef36862c8f2659cfeec5d4fffacdf002d http___mijnknwu.knwu.nl_kdgu1aiyu
118. 91314e58e95af5546ae039f4a39624eea3d05cac6b72cd99b1a4551a2088e58e http___mintthaicafe.com_swctibivl8
119. 37477699b69cefe04b204ba9c62b7d34760ed22c3697db1231a79485621cf21c http___mytourbid.com_0mle9jq
120. 17ce34019e70ba106e7c3d0d52ae96ed3cfeed5d1983ceb2db78645b735c03df http___new.craescuela.net_4fntbqb
121. c874b775074af75825bba873a9926d93f51ac2bb12de4eab2f83b037603f293f http___oldenburgertransport.com_fi89qa
122. cb2ca74b6bff54686f32dcf5cf4a3a892b161a30b20f6ee21141a0c3155f1290 http___pizzatr.net_9nzb5q7v
123. bf775b71704dc424c1ed33d2a0f5fa23491664bf14f7975add72cee1432ec2b0 http___pwdhash.com_d5sif [4]
124. 324a8674138072570bfea4fabf31b21739c343f1e0fabf4f6e335503b6dd9875 http___reefclub.ru_cag2zv [3]
125. 5c762e768ac27a512731e4cf4c6378eeebd6e816ca2010e5d49fa8d455bde719 http___rkf3460.dk_xotxbf
126. ad63d0aed8d0ef73b1b24906c9abad626b47515a3314670c4c5cc9d1a39fbc7c http___sahara-prof.ru_4tdaknluxp
127. aebdef453ea2d542e9c0371978ee7de1b942427bd507370e3687d42045a314dc http___shop.cxweixin.cn_jt6e9avj
128. 56c1ce04689c64438552a4016473f725da908dba2fb8078ed078e8088ef6ae97 http___sstaswim.com_3sczy9y5
129. 6ce780944c5ef26d05eea223da552013013f8fc80c693be3d9e319855b0cd854 http___swanseabaptistchurch.org_6p0kire
130. 3f7e91413596dd86262021153d677fb0b8e91d0ef7c1491b2df5f27241414741 http___test.easynet.net.au_imdxb
131. 3272f3523399d322457c432d7957e4618fef5c44d58767ab6a43b247caab5e0a http___test.verox.dk_yacm5u
132. aa83af96bd2e3ef350ff1cb3b039d63249a3b40d4714447a0696690b47f33498 http___thelostpearls.com_plkrs
133. 8c4dba7430a90830c83378610101008b2f5e4e3f1c833477d41c7d3934414b79 http___tocotrucking.com_9frj4
134. 90b1f4fc38be1bddce90161824746af217f9997a52634f12fa4ef3d51c9c2102 http___upperclassmeninc.com_67qo91yrv
135. 39db6ea56857440c5ba11fdd283638232bbc4df963f811d2190b642691e862eb http___urachart.com_0maqspu
136. fc374d0ed61c0c87113fde95560b084fa61e33996c4f061e84fcd6b892a61c98 http___whutszk.com_zlhv6nrcpx
137. 4eccbf21c69582de51a0363330c6af73cca3b775ef9d245c00ca1d5e4d06746d http___www.konfidence.pl_gm1bui
138. a19df04d169c54334d9cd83fb4105d7e8a889e8d512f67aa8917b84f5c2b8098 http___www.olgiatalife.it_aulhdovqsi
139. 91e245f790f47bb47bb0fecd6f9f19069c86db9bcd23401b7c1e17e1f738669f http___www.socialmediaplanner.com.au_helyi4a
140. f42702c1d820ec1dbd0f875f50f88c3f0fc827c1513c76375318c86786f11daa http___xlraider.com_f8pqp2
141. d21300bf92d6501de94250ce4682b92606617b2e675bbdbd1b5fe1904a08a655 http___yoga.tanialove.com_lhfyng5r05
142. 82a1bb0a979c72bf4e4fe2b016e1d64af1dbff38acebeea736b923f9f593c957 http___ypgg.kr_ajro6z [5]
143. 9c495c41a66705c756cdf25988fbd1f7c76fd2d991e4f89e002d9f93318584d9 http___ziskant.com_kqnioulnfj
144. - decoded
145. d4a2a4fc982d52e295e03aab010bd9c6e64e16f8c16548d82f40d9d4198e1802 [1]
146. bb194d74778ad151b59f8652926de9b537b125053bfb14e642b9b89d489465b5 [2]
147. 528cc81c9ef9fe1e2d67750b51ebf4a01338e70345e6606251adea5d0c69b85e [3]
148. 71d1fe74d25e97c53d10031316515f9a2156a48a1caa0db208062d93b01fae91 [4]
149. 844ffc80cbc22bcbf8fa9eb0edf361067fd00024695b594af5b3c40eef06791e [5]
150. da58654d9adabcde4aa63f95cbd7e3b0104abf051dd77e5599938683031fa904 [6]
151. - executed by "rundll32.exe %TEMP%\<filename>.ZK,Ajp3yeeaD7P2stvWfcPLhIWeWaBWU"
152. - samples
153. https://www.virustotal.com/file/d4a2a4fc982d52e295e03aab010bd9c6e64e16f8c16548d82f40d9d4198e1802/analysis/1481711422/ [1]
154. https://www.virustotal.com/file/bb194d74778ad151b59f8652926de9b537b125053bfb14e642b9b89d489465b5/analysis/1481711429/ [2]
155. https://www.virustotal.com/file/528cc81c9ef9fe1e2d67750b51ebf4a01338e70345e6606251adea5d0c69b85e/analysis/1481711435/ [3]
156. https://www.virustotal.com/file/71d1fe74d25e97c53d10031316515f9a2156a48a1caa0db208062d93b01fae91/analysis/1481711441/ [4]
157. https://www.virustotal.com/file/844ffc80cbc22bcbf8fa9eb0edf361067fd00024695b594af5b3c40eef06791e/analysis/1481711448/ [5]
158. https://www.virustotal.com/file/da58654d9adabcde4aa63f95cbd7e3b0104abf051dd77e5599938683031fa904/analysis/1481711454/ [6]
159.  
160. C2:
161. POST http://185.129.148.56/checkupdate
162. POST http://213.32.113.203/checkupdate
163. POST http://86.110.117.155/checkupdate