2016-10-03 Locky "please sign"

1. 2015-10-03 #locky email phishing campaign "please sign"
2. http://blog.dynamoo.com/2016/10/malware-spam-please-sign-leads-to-locky.html
3.  
4. Email:
5. --------------------------------------------------------------------------------------------------------------------
6. From: "Otha Hampton" <Hampton.1571@berlin-girls.de>
7. To: [REDACTED]
8. Subject: please sign
9. Date: Mon, 03 Oct 2016 15:34:38 +0530
10.  
11. Hi [REDACTED],
12.  
13. I have made the paperwork you asked me to prepare two days ago.
14. Please check the attachment. It just needs your signature.
15.  
16. Best Wishes,
17. June Odom
18. Key Account Director Municipalities
19.  
20. Attachment: paperwork_scan_003e18766.zip
21. --------------------------------------------------------------------------------------------------------------------
22. - sender address varies between emails
23. - subject is "please sign"
24. - attached file "paperwork_scan_<random hexa chars>.zip" contain two files - one-letter-named junk file and file "paperwork scan ~<random hexa chars>.wsf", a JScript downloader
25.  
26. Download sites:
27. http://charge2go.com/coplbr
28. http://dangras.net/3geg2zj
29. http://dangras.net/5edbite
30. http://dangras.net/6lebt
31. http://dotcom-enterprises.com/cpgskvx9
32. http://eskrow.ru/gk2sabe
33. http://ferumusky.com/229k9z
34. http://ferumusky.com/5o11b5s
35. http://ferumusky.com/6nfhu0lt
36. http://galelaure.com/gvn4j9eq
37. http://honeine.com/h03dyzp
38. http://joplinglobeonline.com/cc3al2x7
39. http://louisirby.com/cmlfoyb
40. http://louisirby.com/ejtocks
41. http://medicangka.com/2wn3r
42. http://medicangka.com/515grm
43. http://medicangka.com/65l4byy
44. http://mucicsitta.net/2imhkap
45. http://mucicsitta.net/4li3zc
46. http://mucicsitta.net/64vvi
47. http://mutiarafurniture.com/qwal3v9
48. http://ossiatzki.com/dyke9
49. http://p2pbikini.com/cm9s56to
50. http://parasaymamakina.net/ja152
51. http://relianceclouds.com/tr56dz8z
52. http://rondeaho.com/08dqn
53. http://rondeaho.com/24agob
54. http://shinipri.com/brzvbi
55. http://softwaregolower.com/rddt0z
56. http://syncfish.com/k7brjhgm
57. http://tandjsalon.com/gd5ke
58. http://welsell.com/tgtmzm
59.  
60. Malware:
61. - encoded on download, filesize 163332
62. 557ecdd50394a5d7f8c4ab8a601181daab05c546ad1f46f7e0b1e2ecfdc8774b http___charge2go.com_coplbr
63. bbb7ddaa902d8b841fa61d19b1d660c700cafdec6b2d5e053869b013b748b730 http___dangras.net_3geg2zj
64. dd08228c392f453fca3c2a7ce9704f459adfb877a11dc8678f28780c0b23b7a5 http___dangras.net_5edbite
65. dc5af8dedfd5bfd7aba3835016b5c2dd0dedf32c9cd573f87821d4b874bce334 http___dangras.net_6lebt
66. b930bd9a83872fefd9f0998d68ba06bce89443fa0a4c53cccef43e54efe8bb29 http___dotcom-enterprises.com_cpgskvx9
67. 980ec589d5235ceeddb6b9386104179dadd257e80f7b59b196d8b56e6b56bc1a http___eskrow.ru_gk2sabe
68. 734f88817afd59964e6996a3adacc3578fbb9a2dfb521eb25b18dbc2dfe595b0 http___ferumusky.com_229k9z
69. b101235e9d617498e55d40688ef4482d642ea93a8be9bca1139242582d14ec14 http___ferumusky.com_5o11b5s
70. 3128acae30eb3bf5df2ac9c39ae852941002df4c9b8ad184954bbdedee22a72c http___ferumusky.com_6nfhu0lt
71. 8eda605ee5f6dbfe29b651c1397e780f96d36e8fe837ac98cda677096fd026f0 http___galelaure.com_gvn4j9eq
72. 5099475989f74f2106c2dcd383b47c086e582b980d9ce1c5c3eced8b856c2d26 http___joplinglobeonline.com_cc3al2x7
73. f37ab2fbc3c42e0279640fccdcd08484e82c0ed22ed068d47ccc359ec8b8e644 http___louisirby.com_cmlfoyb
74. 03d3c17961ef23246beb1ebac534605161b71a79238a64c7053e72b3c0d667a9 http___louisirby.com_ejtocks
75. 98cf3234aee25840bc51d05ad5f66375dcab0efbb21cd08499a6ccc24aaeab56 http___medicangka.com_2wn3r
76. e9547541475ebcd5dc4e5caad7d53e290a19fb91dabc796cc4d54432905d2284 http___medicangka.com_515grm
77. 3d89cb66726cc219d7872bb6e00fa235c7c213b8a0331452be1ee2301dc00d84 http___medicangka.com_65l4byy
78. 092bdbb596e756c0ec6e3066c3cbab489f63b5d4f3b0cf4851750a03066d0ba8 http___mucicsitta.net_2imhkap
79. d0e8789f090b06d6698d07ca028bcf0185f94ebe0a85f9328392def67e16ec1b http___mucicsitta.net_4li3zc
80. 779b65ccfb0b2c3b6659eef2cf1ed4146c1c67d47dc77c9732279544bb71a0e4 http___mucicsitta.net_64vvi
81. 5f9088706a9742f6a238b6b2695d77b0f017dd4e9a666b84867a338d4003f427 http___mutiarafurniture.com_qwal3v9
82. 09193a04a852092e71ac0dbdd285738b7c7ac399171cb8f8f8476c9c574e7327 http___ossiatzki.com_dyke9
83. 43a0418eaceadbb8c03b5d720f7583a84cd5cf9f69bea33890dc64f938c4c8f5 http___p2pbikini.com_cm9s56to
84. 7e916878f623f36cc7c9ad32b5cfdfadcde605d501d3cbc63f302945d15af1f8 http___parasaymamakina.net_ja152
85. 6f39d179366181c7a6544229ba957ce5ec8736b20ff2adaa736490710a5a8595 http___relianceclouds.com_tr56dz8z
86. a29969dda69ca58636f32ae66b5a3aa6a99812d09756ca0e471324c2769e69c9 http___rondeaho.com_08dqn
87. ce347f56c824055c46bd6d17bcab3c091bb0d5bd74ce292653502987d5b660a9 http___rondeaho.com_24agob
88. 1f2b542755531b5cb74863182f84b614903de8235bfb561e72b3c13541f77abf http___shinipri.com_brzvbi
89. eb6c3d3cc394d41f5a46f7f0f78dc19e8df9afb2bce0496b7880ec551cfb7937 http___softwaregolower.com_rddt0z
90. fa7df4fc07444b5e36dcba8c78d75ee4a38ac02c45549f55db283a31eae7c90c http___syncfish.com_k7brjhgm
91. 54314bd371b53c2f2c7e9eb41970f231d82b871ca8bc74639c060c80bc7352cf http___welsell.com_tgtmzm
92. - executed by "rundll32.exe <dll_name>,qwerty 323"
93. - samples
94. https://www.reverse.it/sample/2b3bfd64d9cba71141dbc927d68196252c338a5c061ae66a0536ede587633b61?environmentId=100
95. https://www.reverse.it/sample/7619fd4ebf89030dc2da85906cd4eccc63422080c7ccb0a416f3acb932253e50?environmentId=100
96. https://www.reverse.it/sample/75c64e65071345abd00bdad287d5d791526fc10ad0b56176617e0622afb76724?environmentId=100
97. https://www.reverse.it/sample/7a19750588c3693657d8cf91fec57d01a7e31e65e5f17076cc16c94ad706345d?environmentId=100
98.  
99. C2:
100. - no C2 communication visible, offline variant