Antelox

New Locky distribution sites - 29/06/2016 affid=3

Jun 29th, 2016
_*Locky affid=3*_

*Email info*

The *Subject* can be one of the following:

FW:foto
FW:images
FW:my photo
FW:my photos
FW:photo
FW:photo you asked
FW:pictures
RE:foto
RE:images
RE:my photo
RE:my photos
RE:photo
RE:photo you asked
RE:pictures
foto
images
my photo
my photos
photo
photo you asked
pictures

No email *Body* observed.


The attachment is a zip archive containing a JavaScript file.
Code: https://gist.github.com/Antelox/c3e6cf237687fa662fc1a41452fc87ee

JavaScript sample - MD5: a318d0a63e13d03b7c300bc022710b1c
VT: 11/55 - https://virustotal.com/en/file/e25662a6be279c1db7d5f042ec2129f0d54c9b3b12890bc9aa378dcc4de78206/analysis/

*Compromised domains (13)*:


*Sample downloaded*:

File Name: 8y7gvt65v
MD5: 6c33700b12efaae1d87191068e2d9936
VT: 6/53 - https://virustotal.com/en/file/2fcd597cef85c840072220a4742941c57cb1b19aee71107828faafa06d2f57b7/analysis/

*Hardcoded IPs*:

93.170.123\.219
151.236.17\.45
149.154.159\.125
14.31.59\.147
151.236.17\.47

*DGA*:

wqdwxpmvwdstncige\.pw -> 69.195.129\.70 United States

*Hashes*:
