2016-12-13 Locky "a picture for you"

1. 2016-12-13: #locky email phishing campaign "a picture for you"
2.  
3. Email sample:
4. ----------------------------------------------------------------------------------------------------------------------------------
5. From: Ronda <Ronda.16@theroyalparadise.com>
6. To: [REDACTED]
7. Subject: a picture for you
8. Date: Tue, 13 Dec 2016 19:56:58 -0300
9.  
10. scanned
11.  
12. Attachment: 2016-12-623875.zip -> 2016-12-11225.jse
13. ----------------------------------------------------------------------------------------------------------------------------------
14. - sender varies between emails
15. - subject is "a (image|photos|photo|picture) of you"
16. - attached file "2016-12-<4-6 digits>.zip" contains file "2016-12-<4-7 digits>.jse", a JScript (plaintext .js, not encoded) downloader
17.  
18. Download sites (actual URLs have suffix ?<random>=<random> which does not influence download):
19. http://00005ik.rcomhost.com/knby545
20. http://1smart.nu/knby545
21. http://203kitchen.com/knby545
22. http://87.244.17.86/knby545
23. http://88.150.144.236/knby545
24. http://94.127.33.126/knby545
25. http://abogalalmotors.com/knby545
26. http://accademiamoda.com/knby545
27. http://aidhanlogistics.com/knby545
28. http://arc.com.pk/knby545
29. http://armcoinfrared.com/knby545
30. http://aspirekitchens.in/knby545
31. http://batchmiami.com/knby545
32. http://blog.webskitters.com/knby545
33. http://bobyfrancisandpradeep.com/knby545
34. http://brandappz.com/knby545
35. http://brinktest.com/knby545
36. http://c2sexpress.net/knby545
37. http://caribbeachresort.com/knby545
38. http://charlesworth.com.ng/knby545
39. http://crewclaims-lubpi.com/knby545
40. http://davepotterhonda.com.au/knby545
41. http://dedicateddevelopers.us/knby545
42. http://detrust888.com/knby545
43. http://discoveryourevent.com/knby545
44. http://dmg-properties.com/knby545
45. http://dolutesisat.com/knby545
46. http://dominatetheplate.com/knby545
47. http://easyfooty.com/knby545
48. http://ecolelavasa.edu.in/knby545
49. http://ecommercedevelopment.us/knby545
50. http://empirek9.com/knby545
51. http://empmon.com/knby545
52. http://entelligy.com/knby545
53. http://excellentiasacademy.org/knby545
54. http://fortuneprixgroup.com/knby545
55. http://fshr.al/knby545
56. http://gopa1.ru/knby545
57. http://inventionsteel.com/knby545
58. http://investps.com.au/knby545
59. http://jasonvergara.com/knby545
60. http://joomlaexpertdeveloper.com/knby545
61. http://jrgolfbuddy.com/knby545
62. http://keshamrit.com/knby545
63. http://liftaccessory.com/knby545
64. http://lmprojekte.de/knby545
65. http://maheshpunjabi.com/knby545
66. http://MedicalIsraelTourism.com/knby545
67. http://modelpayments.net/knby545
68. http://namemychild.cn/knby545
69. http://nbjzpx.com/knby545
70. http://newdawnexperience.com/knby545
71. http://nixvector.com/knby545
72. http://oakridge-realty.com/knby545
73. http://oualili.org/knby545
74. http://pandoracharm.ru/knby545
75. http://pattumalamatha.com/knby545
76. http://payserairan.com/knby545
77. http://p-g-a.org/knby545
78. http://prc.ub.ac.id/knby545
79. http://projectprocurement.com.au/knby545
80. http://pst-oil.com/knby545
81. http://radiantstars.org/knby545
82. http://reviewprimer.com/knby545
83. http://rkanswers.com/knby545
84. http://rktest.net/knby545
85. http://rndled.com/knby545
86. http://robekadevelopment.com/knby545
87. http://site4.pulusajans.com/knby545
88. http://socialcampaigns.co.in/knby545
89. http://swarbandh.com/knby545
90. http://tcmrecipe.com/knby545
91. http://thungchang.go.th/knby545
92. http://tradium.com.mx/knby545
93. http://trustcarts.com/knby545
94. http://turningpointdigital.com/knby545
95. http://uberrito.com/knby545
96. http://ukinhub.com/knby545
97. http://uscpl.net/knby545
98. http://uygoman.com/knby545
99. http://velociter.in/knby545
100. http://vibrantdeal.com/knby545
101. http://vintageprintable.com/knby545
102. http://visbymaklarna.se/knby545
103. http://winawoof.com/knby545
104. http://wordpress-developer.us/knby545
105. http://www.cameracontrol.com/knby545
106. http://www.designdepot.in/knby545
107. http://zarasresort.com/knby545
108. http://zist-konkur.ir/knby545
109.  
110. http://2picme.com/0h6br33
111. http://aacom.pl/0h6br33
112. http://aaryn.net/0h6br33
113. http://abela.fr/0h6br33
114. http://abogalalmotors.com/0h6br33
115. http://alestes.hu/0h6br33
116. http://alock.co/0h6br33
117. http://banhang123.com/0h6br33
118. http://billionsfamily.com/0h6br33
119. http://brookstonemanuals.com/0h6br33
120. http://clarkcomm.com-ext.com/0h6br33
121. http://eastoncorporatefinance.com/0h6br33
122. http://ebreckinteriors.com/0h6br33
123. http://fiddlefire.net/0h6br33
124. http://forexilla.ru/0h6br33
125. http://galebtopola.com/0h6br33
126. http://gallery.mohammadtarighi.ir/0h6br33
127. http://ilasd.org/0h6br33
128. http://inzt.net/0h6br33
129. http://ivibohoc.url.ph/0h6br33
130. http://kathymerrill.com/0h6br33
131. http://kirulya.com/0h6br33
132. http://knihovna-libeznice.hostuju.cz/0h6br33
133. http://kserwis.pl/0h6br33
134. http://kurou.bokunenjin.com/0h6br33
135. http://k-wu.com/0h6br33
136. http://lukepaige.com/0h6br33
137. http://masonlodgestpeter.org/0h6br33
138. http://medianisprint.com/0h6br33
139. http://mgascca.com/0h6br33
140. http://miki-bazar.cz/0h6br33
141. http://minis2.com/0h6br33
142. http://mprotectcorp.com/0h6br33
143. http://msveletiny.cz/0h6br33
144. http://nortra-cables.com/0h6br33
145. http://otteryak.de/0h6br33
146. http://pcflame.com.au/0h6br33
147. http://pta-babel.net/0h6br33
148. http://qe7.ca/0h6br33
149. http://rdsc-seminar.com/0h6br33
150. http://s393640255.onlinehome.us/0h6br33
151. http://s435378127.online-home.ca/0h6br33
152. http://s437702314.onlinehome.us/0h6br33
153. http://shomesofa.com/0h6br33
154. http://stoneofliberty.com/0h6br33
155. http://taladm.ru/0h6br33
156. http://thomas-christ.de/0h6br33
157. http://ulli-greve.de/0h6br33
158. http://v-english.com/0h6br33
159. http://vivvn.com/0h6br33
160. http://worldhost1.com/0h6br33
161. http://www.agence-eclectik.fr/0h6br33
162. http://www.dazzle-events.be/0h6br33
163. http://www.enhansit.com/0h6br33
164. http://www.lauraleedonnelly.com/0h6br33
165. http://www.mywoc.ca/0h6br33
166. http://www.ninthdistrict.org/0h6br33
167. http://www.servipisos.com.ar/0h6br33
168. http://www.sitivisibili.it/0h6br33
169. http://www.socialmediaplanner.com.au/0h6br33
170. http://www.thepasobueno.com/0h6br33
171. http://www.tourist-car.ru/0h6br33
172. http://yellowstudio.pl/0h6br33
173.  
174. UPDATE:
175. http://akida.com/0h6br33
176. http://archibaldmicrobrasserie.ca/0h6br33
177. http://calderon.com.mx/0h6br33
178. http://easylation.com/0h6br33
179. http://promgazenergo34.ru/0h6br33
180.  
181. Malware:
182. - encoded on download
183. SHA256 a9478cfd511672b5ad8c39212d848d8ff12fd2dd437c9c3b765da7604084b359, MD5 41eb243c2775c74519f1643c871ef161 [knby545]
184. SHA256 a6c2328b3807596f3199ec2db3e1463e13e979f75829ba73dd98a414493f9d3c, MD5 c951ecd088e3a043a0db6d60914adc14 [0h6br33]
185. - decoded
186. SHA256 fd33604dd1a4ccc3a3779b5769f5fbb58754a1f9152a72323ca6ebdc5d8d98b9, MD5 6534795c6f0ffb3835a1828abce36f88 [knby545]
187. SHA256 9ce472a78b91fd79c707c090cb6cf49a4b0a0df5e50d31409346528b2fb2db7a, MD5 d0d014659cb27cb67b83eef360d3c39f [0h6br33]
188. - executed by
189. "rundll32.exe %TEMP%\<dll_name>,get_value" [knby545]
190. "rundll32.exe %TEMP%\<dll_name>,set_value" [0h6br33]
191. - samples
192. https://www.virustotal.com/file/fd33604dd1a4ccc3a3779b5769f5fbb58754a1f9152a72323ca6ebdc5d8d98b9/analysis/1481672421/ [knby545]
193. https://www.virustotal.com/file/9ce472a78b91fd79c707c090cb6cf49a4b0a0df5e50d31409346528b2fb2db7a/analysis/1481672458/ [0h6br33]
194.  
195. C2:
196. POST http://176.121.14.95/checkupdate [knby545],[0h6br33]
197. POST http://185.117.72.105/checkupdate [knby545],[0h6br33]
198. POST http://193.124.185.187/checkupdate [0h6br33]