2016-10-24 Locky "Complaint letter"

2016-10-24 #locky email campaign "Complaint letter"

Email sample:
--------------------------------------------------------------------------------------------------------
From: "Dee Compton" <Compton.85085@daankromhout.nl>
To: [REDACTED]
Subject: Complaint letter
Date: Mon, 24 Oct 2016 18:36:30 +0700

Dear [REDACTED],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Dee Compton

Attachment: saved_letter_a357efb85.zip
--------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Complaint letter"
- attached file "saved_letter_<random hexachar>.zip" contains file "saved letter <random hexachars>.js", a JScript downloader

Download sites:
http://alkanshop.com/zrwcx8om
http://bwocc.org/dkttu
http://circolorisveglio.com/dw2hheb
http://cz1321.com/zg4c4m
http://disneyrentalvillas.com/k2ars5j2
http://downtownlaoffice.com/ixmh1
http://duvalitatli.com/umx3btc1
http://executivegolfmanagement.com/qtzsegm6
http://firephonesex.com/bxuobuam
http://fjbszl.com/m4q1pmr5
http://fraildata.net/09rz1jcj
http://fraildata.net/4s1szk77
http://fraildata.net/9b8cba
http://getitsold.info/cndrdsu9
http://girlsoffire.com/d2k0b967
http://gruffcrimp.com/352gr0
http://gruffcrimp.com/5inrze
http://gruffcrimp.com/8vzak
http://gruffcrimp.com/bki56h
http://gunnisonkoa.com/d5cw6
http://gzxyz.net/zznej
http://hetaitop.com/pgq8e
http://iwebmediasavvy.com/eu7mq36w
http://jejui.com/j1ldsf
http://julianhand.com/hollu
http://jzmkj.net/y7tf2
http://kak-vernut-devushku.gq/rwlr9
http://kirijones.net/2b8fnrqm
http://kirijones.net/4v7574mp
http://kirijones.net/66wey
http://kirijones.net/a2r3pme
http://nightpeople.co.il/o8le7
http://onlysalz.com/xjo100
http://pblossom.com/t78u8
http://potchnoun.com/06p2vxua
http://potchnoun.com/38j2xn
http://potchnoun.com/8x2nt
http://privateclubmag.com/wyztr73
http://prodesc.net/x7nlxq
http://relentlesspt.com/faisexor
http://riyuegu.net/o69ecb
http://royallife.co.uk/mx5nck
http://ryanrandom.com/hwv97p8
http://sexybliss.co.uk/en8ds7nt
http://taiyuwanli.com/cpkd9
http://theleadershipdoc.com/wm1bv
http://turservice.xaker007.net/k92b92
http://ukdistributionservices.com/x1397
http://vowedbutea.net/2f1okfif
http://vowedbutea.net/5491o
http://vowedbutea.net/8jtnj8nt
http://vowedbutea.net/apupuyh3
http://xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
http://yourrealestateconnection.us/rlfh0

Malware:
- encoded on download, filesize 245252 or 245764 bytes
a054e9b14b835ac72a56a29e30302a2649dd2b96e759959a027fb28f4d7ffaf4  http___alkanshop.com_zrwcx8om
bb9e81c6b8705731facb3be2388ba05bbc67c4a83f114f1f5ca9e36d85aa9ddc  http___bwocc.org_dkttu
12d0e7389289f4015ecb918ec0623a99da9a51739deecaad2a55b1d934299ba3  http___cz1321.com_zg4c4m
c599fb61932cec2d0d2990edd8402577b2eaffa6745e3bda10d2ae3fdda2df7e  http___disneyrentalvillas.com_k2ars5j2
b2b11b1b23167dd954ddad37c6dae314046d97d7322a1ed3fd3a84bd7ad010ac  http___downtownlaoffice.com_ixmh1
00f4164db54c7217cb280e55dc4e0a13869d4ac64f45bf49b2d22c77855bdee2  http___DSWRITINGS.ORG_lnf7gv
cf5b9c42dd5f4448e3dbc09f2a34f9a9b6748aee96f880836b7281e60ff5b3ed  http___duvalitatli.com_umx3btc1
56ce78a9dc4301476fd1925f0322b9f8b280ea556f36f043a448cee9096eee83  http___executivegolfmanagement.com_qtzsegm6
0d906c1b7f539c59cc9312f1d5b738f0f720ecea31aa062477aa4729342e34fe  http___firephonesex.com_bxuobuam
41259d125edc83262a3ae3f2246b2bc8fbca8f1cd5373a47ad4f6ed5955abf80  http___fjbszl.com_m4q1pmr5
db5fe543f2bb5c918b7387e1c195cd997ea42ea73c0141d4d466318be97c47e0  http___fraildata.net_4s1szk77
10e8347dbe4306256fd61b9290ec19467ec27d3bed22ea957549d8c8be75a881  http___fraildata.net_9b8cba
525df47bd4c74a9d051e54d3ed1743ca458569436762d9d4716f9b7e0e307712  http___getitsold.info_cndrdsu9
487c4c8694db9ef343db09880f9e83e0f0149853e95e30f67459fab0fc2f075c  http___girlsoffire.com_d2k0b967
b747257991c54f45f8b3991f41129ba8dc75d6bed4f8ba4c3dea939bf94c383e  http___gruffcrimp.com_352gr0
4c6a459980bc452d7e02b7905d016370f2938afa2476d68d287356b706691d18  http___gruffcrimp.com_5inrze
8a3e47471e910a549a940ea3ada8ae9aa6c6f19efe600c90ddcea2bba1ad387c  http___gruffcrimp.com_8vzak
c7152ec26961d4d0bb50df84fba99910bfff871d1769faf75db5556f712df52f  http___gruffcrimp.com_bki56h
ac66d6280b39d44ed2de3ab669240c9926284d43362235bde466fe07a44a25dc  http___gzxyz.net_zznej
9d1b9d2f9a9a0553e124f2c7185e10e3dae0b6964f52a30f6bdabe524dc9b0f2  http___iwebmediasavvy.com_eu7mq36w
fc87ad4a6747627c5082f1ff78956fea359f7f18c9fc9af4f71a8b5a9df7ccb2  http___jejui.com_j1ldsf
dd6ed513f4b068a4fb90bdbcf4cad9cf5824ff5d887029c99944224ef88cfc7f  http___julianhand.com_hollu
3eacd4a7b50da3f2aae39aa5245d57007770a9756eec78204fade143ca6e3597  http___jzmkj.net_y7tf2
2ab3245c5cad4ef1fab99f9ab16c6b2a4c22535747d075e263ce1e6690e50902  http___kirijones.net_2b8fnrqm
4134142b74e130632b16d2f749f59a1f5fb8544e3274e39a0a09380c80b106e8  http___kirijones.net_4v7574mp
b061942a66e50aef735cdc2b2e8bf1c286294115c23a637acb20fb3f36d57cc9  http___kirijones.net_66wey
69b96c8f56c7658466178bd3ba23cffcddb617a4c73b2d163c6434b0b7243760  http___kirijones.net_a2r3pme
8ec1dbcc4de6359a34316421701ee8e4928149b7c456ec7d4d6c0840555566c4  http___nightpeople.co.il_o8le7
80671ce15c8e56de65a00f3d0acb542784f3582fafe4f45825b580c870579041  http___onlysalz.com_xjo100
ebf80eb505afaae587347b60a6fc2d85c2c069c2f2170d5ccf2f9d614d195f1a  http___potchnoun.com_06p2vxua
f40efe3e2ce445f0869903f0ea431941cfc88dabb9e38343b190f1a9831ef8f1  http___potchnoun.com_38j2xn
4ea48038d20a2c5e86d4249eb9efe34e7d3f8c041bd6c47cacf61e30cb2b3b28  http___potchnoun.com_8x2nt
905bcc85e927e37eeb7d66595690571f14c99b491950d642aa3a30c0cf91043d  http___privateclubmag.com_wyztr73
ed58142ee7b01792a2a00b4aee3bdd4ffa610123e4b8d78a439ff54873e3e7a8  http___relentlesspt.com_faisexor
52d283952e31cc96dfe4ddfc6a3ac28250a633a8434f1dc85159fad51e05eef2  http___riyuegu.net_o69ecb
7fcc341f2da76b49c5a8cab42f60b91670f4b49dd8a07eeee69d4f454d31999d  http___royallife.co.uk_mx5nck
677cf343e19f7bed6073f8975ca8ca1d872a55d9c8fa0e2cfb3c7d789157313d  http___ryanrandom.com_hwv97p8
90a848a19075606f8a16eef7d6e5d868b5f9e08f50f653f77d7026463391d637  http___sexybliss.co.uk_en8ds7nt
2fac93714259ec9d787ba3fe3074ed7aef5ea81aca8e1a9637bbc43373f1151b  http___turservice.xaker007.net_k92b92
0386a220dfd9c7986476a4c37d742f611646c98987f802630e23d8d59642c5f4  http___ukdistributionservices.com_x1397
ee40cb183997166a952fb334eeb175b7e256059f850952210bb5304585ba1557  http___vowedbutea.net_2f1okfif
6e7fd60591f7151b19127b54e48aa8d94419b2d8658f2f1fe41d2172a24c5ee1  http___vowedbutea.net_5491o
953bf4cca77fb877beff2597953202f7898f6c2d070314d1538c36e31758a66e  http___vowedbutea.net_8jtnj8nt
f8150304298dd4174c72fc53da85352a4d2f8b62f2bb375938878cd13fec8687  http___vowedbutea.net_apupuyh3
374cdd37ddf51c2c893c14a17fa23abfa90e0a85654ceef25dd1c9cc6c2c741a  http___yourrealestateconnection.us_rlfh0
- executed by "rundll32.exe %TEMP%\<dll_name>,EnhancedStoragePasswordConfig 147"
- samples
https://www.reverse.it/sample/c183a1cc8bea027427ecb7372d60e750bac83d78c922d85eed4c4d1aef940388?environmentId=100
https://www.reverse.it/sample/26a75a49db0bf2ef4587b0c6321945a45460d83bb8abb09a87c57bf278b78b0b?environmentId=100
https://www.reverse.it/sample/b69a6af6196f44b7c8c2574694efaf52687c42ec7030cfb09676e880828ade58?environmentId=100
https://www.reverse.it/sample/38c7b60acbcadca9985413977cb638692539ae92c2c8f1a121a6c51f62766843?environmentId=100
https://www.reverse.it/sample/ff714dbcd2e6e9e96af1e6920502af24896f466344d25478ec8fddaaf9456107?environmentId=100

C2:
- no C2 communication visible, offline variant