2016-12-19 Locky "Tracking Sheet"

1. 2016-12-19: #locky email phishing campaign "Tracking Sheet"
2.  
3. Email sample:
4. -----------------------------------------------------------------------------------------------------------------------
5. From: "luisa wallinger" <luisa.wallinger@overheadthealbatross.com>
6. To: [REDACTED]
7. Subject: Tracking Sheet
8. Date: Tue, 20 Dec 2016 05:37:07 +0700
9.  
10. Dear all
11.  
12. please find attached sheet
13.  
14. Thanks
15.  
16. Attachment: Sheet 20-12-2016-9254.zip -> 24905681401.jse
17. -----------------------------------------------------------------------------------------------------------------------
18. - sender varies between emails
19. - subject is "Tracking Sheet"
20. - attached file "Sheet 20-12-2016-<4-6 digits>.zip" contains file "<11-12 digits>.jse", a JScript downloader (downloader is not encrypted as .jse would suggest, just plain .js)
21.  
22. Download sites (actual URL contains suffix ?<random>=<random> which does not influence download):
23. http://alavatotal.com/byt4g3
24. http://autonoom.org/byt4g3
25. http://boyni.ru/byt4g3
26. http://bummeln-um-die-welt.de/byt4g3
27. http://canbal.net/byt4g3
28. http://chmedonline.com/byt4g3
29. http://conor.com.mx/byt4g3
30. http://designerdogwear.com/byt4g3
31. http://digital1.50webs.com/byt4g3
32. http://drareum.com/byt4g3
33. http://dream-road.jp/byt4g3
34. http://drzalai.hu/byt4g3
35. http://elfrasha.com/byt4g3
36. http://followme.si/byt4g3
37. http://forhealthatividadesfisicas.com/byt4g3
38. http://hanavanpools.com/byt4g3
39. http://hiveapps.co/byt4g3
40. http://jira.fastfine.ru/byt4g3
41. http://lib.yoll.net/byt4g3
42. http://lombardimobili.it/byt4g3
43. http://www.celoinvest.eu/byt4g3
44. http://www.galerie-idees.fr/byt4g3
45. http://www.garrox.com/byt4g3
46. http://www.heartofchina.org/byt4g3
47.  
48. UPDATED:
49. http://apocrif.ru/byt4g3
50. http://cltserve.org/byt4g3
51. http://cosita.awardspace.info/byt4g3
52. http://crownfinancialsolutions.org/byt4g3
53. http://culturepick.com/byt4g3
54. http://cusushi.com/byt4g3
55. http://dobrinin.ru/byt4g3
56. http://dspace.us/byt4g3
57. http://ecocredowoning.nl/byt4g3
58. http://furniturlab.com/byt4g3
59. http://galaxy-cosmetics.com/byt4g3
60. http://gozovipsite.50webs.com/byt4g3
61. http://hansfilz.de/byt4g3
62. http://hennesseywelding.com/byt4g3
63. http://www.dvdpostal.net/byt4g3
64. http://www.falconriver.com/byt4g3
65.  
66. UPDATED:
67. http://acp-dom.ru/byt4g3
68. http://buzzardsroost.com/byt4g3
69. http://bybeephoto.com/byt4g3
70. http://cdsp.pl/byt4g3
71. http://cherry-pik.com/byt4g3
72. http://chinepromotions.com/byt4g3
73. http://chmk.ca/byt4g3
74. http://dechihuahuas.be/byt4g3
75. http://deltaclub.org/byt4g3
76. http://demail.eu/byt4g3
77. http://directprotectsolutions.co.uk/byt4g3
78. http://ellsley.com/byt4g3
79. http://faithfull.kdm.pl/byt4g3
80. http://gerkar.pl/byt4g3
81. http://hongikmediaplus.com/byt4g3
82. http://hootys.biz/byt4g3
83. http://htocvt.org/byt4g3
84. http://nui.tokyo/byt4g3
85. http://rosenblut4u.de/byt4g3
86. http://shema.org.ua/byt4g3
87. http://www.bewustbv.nl/byt4g3
88. http://www.cryoniq.com/byt4g3
89.  
90. Malware:
91. - encoded on download SHA256 8a328f1550262db73c43be692e1a73ff06110dbaa39dbd90d95969c26cfa42ae, MD5 3fa1c27cbfda98a0ffb4171c3d25e40e
92. - decoded SHA256 893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be, MD5 599713d3b9ad1607bd70f227e204fc84
93. - executed by "rundll32.exe %TEMP%\<dll_name>.dll,novo"
94. - sample https://www.virustotal.com/file/893fb7f67a397efcea2235dfd3ecc5d6b90fd6b151186e1440ee228b7dd6c7be/analysis/1482188508/
95.  
96. C2:
97. POST http://176.121.14.95/checkupdate
98. POST http://188.127.239.48/checkupdate
99. POST http://193.201.225.124/checkupdate
100. POST http://91.203.5.144/checkupdate
101. POST http://91.223.180.3/checkupdate