Racco42

Locky "FW: [Scan] 2016-08-13"

Aug 30th, 2016
2016-08-30 #locky email phishing campaign "FW: [Scan] 2016-08-13"

Email sample
- the sender address varies and is faked to be from the recipient's domain;
- the date in the email subject is the same, but the time varies;
- the message looks "forwarded" (hence the Original Message header)
---------------------------------------------------------------------------------------------------------
From: "Rodrick" <Rodrick888@[REDACTED]>
To: [REDACTED]
Subject: FW: [Scan] 2016-08-13 13:38:18


-----Original Message-----
From: "Rodrick" <Rodrick888@[REDACTED]>
Sent: 2016-08-13 13:38:18
To: [REDACTED]
Subject: [Scan] 2016-08-13 13:38:18


--
Sent with Genius Scan for iOS.
http://bit.ly/download-genius-scan
---------------------------------------------------------------------------------------------------------
Attachment: file "2016-08-30 [XX] [YY] [ZZ].zip" containing file "[random chars].hta", which contains a JScript downloader
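The email traits noted above (spoofed same-domain sender, the fixed "FW: [Scan] <date> <time>" subject, a dated .zip attachment) can be combined into a mail-gateway triage check. The following is an added example, not part of this paste; it assumes example.com in place of the redacted recipient domain and uses a constructed MIME message as input:

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject pattern used by this campaign: "FW: [Scan] YYYY-MM-DD HH:MM:SS"
SUBJECT_RE = re.compile(r"^FW: \[Scan\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Attachment name pattern: a dated .zip such as "2016-08-30 [XX] [YY] [ZZ].zip"
ATTACH_RE = re.compile(r"^\d{4}-\d{2}-\d{2} .*\.zip$", re.IGNORECASE)

# Constructed sample modelled on the headers above; example.com stands in for
# the redacted domain and the base64 payload is a dummy blob, not the real zip.
SAMPLE = """\
From: "Rodrick" <Rodrick888@example.com>
To: <someone@example.com>
Subject: FW: [Scan] 2016-08-13 13:38:18
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="2016-08-30 [XX] [YY] [ZZ].zip"
Content-Disposition: attachment; filename="2016-08-30 [XX] [YY] [ZZ].zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def locky_scan_indicators(raw_message):
    """Return the campaign traits present in one message, in a fixed order."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject-pattern")
    sender, recipient = _domain(msg.get("From")), _domain(msg.get("To"))
    if sender and sender == recipient:  # sender forged to look internal
        hits.append("spoofed-internal-sender")
    if any(ATTACH_RE.match(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("dated-zip-attachment")
    return hits

def is_suspicious(raw_message):
    """Flag only when two or more traits coincide, to keep false positives low."""
    return len(locky_scan_indicators(raw_message)) >= 2
```

A single trait (an internal sender alone is normal mail) does not trigger; the campaign messages hit all three.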

Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not affect the downloaded code):

Malware
- encoded during download, SHA256 7ee7af0eee7ecb8e025533677e51065944e44ec6666c10bb85f09671ef62debc, filesize 143360 bytes
- decoded SHA256 db74ae79244ee9c1db11c1d107a95d59258091c1239a318586a56e10b7a89571


C2:
95.85.19.195:80/data/info.php
188.127.249.32:80/data/info.php
(dutluhnnx.info) 69.195.129.70:80/data/info.php