2016-09-22 Locky "Delivery #D-xxxxxxx"

1. 2016-09-22 #locky email phishing campaign "Delivery #D-xxxxxxx"
2.  
3. Email:
4. ---------------------------------------------------------------------------------------------------------
5. From: "Tina Burke" <Burke.63839@aaacoaching.com>
6. To: [REDACTED]
7. Subject: Delivery #D-8637942
8. Date: Thu, 22 Sep 2016 14:52:15 -0300
9.  
10. Dear [REDACTED], thank you very much for your order!
11.  
12. Total amount of $768.75 was charged for your order #D-8637942.
13.  
14. All the details are in the attachment. Delivery will arrive at 15:00 coming Monday.
15.  
16. Attachment: eaf8ab5b0307.zip
17. ---------------------------------------------------------------------------------------------------------
18. - sender varies between emails
19. - subject is "Delivery #D-<7 numbers>"
20. - attached file "<random hexa chars>.zip" contains two files, one-letter-name junk file and "delivery details scan <random hexa>.js", a JScript downloader
21.  
22. Download sites:
23. http://abdrent.com/jg35c
24. http://allbabyadvice-blog.com/u6hugrq
25. http://americanjuniorgolfschool.com/45cl97uw
26. http://aquobodge.com/06ndxl3
27. http://aquobodge.com/37kc9
28. http://artoccasions.com/e18ls
29. http://aurylmorga.net/1jtjyz7q
30. http://aurylmorga.net/4499sf
31. http://bernardchandran.com/yt77q
32. http://bircanogankul.com/dukfz
33. http://bobneal.net/y7ynfwc
34. http://bushidotactical.com/wojj7u1
35. http://clempurry.net/2v9r9d
36. http://clempurry.net/5du88
37. http://couplestherapyexercises.com/qdjdm0o
38. http://cyber-minipc.com/h8avxk
39. http://drsearscoach.com/aa2iae
40. http://hellolanguage.com/yk4qht82
41. http://holidayhops.com/b87nop
42. http://hotelcelnice.cz/vqjvduh
43. http://hullpotterypriceguide.com/ifs2v4
44. http://ipda.com.ua/37kc9
45. http://kwmassage.com/b8cjbk
46. http://lesiyteco.com/1774s4
47. http://lesiyteco.com/3fgggff
48. http://onmunrebut.com/24hydk
49. http://onmunrebut.com/45cl97uw
50. http://ooomaksim.ru/y431px
51. http://signumtte.net/dkt4ln7
52. http://sjunne.net/rzxh3
53. http://sorrentovalleypainrelief.com/1774s4
54. http://spkenig.ru/pyvr2io
55. http://sportbkk.com/ifqia
56. http://studioitaliacostruzioni.com/4499sf
57. http://svityaz.net/utf8yn
58. http://taladcaraudio.com/shl9lzvq
59. http://tgr161.ru/h6mr0
60. http://thcr.com/y2cfph
61. http://thealchemyofjoy.com/ukfxxr4e
62. http://theweekwines.com/yo1c40
63. http://thisedu.com/t87wg07
64. http://tuberro.com/f4gw67u
65. http://u-flats.com/rfscc
66. http://uv-print.ru/vmxdzp
67. http://version-restaurant.com/80zivvz1
68. http://zgqz11315.com/rt7vl
69.  
70. Malware:
71. - encoded on download
72. ea723dfb99951fef1a5bd2c1d6a289b592c50a36deb58a5b4dc9bf6bf7291430 http___americanjuniorgolfschool.com_45cl97uw
73. 060a0df4ec4e9e077f6ce76b39f63d7b6eb7863c110d31bd2e8ce9113800469d http___aquobodge.com_06ndxl3 [2]
74. 2daf243d83d780455f534721111c9cb182fd677c3d40c3efd446274695ad8f89 http___aquobodge.com_37kc9
75. b04d1ce71b89860e4e294f5733c9a081273e7ee6d5f6781c08988b901e5791d2 http___artoccasions.com_e18ls
76. 72ba0618cccfcd472d75a28947d9d27e71467104246784de1e5e415ae7c021ab http___aurylmorga.net_1jtjyz7q [1]
77. 945ab9a83ca05e15c13b8e5fe5af431254eae781c0f9fe7c86946bdecef1fa01 http___aurylmorga.net_4499sf
78. 087c396b894059121821486a435366db2a1aeba0af4445085bf056ca0d6ba4fa http___bernardchandran.com_yt77q [4]
79. 48b2bfe2afd35c5163f31549cef446ca3b9d75ede4d0f4b96e66368cfc747b4d http___bircanogankul.com_dukfz
80. 1ab477d39013955da038cede09045b146a4c2725ea84df349131d3ba0c554d4b http___bushidotactical.com_wojj7u1
81. d3f2ad5889c49643f3e9469aa332df49c8a9dc4f0b1d3b83bda647d3536991dc http___clempurry.net_2v9r9dc [3]
82. fe46ddc0213ce62cc49c96a5a92b2552a93c350dc39c0d7d381e8e6c2c390f50 http___clempurry.net_5du88 [5]
83. 15eeb68bb190ec3b752fd83748f79c689042619617d02cab401e5167a8bf9f5a http___cyber-minipc.com_h8avxk
84. a6c308be741852fd87fba87d5cc8f7c05a0b1b1f851697c089f03b66851c0efc http___hellolanguage.com_yk4qht82
85. 6b68b07c3bafe4e7883031e6eeeadc13bc2d053f275fdca1eccf3084d781568b http___holidayhops.com_b87nop
86. 28a5f00f18d91298039918e3ed1d78e9892268b402f38ebd0e73d2bc5903e62e http___hotelcelnice.cz_vqjvduh
87. 2cafc25f385bef78aa3675e5468758b4f1e46cabc0ae6da4680b607ab317491b http___hullpotterypriceguide.com_ifs2v4
88. 2daf243d83d780455f534721111c9cb182fd677c3d40c3efd446274695ad8f89 http___ipda.com.ua_37kc9
89. 05fc882b3411ee69f66dcf8a4a51e5712bc6dcab79bdc279705e7e10dffc6f22 http___kwmassage.com_b8cjbk
90. a2fcb13fcd56ff76b410d0ef46b17dbc9d5cfd217178e872dd0a0141e0c7e57f http___lesiyteco.com_1774s4
91. 9d01484fc8692a8173e800f3c7eb14752076266b8b7700fb760682cc4b8e41ac http___lesiyteco.com_3fgggff
92. 1fb9f339b6cb21473d5a87889b5f145902315e16307bd38ec5ce624104b3fc2b http___onmunrebut.com_24hydk
93. ea723dfb99951fef1a5bd2c1d6a289b592c50a36deb58a5b4dc9bf6bf7291430 http___onmunrebut.com_45cl97uw
94. 4f81cf405f7be12865c482fc5a9be3a88f0bb959a677437583db1d6fa368e8fc http___ooomaksim.ru_y431px
95. 218213f3b110e8dbdba03a08675614f91514538e55bb2f1dfbfba9709363ef32 http___signumtte.net_dkt4ln7
96. 1436ce7bd45f0cfa9957b341576acffa201dbcc1285bfcd9f25a840ff219a3ff http___sjunne.net_rzxh3
97. a2fcb13fcd56ff76b410d0ef46b17dbc9d5cfd217178e872dd0a0141e0c7e57f http___sorrentovalleypainrelief.com_1774s4
98. 6214591eb1ae8f6f4831d90adf8a0d71689778218b36b14778bab51989b7f602 http___spkenig.ru_pyvr2io
99. 6c158e3be12d56f649c4e2d64c35d7edf26d432d66cb67c565bc8d820a781822 http___sportbkk.com_ifqia
100. 70fdbb271be5ab134d5521162d6752f3d775fb5bff346799408e3d1e7563c71e http___svityaz.net_utf8yn
101. 1a4ab9bca62f2bbf32135bdbacaa87a9258adc477aa591a637db355b7f55855e http___taladcaraudio.com_shl9lzvq
102. dbd5aea98fb14995d2505255b1c43c9fa3a53542b85cc1b0358e1d208a96ccac http___tgr161.ru_h6mr0
103. 7ebeee77f3bd790f32c9187dce52f1fa60d7bf579b13d1e133fec11f9984cbe8 http___thcr.com_y2cfph
104. 011b5c5d14e9b2bc15875256bfb5d711d228ebc82fc388ba41697dee5db82e81 http___thealchemyofjoy.com_ukfxxr4e
105. e6c8928885d7b28f76af110a3f65d2c816887bfd14eed32c90c3a10a5a6d5c78 http___theweekwines.com_yo1c40
106. cdd87561a16cc3fa42a09d0dcfa7c02976f3afa36dd73296d3627dfd2b1e611d http___thisedu.com_t87wg07
107. 760f250424eec0ef45fe8a7a0fc1ff276a150b01efc09d4463c68a1f515ac18e http___u-flats.com_rfscc
108. 993cb96076fad2f4465e864ef7405be6877eaed1950cf8e33ebf49cc524e1cb4 http___uv-print.ru_vmxdzp
109. b9c846b3b99d8fc10038ddb9fb9b539c4b7d23e60d6e7dc38290487b163fd0e3 http___version-restaurant.com_80zivvz1
110. 45ab4780772b34ff609cc39abbbfac366ec5e0fc3d901eb1ecc8f81cd20224f5 http___zgqz11315.com_rt7vl
111. - decoded
112. 4199faf58975dcb1416edf073db54682b42a52bc0de21f761d68b20b6628a4c7 [1]
113. 39af06ae5bf746caea0fdfaf7b7009323029146a2cf5541cbdc9cc946b0d67ed [2]
114. 9efed491c46abd9d3a0a2ba9ff29f6fdc717233b4e09cfa9089267795f3ead6d [3]
115. a0be3e12ad794a7949d44b71d6025588873737b68d80778f2e5f191484a6413f [4]
116. c618dfa8f9e819b943450546b85621a4036f419db53f23c0a026242b17f81881 [5]
117. - executed by "rundll32.exe %TEMP%\<ddl_name>,qwerty 323"
118. - samples
119. https://www.reverse.it/sample/908ac1eeade10f9df494b890ff066539b5f892ea752278839da0c0b0bf540945?environmentId=100
120. https://www.reverse.it/sample/89943599c8193015b87201112e29d816856885b90573adc6058111ac395c5c2c?environmentId=100
121. https://www.reverse.it/sample/ef6e6bf2688d0c7ad97f98de4629f84eaf57d2864eb6493403247c2c6ab7f210?environmentId=100
122. https://www.reverse.it/sample/d4febb21e207652bbd26aa9deb9ffffdfbfdde1e361cd7cdd772db43c6558b02?environmentId=100
123. https://www.reverse.it/sample/db16f930bc80845a23f1abf9b9122bd1de20e9239d94231aa4c3a21507021527?environmentId=100
124. https://www.reverse.it/sample/3df89e9b85ce1d95fee1380f12455cb2a598f3f0e8c5493e444dc7e3f24899fd?environmentId=100
125.  
126. C2:
127. 51.254.108.40:80/data/info.php
128. 94.242.57.152:80/data/info.php
129. tswsgajtwhqkosd.su/data/info.php [91.239.235.130]
130. wnrgttsfmhfmmoqxm.biz/data/info.php [69.195.129.70]
131. jfmiondv.xyz/data/info.php [91.239.235.130]