Racco42

2016-09-19 Locky "Express Parcel service"

Sep 19th, 2016
2016-09-19 #locky email phishing campaign "Express Parcel service"

Email:
--------------------------------------------------------------------------------------------------------------------
From: "Jana Wiley" <Wiley.08@wlink.com.np>
To: [REDACTED]
Subject: Express Parcel service
Date: Mon, 19 Sep 2016 14:01:14 +0545

Express Parcel service

Dear [REDACTED], we have sent your parcel by Express Parcel service

The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.

Thank you.

Attached: 7132878efa5.zip
--------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Express Parcel service"
- attached file <random hex chars>.zip contains two files: one zero-filled file with a one-char name that is just padding, and "Express Parcel service ~<hex chars>~.js", a JScript downloader

Download sites:
http://foveawaac.net/jdpoko
http://foveawaac.net/qq5dk
http://foveawaac.net/w2guf
http://foveawaac.net/wzwzjply
http://foveawaac.net/yjmaazj
http://merofid.com/pitggs52
http://merofid.com/rsyhqoz
http://merofid.com/w5tnnf6s
http://merofid.com/z3zeg
http://merofid.com/zn6mcj
http://roxieimshi.com/cpboa
http://roxieimshi.com/eppmn
http://roxieimshi.com/f10h5fzg
http://roxieimshi.com/w41x413
http://roxieimshi.com/y4lf1neg

Malware:
- downloads are multihosted, so there may be different malware on the same URL
- encoded on download, two file sizes: 158212 and 157700 bytes
0ad37173493cb19d7555579ef36946e9d2570787a8ffc6d968e3163b56753c8e http___foveawaac.net_jdpoko
c85db0d8a830a6cf81fda6b181e30020ea1325fcd5a343e910e49969c9ff706f http___foveawaac.net_qq5dk
23a60f563399d019b6ccbc1c4a49fc219125b71668be9753fe7ece0cff872777 http___foveawaac.net_w2guf
317eea26b8aaae32e217a166d13d8d174a89cc3cd08dc44a728972e71cc26f82 http___foveawaac.net_wzwzjply
7e965c614a4272736a47d764d978d5e3bf75a05197314f88c2e22b41f45b8078 http___foveawaac.net_yjmaazj
06b38e324d68a5146aa665d9809081e8f8bd49b92c48435cc20092c208f56940 http___merofid.com_pitggs52
20a104c9595dd4b7ed8d9d5be0be5fde0aafea81175da9501ec2fe79e0b2f1b5 http___merofid.com_rsyhqoz
fee19c7b2a23d16e8f0f856e23b32c72217c86ac69be7aa6f1ce79a146bdf887 http___merofid.com_w5tnnf6s
0d90de1e7ee1976d5d7080c4449fc0dc4696ce66dd0526e5557c3b045dbe8986 http___merofid.com_z3zeg
2117018de31d917cb04e3e034039cdfe67445fddfa776ca60214e8d7234151db http___merofid.com_zn6mcj
fab150d980e16f884cac3393752336244d2e1ef2ae497092b7c9ac850e260289 http___roxieimshi.com_cpboa
123e4cc8a869cdd942c599e32b95cc54c660cb461bad59abdf0348e69137ae80 http___roxieimshi.com_eppmn
9c2b06ba4d6253b1e3c4aefca7080e4748526122bce157999061eb605c756672 http___roxieimshi.com_f10h5fzg
871fee159aca96a1b8d9fb9a70b6e03f4f88904e1b04846448c08d07ad81e46d http___roxieimshi.com_w41x413
9f1b3bb4aee763c25a008f9e7b1393f1042209fdfe7c4a772257543cfa70232a http___roxieimshi.com_y4lf1neg
- decoded
46a50691c76a33b8b00359e86b8d1cabb0dd478452d4e612cba5465eb6f9ebd6
51ab5c028614b2d8109539e354c1aafddc555eace78e138f43a00926ab25393c
e6f76eb479856ff6c9b6757d23f0e5a43c2ec9c780ef54cc71d76ae0f05b173b
df36b88b7e056ea97633d29519d8a31438a907f55b2957dab2e2e7b08386d53d
68f39ff9ba2e2ef09ac63aa98770368b6c27d5977eb3a0ead939b0a7b6745c25
498811496cb62280f8eabe9fb345b2edc41d99886a4af319f2585fa8ebdc932b
69b51fb638a909b8711ad244efe8994f2951a4e32166051534730b43d5b70dbc
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"

https://www.reverse.it/sample/8ae9bfec3b67cd83ba0b9116de452001682b5ea353d60e1fa614678c8b5b2dca?environmentId=100
https://www.reverse.it/sample/b6ad1dba43ba6747e2f2c9002c8bd71b7cc739620622dca175a6626d7c7d1e53?environmentId=100
https://www.reverse.it/sample/43be4b89f50998b438d939d6d89e740b833b7c7c9b1e510e05b501498169b4a5?environmentId=100
https://www.reverse.it/sample/7f2cfe7f92c6ab46158b96165809e6e077c5e08bf5799f02bfddeafa4dac9676?environmentId=100
https://www.reverse.it/sample/2a96d3a5a7c198a6f999a0f925b4697c77bccf2f0cf7736df27d0c3ddcc7d5b5?environmentId=100
https://www.reverse.it/sample/33d4e8416db8e94d05ddc6a8d04c63297c77184359892275703804aa35ff35f6?environmentId=100
https://www.reverse.it/sample/df206c9eac9cef4a6cfba925bd2a379a95890aa523445af82bc04a16cdf94224?environmentId=100
https://www.reverse.it/sample/b8f601fbaca128e30fa04954f12bfba8ac113b22abd305c2a70e44e39e0013c1?environmentId=100
https://www.reverse.it/sample/32c9517e83f8bc30812bedeb08af09a246a3f71ba402b71be4e02ed476f58ff6?environmentId=100
https://www.reverse.it/sample/1184e3255d4ea750176326cdfb8d346ac25d97a4bf8a6ec189e5b0433f8e5e91?environmentId=100
https://www.reverse.it/sample/ea21284cf7dea76532109aed4b63dfba39125c239228aba30142d3e34c3fadee?environmentId=100
https://www.reverse.it/sample/2814b12a1a9ad6e0595e036539bc840eec83fa3e31949bed8db5c4c057c2548f?environmentId=100

C2:
195.64.154.202:80/data/info.php
46.38.52.225:80/data/info.php
ajsrbomqrrlra.pw:80/data/info.php [91.223.88.209]
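The indicators in this paste (download hosts, the two encoded payload sizes, the C2 path, the attachment naming and the rundll32 invocation) can be turned directly into detection logic. The script below is an added example, not part of Racco42's paste: it loads those indicators and runs them over a handful of constructed proxy-log lines, a constructed process command line and a constructed zip listing. The proxy-log column layout ("timestamp client method url status bytes"), the sample lines and the verdict tag names are assumptions made for this example; only the hosts, IPs, path, sizes and naming patterns come from the paste.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the paste: download hosts, C2 endpoints, encoded payload sizes.
DOWNLOAD_HOSTS = {"foveawaac.net", "merofid.com", "roxieimshi.com"}
C2_HOSTS = {"195.64.154.202", "46.38.52.225", "ajsrbomqrrlra.pw", "91.223.88.209"}
C2_PATH = "/data/info.php"
ENCODED_SIZES = {158212, 157700}

# Attachment naming from the paste: "Express Parcel service ~<hex chars>~.js"
JS_NAME_RE = re.compile(r"^Express Parcel service ~[0-9a-fA-F]+~\.js$", re.IGNORECASE)
# Execution from the paste: rundll32.exe %TEMP%\<dll_name>,qwerty 323
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,qwerty\s+323\b", re.IGNORECASE)

# Assumed proxy log layout (constructed for this example): "<ts> <client> <method> <url> <status> <bytes>"
PROXY_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})\s+(\d+)$")


def host_and_path(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'http://host[:port]/path' or 'host:port/path' into (host, path); port is dropped."""
    m = re.match(r"^(?:https?://)?([^/:]+)(?::\d+)?(/.*)?$", url)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2) or "/"


def classify_proxy_line(line: str) -> Optional[str]:
    """Return a verdict tag for one proxy-log line, or None if nothing in the paste matches."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return None
    url, status, size = m.group(4), int(m.group(5)), int(m.group(6))
    host, path = host_and_path(url)
    if host is None:
        return None
    if host in C2_HOSTS and path == C2_PATH:
        return "locky-c2-checkin"
    if host in DOWNLOAD_HOSTS:
        # A 200 with one of the two encoded sizes is the payload itself; anything else is a contact.
        if status == 200 and size in ENCODED_SIZES:
            return "locky-payload-download"
        return "locky-download-host-contact"
    return None


def scan_proxy_log(text: str) -> List[Tuple[int, str]]:
    """Run classify_proxy_line over every line; return (line_number, tag) for each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        tag = classify_proxy_line(line)
        if tag:
            hits.append((n, tag))
    return hits


def matches_rundll_execution(cmdline: str) -> bool:
    """True if a process command line matches the 'rundll32 <dll>,qwerty 323' pattern from the paste."""
    return RUNDLL_RE.search(cmdline) is not None


def is_suspicious_attachment(entry_names: List[str]) -> bool:
    """True if a zip listing matches the paste: exactly two entries, one campaign-named .js and one one-char padding file."""
    js_entries = [n for n in entry_names if JS_NAME_RE.match(n)]
    padding = [n for n in entry_names if len(n) == 1]
    return len(entry_names) == 2 and len(js_entries) == 1 and len(padding) == 1


# Constructed sample log (not real traffic): a payload fetch, a C2 check-in, benign browsing, a failed fetch.
SAMPLE_PROXY_LOG = """\
2016-09-19T08:32:11Z 10.0.0.15 GET http://foveawaac.net/jdpoko 200 158212
2016-09-19T08:32:40Z 10.0.0.15 POST http://195.64.154.202:80/data/info.php 200 512
2016-09-19T08:33:02Z 10.0.0.22 GET http://www.example.com/index.html 200 4096
2016-09-19T08:33:10Z 10.0.0.15 GET http://merofid.com/zn6mcj 404 310
"""

if __name__ == "__main__":
    for lineno, tag in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {tag}")
    # Constructed command line in the shape the paste describes (path and DLL name are placeholders).
    print(matches_rundll_execution(r"rundll32.exe C:\Users\u\AppData\Local\Temp\ab12.dll,qwerty 323"))
    print(is_suspicious_attachment(["a", "Express Parcel service ~7f3a9c~.js"]))
```

Host and IP matching is exact, so the script only catches the infrastructure listed in the paste; the rundll32 pattern and the attachment structure are the more durable signals, since the author notes that the sender varies and the download hosts are multihosted.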