2016-12-06 Locky "receipt"

1. 2016-12-06 #locky email phishing campaign "receipt"
2.  
3. Sample email:
4. -------------------------------------------------------------------------------------------------------
5. From: "Alexandra Brady" <Brady.Alexandra@muza4helen.ru>
6. To: [REDACTED]
7. Subject: receipt
8. Date: Tue, 06 Dec 2016 23:59:33 +0530
9.  
10. Dear [REDACTED],
11. It is Alexandra from the delivery service. Recently, you've made the order in our store.
12. Sending you the receipt and full report in the attached file.
13.  
14. Please inform me if you notice a mistake.
15.  
16. ---
17. Best Regards,
18. Alexandra Brady
19. Delivery Service
20.  
21. Attachment: receipt8218966.zip -> ~1OKDB661ZR32716YU6UA8V.js
22. -------------------------------------------------------------------------------------------------------
23. - sender varies between emails
24. - subject is "receipt"
25. - attached file "receipt<7 digits>.zip" contain file "~<20+ uppercase chars and digits>.js" a JScript downloader
26.  
27. Download sites:
28. http://4djsbydjs.com/ffi5tpbui
29. http://artsonimage.com/b7d2pn
30. http://be-liveinu.com/gcc4vi0jyb
31. http://benefeet.org/a4ztilxpex
32. http://bjarnum.eu/pjj42gl
33. http://brei.com.br/kyi5l
34. http://cementossj.cl/qrgmkmi
35. http://childrenshouse.co.za/1v0lblf
36. http://chocogaterie.eu/lijxve8
37. http://col-lab.com/m1p73uqdeb
38. http://cr-inos.com/lzwiz3d
39. http://diariolatitud35.com.ar/edkij4anq
40. http://elizabethwright.co.uk/ode8hifc
41. http://fonteaulente.com/q5vpvcz
42. http://galeriamultiarte.com.br/osn2bj
43. http://gaozhao-edu.com/jdspeeimvz
44. http://gocatering.se/ctrshwvx
45. http://hotelmira.ru/on2gh
46. http://hotpeppertrading.com/iuuhioli
47. http://jachin.co.kr/n48wu8a
48. http://koresh.co.il/9uoctzb2vo
49. http://mirageaudiovisual.com/jflp9dkxsg
50. http://naama-yeshayahu.com/twibpn8don
51. http://nechtyela.sk/k7ras
52. http://nekkel.pl/0apru
53. http://nsecoaching.ca/cd62kg4btm
54. http://nyxiaoyuan.com/uig0dyc7m
55. http://one1club.com/8iqrtn
56. http://pregnancysquare.com/wk97j
57. http://quentinconstruction.com/jcmprfrr
58. http://rabussa.wz.cz/x08gte
59. http://radom.nl/zdknyeq0du
60. http://rampas.ch/xc2clj
61. http://realearthproperties.in/surhnrm6xv
62. http://redecamponesa.com.br/bovofik
63. http://renklerle.com/vycrub
64. http://restauranteelveintiseis.com/antpme
65. http://rhyzrin.com/ysacclh
66. http://roome.co.il/uc3bhhxwoa
67. http://rosispitaniya.com/x07nn
68. http://sieuthicuadep.com/jwqwt
69. http://specimengear.dk/2armwx
70. http://thedivafiles.com/29gce0ube
71. http://trehoada.org/rakk97
72. http://uriauerbach.com/l87aw
73. http://welte.pl/czdpf6
74. http://www.beautybydesignonline.com/prsvu
75. http://www.clap4ya.com/1eodzfvkg
76. http://www.cvshopfactory.com/da9p4ja
77. http://www.dahuahdcvi.com/4yjo2ewbam
78. http://www.globalem.asia/gsup38l5
79. http://www.gostaythere.com/7oemd
80. http://www.izmirtente.info/itccwdk
81. http://www.secretblog.de/j3m3iyomrh
82. http://www.seecomedia.com/qem1cmp
83. http://www.smartkutu.com/eijjjici62
84. http://www.tacfitacademy.com/i46phb
85. http://www.tvblanket.com/baxullbrx
86. http://www.veinteproducciones.com.ar/mcren
87. http://xn--80adixsmm7f.net/9c8cqg55x
88.  
89. Malware:
90. - encoded on download
91. 33c17b64e30e0a2438a1ae26fb1ea1665e33dfd5758a064f98302bc6bee7b16f http___4djsbydjs.com_ffi5tpbui
92. 403541bfbb4a2ac1f37c10bc0eb7d322b6ee1565d6ccc64c2dafdddb9dd10577 http___artsonimage.com_b7d2pn
93. 47a7d09614f522e9fb7d8923edeced5c44ad68ce1ffdad55d5956229b44ab2b5 http___be-liveinu.com_gcc4vi0jyb
94. 577a7897bac5607038de138075d47bf9b2727686a872446625ab6728441eaac1 http___benefeet.org_a4ztilxpex
95. 055fc1a739311c35b97426b46b0c45d6ba1425c93bbf229aca748eb400440bc2 http___bjarnum.eu_pjj42gl
96. 6c24d9453395921047c50356d8b0fdd484a8fdf4ada7b7560731882d7eebd57e http___brei.com.br_kyi5l
97. 6983909d12324a890091515e043fa451ab9ccee6c11606e9771f225db78160f2 http___cementossj.cl_qrgmkmi
98. 1815ce50dc83b50489f9fe1ebbb00f38015d87f55b809120528486894fbc39d4 http___childrenshouse.co.za_1v0lblf
99. 3cf890c743965b2453f5cab539313841ce54e969ab2dac551536f52c3dc98880 http___chocogaterie.eu_lijxve8
100. 2fbfc5e049d4f707fdc6d7b9ceb6359d6786871300a662016469e61036ccfd92 http___col-lab.com_m1p73uqdeb
101. f3d27d7285e1a0b03edaa6bebea98418357eae02e55a9f8b0f9ceeaca81908a0 http___cr-inos.com_lzwiz3d
102. f9757873a9d78ec0e0fb6b34bee4e66da236e5753f676dfac4fabff98bfa1357 http___diariolatitud35.com.ar_edkij4anq
103. b25d559acd45c81374ed68110df0530afc907c283219ec4acad753441173df71 http___elizabethwright.co.uk_ode8hifc
104. d591a17a5b33b033d8248993b66f3d1088eb4a50642b0d8330b6fa052e2a47b8 http___galeriamultiarte.com.br_osn2bj
105. c2b9130a2bf40a064a4a5e0dd89be945653228616935bba2367b880fa04dce05 http___gocatering.se_ctrshwvx
106. b8f1fcb615a652c81930ff004ff1f0b3ff089c43739ba62929093b8253811b23 http___hotelmira.ru_on2gh
107. 4720b06d0371ad8cd9e8b4490a33ac759f0d2f11482e157eedbba9a891b42e4c http___hotpeppertrading.com_iuuhioli [3]
108. f91c5e5132c78c7f9404d967504ce1f2f8a4baa131ed825d42f1d3e7165676ad http___jachin.co.kr_n48wu8a
109. 49c33c5d094d4b16b65e7c77a837469e9f1132327e3973b13253781d7ed3828d http___koresh.co.il_9uoctzb2vo
110. 26af455d8479f0b06eb39dcaba8f2531f9dcfbca36976eb393d599c26b772fe7 http___mirageaudiovisual.com_jflp9dkxsg
111. a76edd607dc3d9e56728831d6f8e4e9e49568c9a78267f6299496b3c293df37d http___naama-yeshayahu.com_twibpn8don
112. 36291fe4f899c6e2680f02f835a1b46c529619d870a89dc85cc244e93c27c58e http___nechtyela.sk_k7ras
113. 63d78d6b8495494bec0b11431aa1404fd0bef51d70da585cec67204b74412e72 http___nekkel.pl_0apru
114. 787b1c3ef91a7122c7d941b863c7890e52b86390e110fa4a73a58d0c4e7c208e http___nsecoaching.ca_cd62kg4btm
115. 937a28ae89e950fdbcf3ecd97c7db6bb8138ead04b0ba9b0fdf3af6942601502 http___nyxiaoyuan.com_uig0dyc7m
116. 5a01238b1ccbe6da39cbdea14a50e3f4ccd96bc786ededd52f681c4bf37f54ee http___one1club.com_8iqrtn
117. 613783b4d6d2ae0fcdda1e1bd6c83ae1c0483049a7a3e1a609840a01372f4bdc http___pregnancysquare.com_wk97j
118. 50e25b3bec47f265fbbe938b9385f168d57e2f12c1a0a94475a70bcfc1ecea7b http___quentinconstruction.com_jcmprfrr
119. c53ef809dd4ea7b392300381ebba2de1604b502bf881b5d13108b86dc863aa51 http___rabussa.wz.cz_x08gte [4]
120. a6cc5def802326d2ed167e3878b7ad22c6efada11c2760590dd1cfc0fc822696 http___radom.nl_zdknyeq0du
121. c0017136bfd4d167e1941b0ce8d1f79e425503a1be02f586a4be8cd641e0d54c http___rampas.ch_xc2clj
122. 18e4405aa556615b698e011fcb62a0103afee0168cac3989b516053b4e5dcb6d http___realearthproperties.in_surhnrm6xv
123. b245db730bfb465bbcf774d93025d9f734cf2494724a545f3b7d3d2cb8632acd http___redecamponesa.com.br_bovofik
124. f57e7b185faf3f0d9076eba900940adeaede73249333944b65592051e88da916 http___renklerle.com_vycrub [1]
125. 281c0aedd1931ac8bee0d3f06da45b2a2353e15ea41364ab6411f79e1c766291 http___restauranteelveintiseis.com_antpme
126. e99994d395fb50c3003a9cd98dc28a91a0a9cee78047916f3a55101f2a693726 http___rhyzrin.com_ysacclh
127. e5f26ea9001b03a22bfb419eae764c292d8035bc9336763386047c2ce5bf7606 http___rosispitaniya.com_x07nn
128. 920c5083fb7944d91f17af58ca79f3bee82169b77f3a21b2f02ef829f74c192a http___sieuthicuadep.com_jwqwt
129. 72c22c2f518eae6f6a73cfdfc2f1dfe46a3f0bc203623f1160036ea4aef521c9 http___thedivafiles.com_29gce0ube
130. 9c9b06226428624ff69cf557798d06d03b677971295eec496752712707ebf089 http___trehoada.org_rakk97 [2]
131. 4e134c0f19d8fcc05d15b4d2721d930c184933af0d79fa24c93d86ac1638d8e2 http___uriauerbach.com_l87aw
132. c41a261d52b4c8bd66d76878685a8fcf48d3a5abd0b7b2fbd956927992186438 http___welte.pl_czdpf6
133. 5ea0eb7264d604040b7ab94ee72b28eae5bdc7714c4f59a59a991ad4fc822929 http___www.clap4ya.com_1eodzfvkg
134. a285d71fccc015d070b0281678e12830f5ad461992c8aea9ae8aa21a70573340 http___www.cvshopfactory.com_da9p4ja
135. 40b06fa9dfdc64fe521cda72eff5e254fb14b6f536eb4aebb0c8d31a06c5fd80 http___www.dahuahdcvi.com_4yjo2ewbam
136. 07d77e8a898919c2086530ecc8b1f3901bb37b04a614ef183c0c73302601ee1a http___www.globalem.asia_gsup38l5
137. 256bc85eefecd50de4932fc9d7481f32e46a585dc0d5a4c2b861966620f0fd52 http___www.gostaythere.com_7oemd
138. 99397be74c9c24d19442d0e69d09a1427c2f2d0ffb055427605f667fad3ac6e6 http___www.izmirtente.info_itccwdk
139. 561e12f86be53ce1624bfab1917d8fa5de6b31a35810497e1eb09549faa7b900 http___www.secretblog.de_j3m3iyomrh
140. 0d3c970fe679042d3cdf5706964e0492ced900d8c446cb75644befcd1e03f2b0 http___www.seecomedia.com_qem1cmp
141. c14c54b6eafef7cd7920756b28058017482c7982dd4ed381af0133fa86938846 http___www.smartkutu.com_eijjjici62
142. 3f9f69973d8f46682ae985f2aa470828f03c38999f1dbb1a7132d5811fc8aa70 http___www.tacfitacademy.com_i46phb
143. 17d903fd51a982c556b9074c67579f85d43f3ce07ab0cc3cbfa6f201ca17e519 http___www.tvblanket.com_baxullbrx
144. 70b4965933aef25335687f674bd5cea911e58d7cb62bb94361cb123c27badd82 http___www.veinteproducciones.com.ar_mcren [5]
145. - decoded
146. 9bb9443c8ba53c8258c5da3f15eac0b99e7f7eafa48d39b7418b04e3902fbcc0 [1]
147. f5aeefb3f564d9f47ae1fce39f72a7bc7108d293e4367a7cf38658c28937f34b [2]
148. fc2df5f9b2d33bb2156adbf1d881e369575adbfc993750732571cbd65c7d5396 [3]
149. 0b2bc6c2391d80228318dee837266204d638c62eb982cde7ed6af92519ecabc9 [4]
150. 67aedf0ef9af87d3f543b0d4eb4e1da9367ac6760c10239e793830d13df86bdc [5]
151. - executed by "rundll32.exe %TEMP%\<filename>.ZK,JAMPK8tM4Gv"
152. - samples
153. https://www.virustotal.com/file/9bb9443c8ba53c8258c5da3f15eac0b99e7f7eafa48d39b7418b04e3902fbcc0/analysis/1481100689/ [1]
154. https://www.virustotal.com/file/f5aeefb3f564d9f47ae1fce39f72a7bc7108d293e4367a7cf38658c28937f34b/analysis/1481100697/ [2]
155. https://www.virustotal.com/file/fc2df5f9b2d33bb2156adbf1d881e369575adbfc993750732571cbd65c7d5396/analysis/1481100703/ [3]
156. https://www.virustotal.com/file/0b2bc6c2391d80228318dee837266204d638c62eb982cde7ed6af92519ecabc9/analysis/1481100710/ [4]
157. https://www.virustotal.com/file/67aedf0ef9af87d3f543b0d4eb4e1da9367ac6760c10239e793830d13df86bdc/analysis/1481100715/ [5]
158.  
159. C2:
160. POST http://176.112.219.101/checkupdate
161. POST http://194.67.215.228/checkupdate
162. POST http://85.143.213.71/checkupdate
163. POST http://91.203.5.176/checkupdate