2016-12-19 Locky "Payslip for the month Dec 2016"

1. 2016-12-19: #locky email phishing campaign "Payslip for the month Dec 2016"
2.  
3. Sample email:
4. ------------------------------------------------------------------------------------------------------------------
5. From: RUTHIE TORDOFF <ruthie.tordoff@damienelsing.com>
6. To: [REDACTED]
7. Subject: Payslip for the month Dec 2016.
8. Date: Mon, 19 Dec 2016 16:43:51 +0500
9.  
10. Dear customer,
11.  
12. We are sending your payslip for the month Dec 2016 as an attachment with this mail.
13. Note: This is an auto-generated mail. Please do not reply.
14.  
15. Attachment: Payslip_Dec_2016_7705596.doc
16. ------------------------------------------------------------------------------------------------------------------
17. - sender varies between emails
18. - subject is "Payslip for the month Dec 2016."
19. - attached file "Payslip_Dec_2016_<5-8 digits>.doc" is a Microsoft Word 2007+ file with macro that will download malware
20.  
21. Download sites:
22. http://023pc.cn/8hrnv3
23. http://abatjour.be/8hrnv3
24. http://adygkomnac.ru/8hrnv3
25. http://aguamineralsantacruz.com.br/8hrnv3
26. http://airportrentacar.ro/8hrnv3
27. http://alimobiles.com.ua/8hrnv3
28. http://allard-g.be/8hrnv3
29. http://almrausch.tv/8hrnv3
30. http://archindonesia.com/8hrnv3
31. http://as-kanal-rohrreinigung.de/8hrnv3
32. http://aspecta-aso.net/8hrnv3
33. http://audehd.com/8hrnv3
34. http://audreyetsteve.fr/8hrnv3
35. http://axmetrix.com/8hrnv3
36. http://bastacycling.com/8hrnv3
37. http://baugildealtmark.de/8hrnv3
38. http://belgarion.eu/8hrnv3
39. http://berstetaler.de/8hrnv3
40. http://birdhausdesign.com/8hrnv3
41. http://blackseo.ir/8hrnv3
42. http://blendpak.com/8hrnv3
43. http://bperes.com.br/8hrnv3
44. http://brainfreezeapp.com/8hrnv3
45. http://convergencevineyards.com/8hrnv3
46. http://cycollierville.com/8hrnv3
47. http://delreywindows.com/8hrnv3
48. http://democracyandsecurity.org/8hrnv3
49. http://drwonder.org/8hrnv3
50. http://e-vime.com/8hrnv3
51. http://factoryfreeapparel.com/8hrnv3
52. http://fastfine.ru/8hrnv3
53. http://franjaroja.emcali.net.co/8hrnv3
54. http://friendlygeek.org/8hrnv3
55. http://garosero5.com/8hrnv3
56. http://globaser3000.com/8hrnv3
57. http://gluten-free-on.net/8hrnv3
58. http://gps.50webs.com/8hrnv3
59. http://grafiquesvaros.com/8hrnv3
60. http://growing-e-m.com/8hrnv3
61. http://gyoda.v.wol.ne.jp/8hrnv3
62. http://halogen.dp.ua/8hrnv3
63. http://oliverkuo.com.au/8hrnv3
64. http://pliki-kirbyworld.50webs.com/8hrnv3
65. http://routerpanyoso.50webs.com/8hrnv3
66. http://skyers.awardspace.com/8hrnv3
67. http://www.andmax-rehabilitacja.pl/8hrnv3
68. http://www.bandhiga.com/8hrnv3
69. http://www.clinicafisiosan.com/8hrnv3
70. http://www.cryoniq.com/8hrnv3
71. http://www.de-klinker.be/8hrnv3
72. http://www.foyerstg.pro/8hrnv3
73. http://www.globalchristiantrust.com/8hrnv3
74. http://www.neumayr-alkoven.com/8hrnv3
75. http://www.texasredzonereport.com/8hrnv3
76. http://zimbabweaids.awardspace.com/8hrnv3
77.  
78. Malware:
79. - encoded on download
80. SHA256 36ec2edae1dfd19f201223dd0b101494c33d092e2884288fecd8615cd86cd993, MD5 539ff4ca8d5a2ef6ab7297c4788c9e7d
81. SHA256 27f256daf811b85b8cdfe9efa1235bc59ff99ecf2c0f909155fdf3d646ebfdcc, MD5 30ffab27be3ca772b1bf8c97b22b9fdc
82. - decoded
83. SHA256 a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3, MD5 e93bbc2feaf005d85affbadc1abb39e9
84. SHA256 877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07, MD5 b2c125eb7d8186e1a4d52c411b94dd58
85. - executed by "rundll32.exe %TEMP%\<filename>.ero,money"
86. - samples
87. https://www.virustotal.com/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482159947/
88. https://www.virustotal.com/file/877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07/analysis/1482188600/
89.  
90. C2:
91. POST http://188.127.239.48/checkupdate
92. POST http://91.223.180.3/checkupdate
93. POST http://176.121.14.95/checkupdate