Racco42

2016-09-19 Locky "Tracking number"

Sep 19th, 2016
2016-09-19 #locky email phishing campaign "Tracking number"

Email:
------------------------------------------------------------------------------------------------------
From: "Sophia Yates" <Yates.82@acol.globalnet.co.uk>
To: [REDACTED]
Subject: Tracking number
Date: Mon, 19 Sep 2016 11:36:04 -0500

Order

Dear [REDACTED],
we are currently processing the order #6594157-0902016 you made yesterday.

Attached is the tracking number (f6e1964a3e9cb1097dd2d8e3cdbea45fb4ad93e9b9cfaac2af36fc99).
If you encounter any problem receiving it, please contact us promptly.

Attachment: 243506378511.zip
------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Tracking number"
- attached file <random hex chars>.zip contains two files: one zero-filled file with a one-letter name, and "tracking number scan ~<random hex chars>~.js", a JScript downloader:

Download sites:
http://baftwaag.net/4hdwy
http://baftwaag.net/izp7u
http://baftwaag.net/tfv6f7
http://draybanga.info/30dpldpr
http://draybanga.info/8ut36ik6
http://draybanga.info/dv72j
http://filmymima.net/dmlvhn
http://filmymima.net/how92
http://filmymima.net/j1umtxl
http://greegatha.in/88bgxqt9
http://greegatha.in/ecdpq9
http://greegatha.in/ikgijt9
http://magasjenny.ru/67jabe
http://magasjenny.ru/xe9qu
http://magasjenny.ru/yjvt3a

Malware
- encoded on download
c8433b20b938081398c2b0814c8c5a284be0e0bdd776d6baecf050f27a69f544 http___baftwaag.net_4hdwy
64c80f40a3a19aeba9820ea7b7cbff068a2066428aa088a945fec292cde4b5c3 http___baftwaag.net_izp7u
25df597a946301bc18554ae5cf110af7b47beddac5cd298d6fd3bd7e9261c87c http___baftwaag.net_tfv6f7
2e1a0c25e727e393bd91057b86011c4e796cfe62778815d04545338e7e8f29cd http___draybanga.info_30dpldpr
c4fa6d1382b7ebcfeafd9e42be4508736df9ea91c564af7324f2cf48190d546c http___draybanga.info_8ut36ik6
da9c4f5690ed5850a22a1c215a565163745400fad48666f44fb01172ceee832b http___draybanga.info_dv72j
4b5b3b5dcb81753e37252033707a1bbef725317bdfa0b98117191ca01f333c54 http___filmymima.net_dmlvhn
5d513d1efe6f653a14f7bebd3c10050db73bdf40cbc9ce999801bea08b68a885 http___filmymima.net_how92
7e85e47bc2eb97c3e8a8b9165019f85528f40ddd268668ee23ba66f1e7cfeac7 http___filmymima.net_j1umtxl
eacb285de1ccb30e14b00c73715d39b2645704934cbe9a950b317452db81578f http___greegatha.in_88bgxqt9
f2d79f8e1598e0b2feae98a1d2fac9c40e911a6a105b553327a82191c00daec0 http___greegatha.in_ecdpq9
bc4f5a5fa52b009d6ebe21c729925e240b726f51899ca886fc15c7c632e855df http___greegatha.in_ikgijt9
91204b65717e842c57a73f239eeba5c97807ab68fbdb39d7ceff2dd8aa0bd188 http___magasjenny.ru_67jabe
0f6d44b906848b3af45b134bc92f475fe29665d6f83c305ea77207cb20ef512f http___magasjenny.ru_xe9qu
83bf15a5e564a66f7758b089348a6921b373f6cff2a15c139a3d7a10a5976b2e http___magasjenny.ru_yjvt3a
- decoded
cf812b3f685d19cb612b1cd019c25813e18af2515350685bd72e0d1f466cd2d5
dfadd2d25d9a029b7fd974dbc81c6eb7eeb3aa33fdb571c38defcbd02a3e5418
47090246f1c669414f8ebd2c19fb9c332f1ac163fe09dc7c41a2d467f60a3284
11acb2db50529da5d458690a0422ba8485a2d3c8725422e3e00e1e08ee13baea
- executed as "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
https://www.reverse.it/sample/c2200da6b7f084e923acad19befd2c8201bb9daffd682ee8d0996cb9f0a528c6?environmentId=100
https://www.reverse.it/sample/6d764d29d11f6eeded31c717e5aec41a295865606ee8076f7f55c4f4a56328b9?environmentId=100
https://www.reverse.it/sample/87928805882b037842af35bfce308764511a8273fcb2af786e35ec10714f04b5?environmentId=100
https://www.reverse.it/sample/bf77ed05c05471d07c605d225f946ef74cf30ce20c0961d81868b6fe1dd8ce0f?environmentId=100

C2:
176.103.56.105:80/data/info.php
91.223.88.205:80/data/info.php
kixxutnpikppnslx.xyz:80/data/info.php [91.223.88.209]
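Added example, not part of the original paste: a small Python matcher that turns the indicators above (download URLs, payload hashes, C2 endpoints, the attachment naming scheme and the rundll32 command line) into checks a defender can run over proxy logs, mail gateway data and process-creation events. Only the indicator values come from the paste; the log format, the sample log lines, the function names and the regexes are assumptions constructed for illustration.

```python
"""Matcher for the indicators in the 2016-09-19 Locky "Tracking number" paste.
Added example; the sample log lines and the log format are constructed."""
import re
from urllib.parse import urlparse

# Download URLs, as listed in the paste.
DOWNLOAD_URLS = {
    "http://baftwaag.net/4hdwy", "http://baftwaag.net/izp7u", "http://baftwaag.net/tfv6f7",
    "http://draybanga.info/30dpldpr", "http://draybanga.info/8ut36ik6", "http://draybanga.info/dv72j",
    "http://filmymima.net/dmlvhn", "http://filmymima.net/how92", "http://filmymima.net/j1umtxl",
    "http://greegatha.in/88bgxqt9", "http://greegatha.in/ecdpq9", "http://greegatha.in/ikgijt9",
    "http://magasjenny.ru/67jabe", "http://magasjenny.ru/xe9qu", "http://magasjenny.ru/yjvt3a",
}
DOWNLOAD_DOMAINS = {urlparse(u).hostname for u in DOWNLOAD_URLS}

# SHA-256 of the payloads as downloaded (encoded) and after decoding, from the paste.
ENCODED_SHA256 = {
    "c8433b20b938081398c2b0814c8c5a284be0e0bdd776d6baecf050f27a69f544",
    "64c80f40a3a19aeba9820ea7b7cbff068a2066428aa088a945fec292cde4b5c3",
    "25df597a946301bc18554ae5cf110af7b47beddac5cd298d6fd3bd7e9261c87c",
    "2e1a0c25e727e393bd91057b86011c4e796cfe62778815d04545338e7e8f29cd",
    "c4fa6d1382b7ebcfeafd9e42be4508736df9ea91c564af7324f2cf48190d546c",
    "da9c4f5690ed5850a22a1c215a565163745400fad48666f44fb01172ceee832b",
    "4b5b3b5dcb81753e37252033707a1bbef725317bdfa0b98117191ca01f333c54",
    "5d513d1efe6f653a14f7bebd3c10050db73bdf40cbc9ce999801bea08b68a885",
    "7e85e47bc2eb97c3e8a8b9165019f85528f40ddd268668ee23ba66f1e7cfeac7",
    "eacb285de1ccb30e14b00c73715d39b2645704934cbe9a950b317452db81578f",
    "f2d79f8e1598e0b2feae98a1d2fac9c40e911a6a105b553327a82191c00daec0",
    "bc4f5a5fa52b009d6ebe21c729925e240b726f51899ca886fc15c7c632e855df",
    "91204b65717e842c57a73f239eeba5c97807ab68fbdb39d7ceff2dd8aa0bd188",
    "0f6d44b906848b3af45b134bc92f475fe29665d6f83c305ea77207cb20ef512f",
    "83bf15a5e564a66f7758b089348a6921b373f6cff2a15c139a3d7a10a5976b2e",
}
DECODED_SHA256 = {
    "cf812b3f685d19cb612b1cd019c25813e18af2515350685bd72e0d1f466cd2d5",
    "dfadd2d25d9a029b7fd974dbc81c6eb7eeb3aa33fdb571c38defcbd02a3e5418",
    "47090246f1c669414f8ebd2c19fb9c332f1ac163fe09dc7c41a2d467f60a3284",
    "11acb2db50529da5d458690a0422ba8485a2d3c8725422e3e00e1e08ee13baea",
}

# C2 hosts (including the resolved IP of the .xyz domain) and the C2 path, from the paste.
C2_HOSTS = {"176.103.56.105", "91.223.88.205", "kixxutnpikppnslx.xyz", "91.223.88.209"}
C2_PATH = "/data/info.php"

# Attachment naming described in the paste: <hex>.zip containing "tracking number scan ~<hex>~.js".
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^tracking number scan ~[0-9a-f]+~\.js$", re.IGNORECASE)

# Execution observed in the paste: rundll32.exe %TEMP%\<dll_name>,qwerty 323
# (the export name "qwerty" followed by a numeric argument is the distinctive part).
RUNDLL32_RE = re.compile(r"\brundll32(?:\.exe)?\s+.+?,qwerty\s+\d+\b", re.IGNORECASE)


def classify_url(url):
    """Tag a requested URL: 'download' for an exact payload URL, 'download-domain' for
    any other path on a listed download host, 'c2' for a listed C2 host with the C2 path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    normalized = f"{parsed.scheme}://{host}{parsed.path}"  # drop port and query for matching
    if normalized in DOWNLOAD_URLS:
        return "download"
    if host in DOWNLOAD_DOMAINS:
        return "download-domain"
    if host in C2_HOSTS and parsed.path == C2_PATH:
        return "c2"
    return None


def match_hash(sha256):
    """Return 'encoded' or 'decoded' when a SHA-256 is one of the listed payload hashes."""
    digest = sha256.strip().lower()
    if digest in ENCODED_SHA256:
        return "encoded"
    if digest in DECODED_SHA256:
        return "decoded"
    return None


def suspicious_attachment(zip_name, member_names):
    """True when a zip attachment follows the naming scheme from the paste and
    carries a member named like the JScript downloader."""
    return bool(ZIP_NAME_RE.match(zip_name)) and any(JS_NAME_RE.match(m) for m in member_names)


def matches_rundll32_pattern(cmdline):
    """True when a process command line matches the rundll32 invocation from the paste."""
    return RUNDLL32_RE.search(cmdline) is not None


# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2016-09-19T16:41:02Z 10.0.0.12 GET http://baftwaag.net/4hdwy 200",
    "2016-09-19T16:41:09Z 10.0.0.12 GET http://example.com/index.html 200",
    "2016-09-19T16:41:40Z 10.0.0.12 POST http://176.103.56.105/data/info.php 200",
    "2016-09-19T16:42:01Z 10.0.0.33 GET http://filmymima.net/robots.txt 404",
]


def scan_proxy_log(lines):
    """Return (line_no, url, tag) for every log line whose URL matches an indicator."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        tag = classify_url(fields[3])
        if tag:
            hits.append((line_no, fields[3], tag))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The 'download-domain' tag is deliberately weaker than 'download': the paste shows three paths per host, so other paths on the same hosts are worth reviewing but are not a confirmed payload fetch. Hash matching is only useful for the encoded form if the logging point sees the file as downloaded; the decoded hashes apply to what lands on disk before rundll32 runs it.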