2017-08-09 Locky "E 2017-08-09 (xxx).doc"

1. 2017-08-09: #Locky email phishing camapign "E 2017-08-09 (xxx).doc"
2. Samples: 1334
3.  
4. Email sample:
5. --------------------------------------------------------------------------------------------------------------
6. From: Jeanne@[REDACTED]
7. To: [REDACTED]
8. Subject: E 2017-08-09 (87).xls
9. Date: Mon, 24 Jul 2017 07:51:08 +0000
10.  
11. Attachment: "E 2017-08-09 (87).zip" -> "E 2017-08-09 (443).vbs"
12. --------------------------------------------------------------------------------------------------------------
13. - sender address is faked to look to be from same domain as recepient
14. - subject is "E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>"
15. - email body is empty
16. - attached file "E 2017-08-09 (<2-3 digits>).zip" contains file "E 2017-08-09 (<2-3 digits>).vbs" a VBScript downloader
17.  
18. Download sites:
19. http://3sat.fr/y872ff2f
20. http://adnangul.av.tr/y872ff2f
21. http://aedelavenir.com/y872ff2f
22. http://aisp74.asso.fr/y872ff2f
23. http://ambrogiauto.com/y872ff2f
24. http://apositive.be/y872ff2f
25. http://atesbocegianaokulu.com/y872ff2f
26. http://attilabalogh.com/y872ff2f
27. http://autoecole-jeanpierre.com/y872ff2f
28. http://auto-ecole-lecastelet.com/y872ff2f
29. http://auxilia-fr.com/y872ff2f
30. http://azlinshaharbi.com/y872ff2f
31. http://bayimpex.be/y872ff2f
32. http://beansviolins.com/y872ff2f
33. http://binarycousins.com/y872ff2f
34. http://boschettoristorante.it/y872ff2f
35. http://busad.com/y872ff2f
36. http://camefe.com.mx/y872ff2f
37. http://campusvoltaire.com/y872ff2f
38. http://cipemiliaromagna.cateterismo.it/y872ff2f
39. http://dbr663dnbssfrodison.net/af/y872ff2f
40. http://fachwerkhaus.ws/y872ff2f
41. http://flooringforyou.co.uk/y872ff2f
42. http://greenerlivingca.com/y872ff2f
43. http://henweekendsbirmingham.co.uk/y872ff2f
44. http://homeownersinsurance.ca/y872ff2f
45. http://iida-sevensuns.com/y872ff2f
46. http://jaysonmorrison.com/y872ff2f
47. http://llallagua.ch/y872ff2f
48. http://melting-potes.com/y872ff2f
49. http://peluqueriacaninaencordoba.com/y872ff2f
50. http://saunaesofmansatis.net/y872ff2f
51. http://searchlightcare.com/y872ff2f
52. http://tasgetiren.com/y872ff2f
53. http://telesolutionsconsultants.com/y872ff2f
54. http://themeastralgratuit.com/y872ff2f
55. http://willemshoeck.nl/y872ff2f
56.  
57. Malware:
58. - SHA256: 390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891, MD5: 0d0823d9a5d000b80e27090754f59ee5
59. - VT: https://www.virustotal.com/file/390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891/analysis/1502275376/
60. - HA: https://www.reverse.it/sample/390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891?environmentId=100
61. - C2:
62. POST http://83.217.8.61/checkupdate
63. POST http://31.202.130.9/checkupdate
64. POST http://91.234.35.106/checkupdate