Racco42

2016-09-23 Locky "Transaction details"

Sep 23rd, 2016
2016-09-23 #locky email phishing campaign "Transaction details"

Email:
------------------------------------------------------------------------------------------------------------
From: "Oswaldo Klein" <Klein.413@mariee.ch>
To: [REDACTED]
Subject: Transactions details
Date: Fri, 23 Sep 2016 11:12:53 +0530

Dear [REDACTED], this is from the bank with reference to your email yesterday.
As you requested, attached is the scan of all the transactions your account made in September 2016.

Please let us know if you need further assistance.

---
Oswaldo Klein
Credit Controller
Tel.: (866) 869 46 50

Attachment: 77735befddb0.zip
------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Transaction details"
- attached file "<random hex chars>.zip" contains two files: a one-letter-name junk file and "Transactions details scan <random hex chars>.js", a JScript downloader

Download sites (60 URLs observed, several hosts serving more than one path):

Malware:
- encoded on download, filesizes 157188, 156676 and 157700 bytes
- decoded: four distinct payloads
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
- samples
https://www.reverse.it/sample/0381f81885d8ebb6b7de2a90be577c5a4524d343c574db07d41549d2444bed5d?environmentId=100
https://www.reverse.it/sample/7f9e4bcf79f6c8c66bb4ac460ed9ac58da3741d514e5d677adeae996bc0f12be?environmentId=100
https://www.reverse.it/sample/bd0fdb92670cf824a8520618c4c8370a8de1e9ed4961def6730784bfe566ff0e?environmentId=100
https://www.reverse.it/sample/141dca197719a40a70603e79a1560960ef28dca49a62365a57b5a4a1db30cc53?environmentId=100

C2:
POST 51.254.108.40:80/data/info.php
POST 158.255.6.129:80/data/info.php
POST wnrgttsfmhfmmoqxm.biz:80/data/info.php [69.195.129.70]
POST tswsgajtwhqkosd.su:80/data/info.php [91.239.235.130]
POST jfmiondv.xyz:80/data/info.php [91.239.235.130]
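Detection checks for the three behaviours noted in this paste (zip layout with a one-letter junk file plus the "Transactions details scan <hex>.js" downloader, the rundll32 launch line with the "qwerty 323" export call, and the HTTP POST to /data/info.php), added here as example code that is not part of the original paste; the process, proxy and zip samples below are constructed.

```python
import os
import re

# Patterns derived from the indicators in the paste above.
# Dropped DLL launched from %TEMP% via rundll32 with export "qwerty" and argument "323".
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+\S*?temp[^\s,]*\.dll\s*,\s*qwerty\s+323\b', re.IGNORECASE)
# C2 check-in: HTTP POST to /data/info.php on any host, domain or bare IP.
C2_RE = re.compile(r'^POST\s+\S+?/data/info\.php\b', re.IGNORECASE)
# JScript downloader name inside the zip attachment.
JS_RE = re.compile(r'^Transactions details scan [0-9a-f]+\.js$', re.IGNORECASE)


def is_locky_rundll32(cmdline: str) -> bool:
    """True if a process command line matches the rundll32 launch pattern."""
    return RUNDLL_RE.search(cmdline) is not None


def is_locky_c2(proxy_line: str) -> bool:
    """True if a 'METHOD host:port/path' proxy record matches the C2 pattern."""
    return C2_RE.search(proxy_line) is not None


def is_locky_attachment(zip_members: list) -> bool:
    """True if the zip member names show the two-file layout: a one-letter junk file
    plus the 'Transactions details scan <hex>.js' downloader."""
    has_js = any(JS_RE.match(n) for n in zip_members)
    has_junk = any(len(os.path.splitext(n)[0]) == 1
                   for n in zip_members if not JS_RE.match(n))
    return has_js and has_junk


# Constructed sample data (not from the paste).
PROC_LOGS = [
    r'rundll32.exe C:\Users\bob\AppData\Local\Temp\a1b2c3.dll,qwerty 323',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]
PROXY_LOGS = [
    'POST 51.254.108.40:80/data/info.php',
    'GET www.example.com:80/index.html',
]
ZIP_MEMBERS = ['q', 'Transactions details scan 77735befddb0.js']


def scan() -> dict:
    """Run all three checks over the constructed samples and return the hits."""
    return {
        'rundll32_hits': [l for l in PROC_LOGS if is_locky_rundll32(l)],
        'c2_hits': [l for l in PROXY_LOGS if is_locky_c2(l)],
        'attachment_hit': is_locky_attachment(ZIP_MEMBERS),
    }


if __name__ == '__main__':
    print(scan())
```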