Racco42

2016-09-16 Locky "IMG, FAX, DOC, SCAN"

Sep 16th, 2016
2016-09-16 #locky email phishing campaign "IMG, FAX, DOC, SCAN"

Email:
-----------------------------------------------------------------------------------------------------------------
From: "Winifred" <Winifred1@[REDACTED]>
To: [REDACTED]
Subject: FAX_3450
Date: Fri, 16 Sep 2016 15:37:04 +0530

Attachment: FAX_3450.zip
-----------------------------------------------------------------------------------------------------------------
- sender address is random, but seems to belong to the same domain as the recipient
- body is empty
- subject has format [FAX|DOC|SCAN|IMG]_<4 digit number>
- attachment <%subject%>.zip contains file <random chars>.wsf, a JScript downloader

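The lure traits listed above (subject format, attachment named after the subject, sender on the recipient's domain, empty body, a .wsf inside the zip) turned into mail-gateway triage rules. This is an added example, not the original author's tooling: the example.com addresses, the file name Kj8dW2q.wsf and the JScript placeholder inside the zip are constructed for the demonstration, and the benign message is there only to show the rules do not fire on ordinary mail.

```python
"""
Triage rules for the Locky lure pattern: each observed trait is checked
independently and reported, so an analyst can see which ones matched.
Added example; all messages below are constructed, the .wsf is a harmless
placeholder and not the real downloader.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Observed subject format: [FAX|DOC|SCAN|IMG]_<4 digit number>
SUBJECT_RE = re.compile(r"^(?:FAX|DOC|SCAN|IMG)_\d{4}$")


def build_message(sender, recipient, subject, body, att_name, att_bytes, att_type):
    """Build a raw RFC 5322 message with one attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = "Fri, 16 Sep 2016 15:37:04 +0530"
    msg.set_content(body)
    maintype, subtype = att_type.split("/")
    msg.add_attachment(att_bytes, maintype=maintype, subtype=subtype, filename=att_name)
    return msg.as_bytes()


def zip_with_wsf():
    """A zip holding <random chars>.wsf as in the campaign; the script body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Kj8dW2q.wsf", "<job><script language='JScript'></script></job>")
    return buf.getvalue()


def _domain(header):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def triage(raw):
    """Evaluate every lure trait on a raw message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    attachments = list(msg.iter_attachments())
    names = [a.get_filename() or "" for a in attachments]
    wsf = []
    for a in attachments:
        if not (a.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(a.get_payload(decode=True))) as zf:
                wsf += [n for n in zf.namelist() if n.lower().endswith(".wsf")]
        except zipfile.BadZipFile:
            pass  # a corrupt zip is not evidence either way; leave wsf empty
    from_dom, to_dom = _domain(msg["From"]), _domain(msg["To"])
    return {
        "subject_pattern": bool(SUBJECT_RE.match(subject)),
        "attachment_named_after_subject": f"{subject}.zip" in names,
        "sender_domain_matches_recipient": from_dom != "" and from_dom == to_dom,
        "empty_body": body == "",
        "zip_contains_wsf": bool(wsf),
        "wsf_names": wsf,
    }


def is_locky_lure(findings):
    """Subject format plus a .wsf in the zip is enough to quarantine; the rest corroborates."""
    return findings["subject_pattern"] and findings["zip_contains_wsf"]


if __name__ == "__main__":
    lure = build_message('"Winifred" <Winifred1@example.com>', "alice@example.com",
                         "FAX_3450", "", "FAX_3450.zip", zip_with_wsf(), "application/zip")
    benign = build_message("bob@partner.example", "alice@example.com", "Q3 invoice",
                           "Hi Alice, invoice attached.", "invoice.pdf", b"%PDF-1.4\n", "application/pdf")
    for raw in (lure, benign):
        f = triage(raw)
        print(is_locky_lure(f), f)
```

The traits are reported separately rather than folded into one boolean because the weak ones (empty body, same-domain sender) occur in legitimate mail on their own; the quarantine decision here rests on the subject format together with a .wsf inside the zip, and the rest is context for the analyst.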
Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download):
http://1express.com.sg/54JHbjgcDLG
http://24hourprintshop.com/54JHbjgcDLG
http://46709394.com/54JHbjgcDLG
http://adityastar.com/54JHbjgcDLG
http://all4supply.com/54JHbjgcDLG
http://anythingsteel.com/54JHbjgcDLG
http://apro88.com/54JHbjgcDLG
http://barcelona4fun.com/54JHbjgcDLG
http://b-creative.be/54JHbjgcDLG
http://bsm.sk/54JHbjgcDLG
http://chelsea-west.com/54JHbjgcDLG
http://criar-meu-site.com/54JHbjgcDLG
http://curlysol.com/54JHbjgcDLG
http://dailymandi.com/54JHbjgcDLG
http://demo.website.pl/54JHbjgcDLG
http://earnbyemail.com/54JHbjgcDLG
http://fgspro.com/54JHbjgcDLG
http://gizlot.com/54JHbjgcDLG
http://helpmybathroom.com/54JHbjgcDLG
http://honeydavis.us/54JHbjgcDLG
http://incarmo.ru/54JHbjgcDLG
http://inovsol.com/54JHbjgcDLG
http://islamiccollege.org/54JHbjgcDLG
http://jsydjc.com/54JHbjgcDLG
http://kolben.cz/54JHbjgcDLG
http://kwiry.com/54JHbjgcDLG
http://mahovik-bg.com/54JHbjgcDLG
http://markanltd.com/54JHbjgcDLG
http://mfcomputer.net/54JHbjgcDLG
http://miamilimosina.com/54JHbjgcDLG
http://mudelts.com/54JHbjgcDLG
http://mytourbid.com/54JHbjgcDLG
http://nipeldogalgaz.com/54JHbjgcDLG
http://paraspokeri.net/54JHbjgcDLG
http://psychquiz.com/54JHbjgcDLG
http://qarmoo.com/54JHbjgcDLG
http://rentvspb.ru/54JHbjgcDLG
http://salemwitchcat.com/54JHbjgcDLG
http://samenart.com/54JHbjgcDLG
http://sanalnet.org/54JHbjgcDLG
http://sds-india.org/54JHbjgcDLG
http://shopmjn.com/54JHbjgcDLG
http://sinergica.cl/54JHbjgcDLG
http://sstaswim.com/54JHbjgcDLG
http://swivelsrus.com/54JHbjgcDLG
http://timnhadat.com/54JHbjgcDLG
http://tobybender.com/54JHbjgcDLG
http://travelvoice.com/54JHbjgcDLG
http://wordpresshosting.co.il/54JHbjgcDLG
http://xn--41a.xn----8sbivjiocsggj.xn--p1ai/54JHbjgcDLG
http://xsolution.sk/54JHbjgcDLG

Malware
- downloaded file is encoded: SHA256 528455065a7c975bfaa3674f6a1dcf051fd69cba4ba81321f7d32269fb99a5bb, filesize 155648 bytes
- decoded payload SHA256 1d0148fc0bd53b9ed5837b827543a93e280812d13d5a34d9b83d2527b61dfaed
- execution (decoded payload is a DLL): "rundll32.exe %TEMP%\<name>.dll,qwerty"

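Matching the download-site and execution indicators above against logs, as an added example (not the original author's tooling). The host set is a subset of the list above and takes the full list the same way; the proxy and process-creation lines are constructed, and the assumption that %TEMP% shows up in process logs either literally or expanded to ...\AppData\Local\Temp is mine, not something the paste states.

```python
"""
IOC matcher for the two later stages of the campaign: the download URL
(host + fixed path, query string ignored) and the rundll32 execution line.
Added example; log lines are constructed and the host set is a subset.
"""
import re
from urllib.parse import urlsplit

# Download hosts (subset of the list above; the full list drops in the same way).
DOWNLOAD_HOSTS = {
    "1express.com.sg", "24hourprintshop.com", "46709394.com",
    "bsm.sk", "kolben.cz", "xsolution.sk",
    "xn--41a.xn----8sbivjiocsggj.xn--p1ai",
}
DOWNLOAD_PATH = "/54JHbjgcDLG"
URL_RE = re.compile(r"https?://[^\s\"']+")


def is_download_url(url):
    """Host and path must match; the ?<random>=<random> query is ignored on purpose."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH


def scan_proxy_log(lines):
    """Return every URL in the lines that points at a known download site."""
    return [url for line in lines for url in URL_RE.findall(line) if is_download_url(url)]


# Execution stage: rundll32 loading a DLL out of the user's Temp directory through
# the export "qwerty". Assumption (mine): %TEMP% is logged either literally or
# expanded to ...\AppData\Local\Temp; both spellings are accepted, quoted or not.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?:%TEMP%|[^\s"]*\\Temp)\\[^\\\s"]+\.dll"?,\s*qwerty\b',
    re.IGNORECASE,
)


def is_locky_exec(cmdline):
    """True when a command line matches the observed rundll32 invocation."""
    return RUNDLL_RE.search(cmdline) is not None


def scan_process_log(lines):
    """Return the process-creation lines whose command line matches the pattern."""
    return [line for line in lines if is_locky_exec(line)]


# Constructed sample data (not real logs).
PROXY_LOG = [
    "1474022224.512 10.0.0.12 TCP_MISS/200 GET http://24hourprintshop.com/54JHbjgcDLG?uKd=9sLp - DIRECT/203.0.113.5 application/octet-stream",
    "1474022230.004 10.0.0.12 TCP_MISS/200 GET http://24hourprintshop.com/index.html - DIRECT/203.0.113.5 text/html",
    "1474022241.790 10.0.0.17 TCP_MISS/200 GET http://example.com/54JHbjgcDLG - DIRECT/198.51.100.9 text/html",
    "1474022250.116 10.0.0.17 TCP_MISS/200 GET http://xsolution.sk/54JHbjgcDLG/ - DIRECT/198.51.100.10 text/html",
]
PROCESS_LOG = [
    r'CommandLine: rundll32.exe C:\Users\alice\AppData\Local\Temp\hJkL9.dll,qwerty',
    r'CommandLine: rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'CommandLine: "C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\QpR3.dll",qwerty',
    r'CommandLine: rundll32.exe %TEMP%\x.dll,notqwerty',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("download:", hit)
    for hit in scan_process_log(PROCESS_LOG):
        print("exec:", hit)
```

Matching on host plus the fixed path rather than on the full URL is what makes the randomised query string irrelevant; a trailing slash or a different path on the same host is deliberately not a hit, since the compromised sites also serve their normal content. The export name is the stable part of the execution line, so the DLL name is left as a wildcard.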
https://www.reverse.it/sample/3f0c23957f1c0ebcfae7be2dca6a6a4105bcc463167e75575edbfd6444ef2dcb?environmentId=100
https://www.reverse.it/sample/d7bdef77ff55b6492450e049784d07cc7aa06deda45db8c9c4db4f8f7dd4d032?environmentId=100
https://www.reverse.it/sample/c2a6412fbf57a7a4e1f3984915f3874f3e0cc4a9749f634f7de6c00688393cbe?environmentId=100
https://www.reverse.it/sample/c1ca393ec9cc9ae747ddec82e73aaf2703449b3a2f1644dbb978369f063ee0ac?environmentId=100

C2:
- no C2 communication visible