2016-12-20 Locky "for printing"

2016-12-20: #locky email phishing campaign "for printing"

Email sample:
------------------------------------------------------------------------------------------------------------------
From: TAMMY MALTMAN <tammy.maltman@jmorris.net>
To: [REDACTED]
Date: Tue, 20 Dec 2016 16:15:08 +0530
Subject: for printing

Hi,

For printing.
Thank you so much.
--

*TAMMY MALTMAN CristobalHRD/Admin Officer*
*Moonbake Inc.14 Langka St., Golden Acres Talon 1*
*Las Pi=C3=B1as City, Philippines 1630Tel. No.: 632 8004373, 632 8022645Telefax:
632 8022645*

*Mobile Number: +63932-845-9007Email Address: tammy.maltman@jmorris.net
<tammy.maltman@jmorris.net>*

Attachment: Certificate_60447.xls
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "for printing"
- attached file "Certificate_<4-8 digits>.xls" is a Microsft Excel 2007+ file containing macro that will download malware:

Download sites:
http://artlab.co.il/hjv56
http://avenueresto.com/hjv56
http://bluelunar.net/hjv56
http://charlenelouw.co.za/hjv56
http://devzendo.org/hjv56
http://eagleslearning.com/hjv56
http://farbybialystok.pl/hjv56
http://forstmog.de/hjv56
http://fsamson.com/hjv56
http://guide4health.info/hjv56
http://hostalmilabi.com/hjv56
http://householdanimals.50webs.com/hjv56
http://imperialroofing.co.uk/hjv56
http://inzt.net/hjv56
http://ipt.se/hjv56
http://jaba-translations.pt/hjv56
http://jansen.com.ua/hjv56
http://jayacoat-industries.com.my/hjv56
http://kakamiao.com/hjv56
http://kmwine.ge/hjv56
http://kodivac.com/hjv56
http://kungfumasterwang.com/hjv56
http://ldagnes.pl/hjv56
http://minilab.ca/hjv56
http://mk-beauty.de/hjv56
http://nanomedilac.com/hjv56
http://nfia-china.com/hjv56
http://no1archeryandsports.ca/hjv56
http://owncloud.weber-rechtenbach.de/hjv56
http://paplanindustries.com/hjv56
http://pozsgaiingatlan.hu/hjv56
http://residencegardenia.it/hjv56
http://shouxinghg.com/hjv56
http://stav-reporter.ru/hjv56
http://tc12345.com/hjv56
http://theservantsoflove.com/hjv56
http://todoalojamiento.es/hjv56
http://www.genesisbilling.net/hjv56
http://www.grupoaex.es/hjv56
http://www.inglesenveranoenjavea.com/hjv56
http://www.junaida.com/hjv56

UPDATE:
http://ashpeptide.com/hjv56
http://cracoviamanor.com/hjv56
http://ingemanns-autolakering.dk/hjv56
http://klimatshop.sk/hjv56
http://phayamengrai.chiangrai.doae.go.th/hjv56
http://stuifmeelenstamper.be/hjv56
http://webplatter.com/hjv56
http://www.rencontreparis.org/hjv56
http://www.tenji-guide.com/hjv56

UPDATE:
http://adminca.se/hjv56
http://alaliengineering.net/hjv56
http://isriir.com/hjv56
http://jimprudom.com/hjv56
http://noosnegah.com/hjv56
http://revolutionarymom.com/hjv56
http://tanz-trommeln.at/hjv56
http://www.judo-hattingen.de/hjv56
http://yorkshire-pm.com/hjv56

UPDATE:
http://carloszubiaga.com/hjv56
http://corlouis.com/hjv56
http://gages-56.com/hjv56
http://kayju.com/hjv56
http://knightsure.co.uk/hjv56
http://macoinservicios.com/hjv56
http://namecardcenter.net/hjv56
http://www.azrodandclassic.com/hjv56
http://www.langeoog-meerleben.de/hjv56

Malware:
- encoded on download, SHA256 3e813c9aef93c3ee00c89f99ee3e67314417b3d492c175a0633c0bb61cd03bef, MD5 20bac7aa46a9d2f0f19e54ed36a9b0fd
- decoded SHA256 3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893, MD5 c46d07a05d498cf4178d3092ee62aa07
- executed by "rundll32.exe %TEMP%\<filename>.vip,vape"
- sample: https://www.virustotal.com/file/3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893/analysis/1482233488/

C2:
POST http://176.121.14.95/checkupdate
POST http://188.127.239.48/checkupdate
POST http://193.201.225.124/checkupdate
POST http://91.203.5.144/checkupdate
POST http://91.223.180.3/checkupdate