New Locky distribution sites - 23/06/2016 continue

*Email sample*

_Subject_: Payment

_Body_:

Dear [NAME],

Our records show that we have not yet received payment for the previous order #A-532173
Could you please send payment as soon as possible?

Please find attached file for details.


Yours sincerely
Jeremy Jackson
Operations Director (CEO Designate)


In attachment a zip archive with a javascript file.

Javascript sample - MD5: b217ece3ecf33fd6fc624af5d25f0840
VT: 1/56 - https://www.virustotal.com/en/file/a7e93e059bf53885110dddb52b5029e4e5c0b35f98ab3981a26b80a47118905d/analysis/

*Compromised domains (47)*:

98.131.20.17/ o41d3
bbmarilu.it/ f7x1378
bbvogliadimare.it/ h573kdg
bolanoid.ru/ vjqraq
btgnj.com/ a6308b
caseificiodesantis.it/ bmvl5xz
centrosportivoiunco.it/ c42en
cm-seia.pt/ 0q6d4ej
cond.gribochechki.ru/ zibni
control-seduction.private.pl/ eu5c1q
darts-pr.ru/ 6m5hl
deangelis.co.uk/ 9189x
dice-design.com/ 9cotr5w
dugganinternational.ca/ jlv43q0
edilperle.it/ b354kx0o
fastmoneyloan.info/ 0h1vsa63
fitnesclub.ru/ oc7xhbuc
folkchata.pl/ wmm4i0
follyfoot.org/ todl3fc
garnelenfarm.net/ jixh4iz
genius-versand.de/ 9kme7u
hate-metal.com/ hre8fqo
hoosiernetwork.com/ 6oa4xhk
hotstreams.ru/ o1cri71
hudebiah.net/ uhpdylx4
ilbalconcino2011.it/ bzukq
ingstroymash.ru/ m92xv
itc.slav.dn.ua/ w4b7m0
karl-lee.se/ x23ft
marchandedidees.fr/ o1236qw
maydenehotelblackpool.com/ 4qjb81gs
modband.com/ a4jw2if
mr2peter.de/ myu3a6ge
namifitnessclub.it/ c6y9dcms
newgeneration2010.it/ cx6uxxg5
newpark.co.uk/ 54yp9
oavb.com/ 9hh3ybox
potolok-profit.ru/ od0xz9xv
redpower.com.au/ xlkdld
saintkatherine.orthodoxy.ru/ 5uj4u6
staffsolut.nichost.ru/ qimiiud
turniejkrzyz.za.pl/ fz0i11
uas-aas.ca/ 4bwbk5
usdavetrana.it/ c474o
vonenidan.de/ kdwytr
www.johnlodgearchitects.com/ fx89v
www.puertasjoaquin.com/ nl5tl

*Sampled downloaded and decoded*:

File Name: fksdOKooVkA.exe
MD5: 8137DC850A9F2593F331A149D6CC17CF
VT 13/54 - https://virustotal.com/en/file/6f292ac37fb327ce7223f4e7d58b93f0f3038f279ac54348c2cef430aacc44d8/analysis/