2016-12-14 Locky "Booking confirmation"

1. 2016-12-14: #locky email phishing campaign "Booking Confirmation"
2.  
3. Sample email:
4. -------------------------------------------------------------------------------------------------------------------
5. From: camille tuenbull <camille.tuenbull@didlake.hr.coxmail.com>
6. To: [REDACTED]
7. Date: Wed, 14 Dec 2016 11:56:41 +0200
8. Subject: Booking Confirmation
9.  
10. Booking Confirmation
11.  
12. This email and any attachments are confidential. If you have received it in error - notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
13.  
14. Attachment: BookingConfirmation_7305_[REDACTED].docm
15. -------------------------------------------------------------------------------------------------------------------
16. - sender varies between emails
17. - subject is "Booking Confirmation"
18. - attached file "BookingConfirmation_<2-6 digits>_<recipient's email>.docm" is a Microsoft Word file with malicious macro that will download malware
19.  
20. Download sites:
21. http://028cdxyk.com/nbv364
22. http://allan.multimediedesignerskive.dk/nbv364
23. http://amaniinitiative.org/nbv364
24. http://angermeir.de/nbv364
25. http://antonbogov.com/nbv364
26. http://arbeiten.pl/nbv364
27. http://autozirkus.com/nbv364
28. http://bikebrowse.com/nbv364
29. http://dealspari.com/nbv364
30. http://demo.ahost5.ru/nbv364
31. http://demo.pornuha4you.com/nbv364
32. http://dicksmacker.com/nbv364
33. http://dochalupy.com/nbv364
34. http://dongiberson.com/nbv364
35. http://downloadform.net/nbv364
36. http://dryerventexpress.com/nbv364
37. http://eastoncorporatefinance.com/nbv364
38. http://e-pin.gr/nbv364
39. http://evolutionseries.com/nbv364
40. http://facerecognition.com.ba/nbv364
41. http://gandalfoli.com/nbv364
42. http://hotmusic.vipereskariot.ru/nbv364
43. http://houssiere.daniel.formations-web.alsace/nbv364
44. http://infinitecorp.ca/nbv364
45. http://kayamuh.sarf.com.tr/nbv364
46. http://ledticket.com/nbv364
47. http://lntproductions.com/nbv364
48. http://lucapotenziani.com/nbv364
49. http://mainlinecarriers.co.tz/nbv364
50. http://mbdvacations.com/nbv364
51. http://meatthetruth.ru/nbv364
52. http://mhmchicago.com/nbv364
53. http://old.strommarnas.se/nbv364
54. http://o-migunova.myjino.ru/nbv364
55. http://ospkrutyn.pl/nbv364
56. http://pacworld.com/nbv364
57. http://perspektive-fuer-kinder.de/nbv364
58. http://s98405.gridserver.com/nbv364
59. http://safataj.ir/nbv364
60. http://seven-cards.com/nbv364
61. http://shortsuey.com/nbv364
62. http://spikaflora.ru/nbv364
63. http://store.elixe.net/nbv364
64. http://theexcelconsultant.com/nbv364
65. http://tunca.bel.tr/nbv364
66. http://ustadhanif.com/nbv364
67. http://watchmeninc.com/nbv364
68. http://welovetofish.org/nbv364
69. http://www.englishworld.it/nbv364
70. http://www.jebbenterprises.com/nbv364
71. http://www.kottalgenealogy.com/nbv364
72. http://yaeliloni.com/nbv364
73. http://zhongguanjiaoshi.com/nbv364
74.  
75. UPDATE:
76. http://movewithgrace.ca/nbv364
77. http://obccllc.com/nbv364
78. http://smcga.ca/nbv364
79.  
80. Malware
81. - encoded on download SHA256 a0f61de098c20ea77b8c0aa81724459fe63ac2f21f0b3150a2a5b16e1971ba40, MD5 47ba782233f37579aff9ca0687b36b5c
82. - decoded SHA256 a9574969901055c2db26e0a9f63cde558d9b9be85f808bf3013888bc65cfd87b, MD5 78f3293d928a1539b7a173124b255b96
83. - executed by "rundll32.exe %TEMP%\<filename>.rudf,GetMessage"
84. - samples
85. https://www.reverse.it/sample/bf80b15f9e889be5b41a0bba33163a823cb4560b36297902e35a22e372b9ff44?environmentId=100
86. https://www.reverse.it/sample/bc504d0fc9793d24ea860ca069745eeb0a777906a3cb98196bc3ac84507d857a?environmentId=100
87.  
88. C2:
89. POST http://176.121.14.95/checkupdate
90. POST http://185.117.72.105/checkupdate