Racco42

2016-09-21 Locky "Package"

Sep 21st, 2016
2016-09-21 #locky email phishing campaign "Package"

Email:
--------------------------------------------------------------------------------------------------------
From: "Connie Sutton" <Sutton.95517@pangeaneering.com>
To: [REDACTED]
Subject: Package
Date: Wed, 21 Sep 2016 16:59:51 +0530

Dear customer, we have sent your package today. Please have a look at the receipt attached.

No return or refund will be available without the receipt.

Tracking ID - [c1f980dd5ead5ce1e41863808d81af530a]

Thank you.

Attachment: ce5168a6369f.zip
--------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Package"
- attached file <random hex chars>.zip contains two files:
  - a one-letter-named, zero-filled junk file
  - "package receipt doc ~<random hex>~.js", a JScript downloader

Download sites (all hosted on 190.147.38.2, 95.173.164.205):

Malware:
- payload is encoded when downloaded; file sizes 156676 and 157188 bytes
- decoded:
571b55080ce62cdfddf0611c5f183a46ddf04d729ac9d3bde1ae1b57eea188cd
769c9c52c8a4d3567e3021450b3e40dec3ebec82957371cf3893444b4c2f5d1b
c920284da131ce871bd3e419d8d80435de3112233272e72e525c2c285efa19a9
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
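An added detection example (not part of the original paste) covering both the attachment layout described above and the rundll32 launch just listed: it flags a ZIP whose members are a one-letter zero-filled junk file plus a "package receipt doc ~<hex>~.js" script, and a process command line loading a DLL from %TEMP% with the ",qwerty 323" export call. The sample zip, its member contents and the command lines are constructed for the test; only the naming patterns come from the paste.

```python
"""Flags the "Package" lure traits described in this paste.

Added example, not part of the original paste: detects ZIP attachments
with a one-letter zero-filled junk file plus a "package receipt doc
~<hex>~.js" JScript, and rundll32 lines loading a %TEMP% DLL via
",qwerty 323". Sample zip below is constructed, not the real malware.
"""
import io
import re
import zipfile

# Patterns derived from the file names and command line quoted in the paste.
JS_LURE = re.compile(r"^package receipt doc ~[0-9a-f]+~\.js$", re.IGNORECASE)
JUNK_NAME = re.compile(r"^[A-Za-z]$")
RUNDLL_LURE = re.compile(
    r"rundll32(\.exe)?\s+.*temp%?\\[^,\s]+,\s*qwerty\s+323\b", re.IGNORECASE)


def classify_zip(data: bytes) -> dict:
    """Return which lure traits a ZIP attachment (as bytes) exhibits."""
    traits = {"js_downloader": False, "zero_junk": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            if JS_LURE.match(name):
                traits["js_downloader"] = True
            elif JUNK_NAME.match(name):
                # Read a bounded prefix so a huge member cannot exhaust memory.
                with zf.open(info) as fh:
                    head = fh.read(4096)
                if head and not head.strip(b"\x00"):
                    traits["zero_junk"] = True
    traits["match"] = traits["js_downloader"] and traits["zero_junk"]
    return traits


def is_rundll_lure(cmdline: str) -> bool:
    """True if a process command line matches the observed rundll32 launch."""
    return RUNDLL_LURE.search(cmdline) is not None


def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the observed layout (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("k", b"\x00" * 2048)
        zf.writestr("package receipt doc ~ab12cd34ef56~.js",
                    "// placeholder body, not the real downloader\n")
    return buf.getvalue()
```

Both checks are deliberately narrow to this campaign's naming; a mail gateway rule would pair the zip check with the subject "Package" and a varying sender, and an EDR rule would pair the command-line check with rundll32 parented by wscript.exe.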

https://www.reverse.it/sample/54a7451a184fd8afa3cac9d787d5f83abeb8fecd14d9f136cff135e9f0d849e0?environmentId=100
https://www.reverse.it/sample/4a4141c2adab0ebca262f25d7f6a45b773b074628a9522401e8dfa28d4889ccb?environmentId=100
https://www.reverse.it/sample/3ca0d09b7236301b91e284f8a272f69a9a1f3fa158b4e8986af400dec545acab?environmentId=100
https://www.reverse.it/sample/960b4c3b10bb54428dc28efdb559a533d7fe3cb117049c83d2a02862d8ec99f0?environmentId=100

C2:
91.195.12.173:80/data/info.php
109.248.59.80:80/data/info.php
ixearhbmeqsoeck.biz:80/data/info.php [91.239.235.130]
faprgrrgp.biz:80/data/info.php [69.195.129.70]