Racco42

2016-09-22 Locky "Receipt of payment"

Sep 22nd, 2016
2016-09-22 #locky email phish campaign "Receipt of payment"

Email:
--------------------------------------------------------------------------------------------------------------------
From: "Maria scrivener" <Maria.scrivener0@patelmarriages.com>
To: [REDACTED]
Subject: Receipt of payment
Date: Thu, 22 Sep 2016 03:39:58 +0400

Good afternoon,

Thank you for you call this afternoon.
Please find attached your receipt of payment.
If you need anything else please feel free to contact me on the details below.

Kind regards.

Maria scrivener
Credit Controller
IB GIBL Credit Control
7th Floor Spectrum Building
55 Blythswood Street | Glasgow | G2 7AT
Direct: 0141 233 3164
Maria.scrivener0@patelmarriages.com
http://www.ajginternational.com/

Attachment: "(#77239916719) Receipt.zip"
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails, but the "company" in the footer of the email is the same
- subject is "Receipt of payment"
- attached file "(#<number>) Receipt.zip" contains file <random uppercase chars>.hta, a JScript downloader

Download sites:

Malware:
- encoded on download, SHA256 78900539b0e2907007f5de818ac69c89eaf7ff1b29f901ff84e65d0b1e718021, filesize 163840
- decoded SHA256 704eb9e3cc54bdafa1736f529ae0695d620a7c064e6d4fac591ab98ebe47fc0c
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples:
https://www.reverse.it/sample/9779195cabb5547307cfad9e52d543fda56f3e8ff8eb517289d2ac15eba89ee4?environmentId=100
https://www.reverse.it/sample/aee3478b5f6782c9adcabf84bce7992e84634b9e4e7277f34bdb2fc678a7bf66?environmentId=100
https://www.reverse.it/sample/252c1e2ab29b8c077edbf5f69d9f0382554d0751dcb96e8c1a29c0ce331b035b?environmentId=100
https://www.reverse.it/sample/1020fa9afbfad3700e1cbf03200d2a1973f976d3c1a3bcc9f6bf070df07c0917?environmentId=100
https://www.reverse.it/sample/d6d6859b7b9896b7fe8818d375b1fbacafdd30fb6304ba6f086dd9e988bcf275?environmentId=100

C2:
- no visible C2 communication, encryption key is probably in the Locky configuration
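Added defensive example, not part of the original paste: the constant indicators from the notes above (subject, attachment naming, uppercase .hta member, the shared /746t3fg3 path, and the rundll32 launch with export "qwerty" from %TEMP%) turned into checks that run over constructed mail, proxy and process-creation records. The hostnames, user path and DLL name in the sample records are made up.

```python
import re
from urllib.parse import urlparse
# Indicators taken from the campaign notes above; sample telemetry below is constructed.
SUBJECT = "Receipt of payment"
ATTACHMENT_RE = re.compile(r"^\(#\d+\) Receipt\.zip$")      # "(#<number>) Receipt.zip"
HTA_MEMBER_RE = re.compile(r"^[A-Z]+\.hta$")                # <random uppercase chars>.hta
URL_PATH = "/746t3fg3"                                       # host varies, path is constant
# rundll32 loading a DLL from a Temp directory (or %TEMP%) and calling export "qwerty"
RUNDLL_RE = re.compile(
    r'\brundll32(?:\.exe)?\s+"?(?:[^\s"]*[\\/])?%?temp%?[\\/][^,\s"]+"?\s*,\s*qwerty\b',
    re.IGNORECASE,
)

def email_matches(subject, attachment, members=()):
    """Subject and attachment name follow the campaign pattern; if the zip's
    member names are supplied, one of them must also be an uppercase .hta."""
    if subject.strip() != SUBJECT or not ATTACHMENT_RE.match(attachment):
        return False
    return not members or any(HTA_MEMBER_RE.match(m) for m in members)

def url_matches(url):
    """Only the path is compared, since every download site shares it."""
    return urlparse(url).path == URL_PATH
def process_matches(cmdline):
    """Process-creation command line shaped like the observed rundll32 launch."""
    return RUNDLL_RE.search(cmdline) is not None

CHECKS = {
    "email": lambda d: email_matches(*d),
    "url": url_matches,
    "process": process_matches,
}

def scan(events):
    """events: (kind, data) tuples; returns the indices of events that match."""
    return [i for i, (kind, data) in enumerate(events) if CHECKS[kind](data)]

# Constructed sample telemetry (hostnames, user path and DLL name are made up).
SAMPLE_EVENTS = [
    ("email", ("Receipt of payment", "(#77239916719) Receipt.zip", ["XKQMW.hta"])),
    ("email", ("Receipt of payment", "receipt.pdf", [])),
    ("url", "http://example.invalid/746t3fg3"),
    ("url", "http://example.invalid/index.html"),
    ("process", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\XKQMW.dll,qwerty"),
    ("process", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # → [0, 2, 4]
```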