Racco42

2016-09-15 Locky "SCAN"

Sep 15th, 2016
2016-09-15 #locky email phishing campaign "SCAN"

Email:
------------------------------------------------------------------------------------------------
From: "Vonda trench" <logistics@polvige.com>
To: [REDACTED]
Date: Thu, 15 Sep 2016 11:39:38 +0200
Subject: SCAN

_____

Vonda trench

Logistics Department
ALGRAFIKA SH.P.K

Tel : +355 4 23 52 506
Fax: +355 4 23 73 211
Mobile : +355 67 40 46 320
Web : http://www.polvige.com

Attachment: "SCAN_20160915_4058772597.zip"
------------------------------------------------------------------------------------------------
- sender address varies, in format logistics@<domain>
- subject is "SCAN"
- Attachment "SCAN_20160915_<number>.zip" contains <random>.wsf with JScript downloader

Download sites:
http://bet4good.org/afdIJGY8766gyu
http://bigfishcasting.com/afdIJGY8766gyu
http://charlcote1.net/afdIJGY8766gyu
http://delicefilm.com/afdIJGY8766gyu
http://dendang.net/afdIJGY8766gyu
http://eiti.co.il/afdIJGY8766gyu
http://hawaiipoliticalinfo.org/afdIJGY8766gyu
http://insideinsights.net/afdIJGY8766gyu
http://insieutoc.com/afdIJGY8766gyu
http://keratin.sk/afdIJGY8766gyu
http://kf-design.com/afdIJGY8766gyu
http://lacumpa.biz/afdIJGY8766gyu
http://techboss.net/afdIJGY8766gyu
http://tommylam.com/afdIJGY8766gyu

UPDATE:
http://espaciosamadhi.com/afdIJGY8766gyu
http://fenwaycourier.com/afdIJGY8766gyu
http://mika.tohmon.com/afdIJGY8766gyu
http://oliveservicedapartments.com/afdIJGY8766gyu

UPDATE2:
http://allovercoupon.com/afdIJGY8766gyu
http://americofernando.com/afdIJGY8766gyu
http://credit-it.com/afdIJGY8766gyu
http://electua.org/afdIJGY8766gyu
http://lowcostveterinarios.com/afdIJGY8766gyu
http://mumbomedia.nl/afdIJGY8766gyu
http://pasbardejov.sk/afdIJGY8766gyu
http://rimpro.ru/afdIJGY8766gyu
http://salarypra1.net/afdIJGY8766gyu
http://trudprom.ru/afdIJGY8766gyu
http://zharikoff.ru/afdIJGY8766gyu

UPDATE3:
http://1natureresort.com/afdIJGY8766gyu
http://discoverstillwater.com/afdIJGY8766gyu
http://gearstuff.net/afdIJGY8766gyu
http://iandistudio.com/afdIJGY8766gyu
http://jxbestextile.com/afdIJGY8766gyu
http://lullaby-babies.co.uk/afdIJGY8766gyu
http://lusanmaster.com/afdIJGY8766gyu
http://ocscexpo.net/afdIJGY8766gyu
http://onefilmy.com/afdIJGY8766gyu
http://sandpiperchorus.us/afdIJGY8766gyu
http://sapanboon.com/afdIJGY8766gyu

Malware:
- encoded on download, SHA256 c9b7c221208a2d459503b836a1f9c727041170e139523db65dee487db74498e2, filesize 258560 bytes
- decoded SHA256 f68a383f7f27a8ac1f1cc9040bcbb11747412d2193d6eaa508d010eef3d59d76, filesize 258560 bytes
- executed by "rundll32.exe %TEMP%\YgXrvSpiw1.dll,qwerty"

https://www.reverse.it/sample/d37af7fb2a2ca387b8d1febf4acdcdd9e45337773e3d3fccdd2571955ac52ebf?environmentId=100
https://www.reverse.it/sample/7089ddb070e7902c1422075ee5bc7d8d7a59080867d6b6dc80d1dcdc63e4779f?environmentId=100
https://www.reverse.it/sample/95f63a38b9fabd64357b485736f40469438fafffd5f438cfe09f5316715a7fbb?environmentId=100
https://www.reverse.it/sample/20702e287e9483875460c39cc9f76fd7a9bae6516b138b92397ebe84e00e5b24?environmentId=100
https://www.reverse.it/sample/a3851868bba572b8054fe64ce0354546b32e6cab74a608eb3030416ba27e2a56?environmentId=100

C2:
- no C2 connections
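A triage helper that turns the indicators above into checks a defender can run over mail metadata, proxy logs, process command lines, file hashes and zip attachments. This is an added example, not part of the original paste or the poster's own tooling. The indicator values (sender pattern, subject, attachment name pattern, URL path, the two SHA256 hashes, the rundll32 export name) are taken from the paste; the mail records, proxy lines, process events, the unknown hash and the in-memory zip are constructed sample inputs, and the log line formats are assumptions.

```python
from __future__ import annotations

import io
import re
import zipfile

# Indicators copied from the paste above.
SENDER_RE = re.compile(r"^logistics@[A-Za-z0-9.-]+$", re.IGNORECASE)
SUBJECT = "SCAN"
ATTACHMENT_RE = re.compile(r"^SCAN_20160915_\d+\.zip$", re.IGNORECASE)
URL_PATH = "/afdIJGY8766gyu"
KNOWN_SHA256 = {
    "c9b7c221208a2d459503b836a1f9c727041170e139523db65dee487db74498e2": "encoded download",
    "f68a383f7f27a8ac1f1cc9040bcbb11747412d2193d6eaa508d010eef3d59d76": "decoded DLL",
}
# "rundll32.exe %TEMP%\<random>.dll,qwerty": the DLL name varies, the export name is stable.
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,qwerty\b", re.IGNORECASE)


def match_email(sender: str, subject: str, attachments: list[str]) -> list[str]:
    """Return the names of the campaign indicators an email's headers match."""
    hits = []
    # Accept both a bare address and the '"Name" <addr>' display form.
    addr = sender[sender.find("<") + 1:].rstrip(">") if "<" in sender else sender
    if SENDER_RE.match(addr.strip()):
        hits.append("sender")
    if subject.strip() == SUBJECT:
        hits.append("subject")
    if any(ATTACHMENT_RE.match(a) for a in attachments):
        hits.append("attachment_name")
    return hits


def zip_contains_wsf(zip_bytes: bytes) -> bool:
    """True if any archive member has a .wsf extension (the dropper type named in the paste)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return any(name.lower().endswith(".wsf") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def match_proxy_line(line: str) -> bool:
    """True if a proxy log line requests the campaign's download path on any host."""
    m = re.search(r"https?://[^/\s]+(/\S*)", line)
    return bool(m) and m.group(1).rstrip("/") == URL_PATH


def match_hash(sha256: str) -> str | None:
    """Return the paste's label for a known payload hash, or None."""
    return KNOWN_SHA256.get(sha256.lower())


def match_process(cmdline: str) -> bool:
    """True if a process command line matches the rundll32 execution pattern from the paste."""
    return bool(RUNDLL_RE.search(cmdline))


def run_demo() -> dict:
    """Run every check over constructed sample inputs and return the hit counts."""
    # Constructed mail metadata: the first record mirrors the paste's headers, the second is benign.
    emails = [
        ('"Vonda trench" <logistics@polvige.com>', "SCAN", ["SCAN_20160915_4058772597.zip"]),
        ("alice@example.net", "Re: invoice", ["report.pdf"]),
    ]
    # Constructed proxy lines (assumed format); the hosts come from the paste's download list.
    proxy = [
        "2016-09-15T11:41:02Z 10.0.0.5 GET http://bet4good.org/afdIJGY8766gyu 200",
        "2016-09-15T11:41:09Z 10.0.0.5 GET http://tommylam.com/afdIJGY8766gyu 404",
        "2016-09-15T11:42:15Z 10.0.0.7 GET http://example.net/index.html 200",
    ]
    # Constructed process events; the first mirrors the paste's rundll32 line.
    procs = [
        r"rundll32.exe C:\Users\u\AppData\Local\Temp\YgXrvSpiw1.dll,qwerty",
        r"rundll32.exe shell32.dll,Control_RunDLL",
    ]
    # One hash from the paste and one constructed unknown value.
    hashes = ["F68A383F7F27A8AC1F1CC9040BCBB11747412D2193D6EAA508D010EEF3D59D76", "0" * 64]
    # Constructed zip: a harmless text member with a .wsf name, standing in for the dropper.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kq8f2.wsf", "constructed placeholder, not the real script")
    return {
        "email_hits": sum(1 for s, sub, att in emails if len(match_email(s, sub, att)) == 3),
        "proxy_hits": sum(match_proxy_line(line) for line in proxy),
        "process_hits": sum(match_process(p) for p in procs),
        "hash_hits": sum(1 for h in hashes if match_hash(h)),
        "zip_has_wsf": zip_contains_wsf(buf.getvalue()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The proxy check keys on the shared URL path rather than the host list because the paste shows the same path reused across three rounds of added domains; the process check keys on the `,qwerty` export for the same reason, since the DLL name in `%TEMP%` is random per infection.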