Racco42

2016-09-26 Locky "Documents Requested"

Sep 26th, 2016
2016-09-26 #locky email phishing campaign "Documents Requested"

Email:
-----------------------------------------------------------------------------------------------------------------------
From: "Melody" <Melody8@[REDACTED]>
To: [REDACTED]
Subject: Documents Requested
Date: Mon, 26 Sep 2016 17:08:49 -0300

Dear [REDACTED],

Please find attached documents as requested.

Best Regards,
Melody

Attachment: doc(553).zip
-----------------------------------------------------------------------------------------------------------------------
- the sender's display name varies between emails, but the From address is forged so that it appears to come from the same domain as the recipient (an internal-looking sender)
- subject is "Documents Requested", in some cases prefixed with "Re:" or "FW:"
- attached file "[doc|new doc|Untitled](<number>).zip" contains a file <random chars>.wsf, a JScript downloader (a Windows Script File, run by the Windows Script Host when the user opens it)

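The three indicators above turned into a mail-gateway triage check, as an added example that is not part of the original paste. The message built by build_sample() is constructed for the demo: the domain example.com, the recipient address, the .wsf member name and its placeholder content are assumptions; the sender name, subject, body text and attachment name are taken from the paste.

```python
"""Triage check for the "Documents Requested" lure described above.

Added example (not part of the original paste). The message built by
build_sample() is constructed for the demo: the domain example.com, the
recipient address, the .wsf member name and its placeholder content are
assumptions; the sender name, subject, body text and attachment name are
taken from the paste.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# "Documents Requested", optionally prefixed with Re:/FW:/Fwd: (any number of times)
SUBJECT_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)*documents requested\s*$", re.I)
# [doc|new doc|Untitled](<number>).zip
ZIP_NAME_RE = re.compile(r"^(?:doc|new doc|untitled)\(\d+\)\.zip$", re.I)


def _bare_address(header_value) -> str:
    """'Display <user@dom>' or 'user@dom' -> 'user@dom'."""
    value = str(header_value or "")
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip()


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def zip_member_extensions(blob: bytes) -> set:
    """Lower-cased extensions of all zip members; empty set if blob is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {"." + n.rsplit(".", 1)[1].lower() for n in zf.namelist() if "." in n}
    except zipfile.BadZipFile:
        return set()


def triage(raw: bytes) -> dict:
    """Apply the three campaign indicators to one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = _domain(_bare_address(msg.get("From")))
    rcpt_domains = {_domain(_bare_address(a)) for a in str(msg.get("To") or "").split(",") if a.strip()}
    hits = {
        # From forged onto the recipient's own domain
        "spoofed_internal_sender": bool(sender_domain) and sender_domain in rcpt_domains,
        "lure_subject": bool(SUBJECT_RE.match(str(msg.get("Subject") or ""))),
        "lure_zip_name": False,
        "wsf_in_zip": False,
    }
    for part in msg.iter_attachments():
        if ZIP_NAME_RE.match(part.get_filename() or ""):
            hits["lure_zip_name"] = True
            if ".wsf" in zip_member_extensions(part.get_payload(decode=True) or b""):
                hits["wsf_in_zip"] = True
    # A zip of that name carrying a .wsf is the decisive indicator; the other two
    # only raise confidence (the subject is generic, SPF may already stop the spoof).
    hits["verdict"] = "locky_lure" if hits["lure_zip_name"] and hits["wsf_in_zip"] else "clean"
    return hits


def build_sample() -> bytes:
    """Constructed sample message modelled on the paste (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        # placeholder member: same naming pattern as the real downloader, no real code
        zf.writestr("Yx8kQp2r.wsf", "<job><script language='JScript'>/* placeholder */</script></job>")
    msg = EmailMessage()
    msg["From"] = "Melody <Melody8@example.com>"  # assumed domain, same as the recipient's
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Documents Requested"
    msg.set_content("Dear victim,\n\nPlease find attached documents as requested.\n\nBest Regards,\nMelody\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="doc(553).zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The verdict deliberately hangs on the attachment, not on the spoofed sender: the From-equals-recipient-domain check is only useful where SPF/DMARC is not already rejecting such mail, and the subject line alone would match plenty of legitimate traffic.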
Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download; match on host and path and ignore the query string):
http://allmemoryusa.com/g766d4ft
http://asotelepathology.org/g766d4ft
http://copsro.sk/g766d4ft
http://corights.net/g766d4ft
http://endwithcare.org/g766d4ft
http://floridaautostereo.com/g766d4ft
http://genealogy.su/g766d4ft
http://imagillaboration.org/g766d4ft
http://jahanexchange.com/g766d4ft
http://optimalpoland.pl/g766d4ft
http://relaywebsample.com/g766d4ft
http://resboiu.ro/g766d4ft
http://vktechs.com/g766d4ft
http://xceramics.com/g766d4ft
http://yourwellnessprescription.com/g766d4ft

UPDATE:
http://banksecuritywatch.com/g766d4ft
http://clsss.ru/g766d4ft
http://discountghd.org/g766d4ft
http://elateplaza.com/g766d4ft
http://elmostashar.com/g766d4ft
http://ensaenerji.com/g766d4ft
http://etoc.biz/g766d4ft
http://ict-net.com/g766d4ft
http://infotecx.com/g766d4ft
http://localxmobi.com/g766d4ft
http://lust-vodka.com/g766d4ft
http://minevitamin.com/g766d4ft
http://mokinukai.lt/g766d4ft
http://networkthai.org/g766d4ft
http://osago-plus.ru/g766d4ft
http://polykarpou.com/g766d4ft
http://presidenthotelthailand.com/g766d4ft
http://residencyradio.com/g766d4ft
http://room8008.com/g766d4ft
http://serwing.com/g766d4ft
http://sindhbankltd.com/g766d4ft
http://snor.it/g766d4ft
http://specnaz-ars.ru/g766d4ft
http://sudep-registry.org/g766d4ft
http://u2station.com/g766d4ft
http://venderminegocio.com/g766d4ft


Malware:
- encoded on download, SHA256 02f5f74a6213ca24e55e2baaec2dab8c1366f2287eba9b9bad87dd11354def09, filesize 233472 bytes
- decoded SHA256 86d229d219a21ab8092839a4361d30977e56c78f0ada10b6d68363b2834dd1dc (search for both hashes: the blob on the wire and the file written to disk differ)
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty" (the decoded payload is a DLL; "qwerty" is the export name rundll32 is told to call, and is the distinctive part of the command line)
- samples
https://www.reverse.it/sample/292e22840eaaeb57b8fb8ef717db3340b4884bedd2120b2a89ea1888fa6c561c?environmentId=100
https://www.reverse.it/sample/d69264e5d257848117b917f418ff6da3c4a46ff7c91f8e30f22e3214137fa3dc?environmentId=100
https://www.reverse.it/sample/d93ae0db0035126337062b1eede3dcced33d7434f600bf055232f8e86467305a?environmentId=100
https://www.reverse.it/sample/b1cb3e3dd1be978a040f7fe0e30b1b2c020f3101a34a0ade2c355fab5401d700?environmentId=100
https://www.reverse.it/sample/8f209d47f687748f2af3857345aac08f9552363cd999456b6f7239eb581947f6?environmentId=100
https://www.reverse.it/sample/d58770e949bf6eb3411d05bbed9a1a7d3ef0d4c1cefc681fb6f324e283765651?environmentId=100

C2 (the address in brackets is what the domain resolved to when observed):
POST 62.173.154.240:80/apache_handler.php
POST 5.196.200.247:80/apache_handler.php
POST uiwaupjktqbiwcxr.xyz:80/apache_handler.php [86.110.118.114]
POST rflqjuckvwsvsxx.click:80/apache_handler.php [86.110.118.114]
POST dypvxigdwyf.org:80/apache_handler.php [69.195.129.70]
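The download-site list, the C2 list and the rundll32 execution line above, applied to proxy and process-creation records as an added example that is not part of the original paste. The log line layout, the client IPs, the benign request and the user path under Temp are constructed for the demo; the download hosts, the /g766d4ft path, the C2 hosts and addresses, the POST to /apache_handler.php and the rundll32 invocation come from the paste, and the host sets in the code are a subset of the lists above.

```python
"""Match proxy and process-creation records against the IOCs above.

Added example (not part of the original paste). The log line layout, the
client IPs, the benign request and the user path under Temp are constructed
for the demo. The download hosts, the /g766d4ft path, the C2 hosts/addresses,
the /apache_handler.php POST and the rundll32 invocation are taken from the
paste; the host sets below are a subset, extend them with the full lists.
"""
import re
from urllib.parse import urlsplit

DOWNLOAD_PATH = "/g766d4ft"          # identical on every download site listed above
DOWNLOAD_HOSTS = {                   # subset of the download sites above
    "allmemoryusa.com", "asotelepathology.org", "copsro.sk", "corights.net",
    "endwithcare.org", "banksecuritywatch.com", "clsss.ru", "snor.it",
}
C2_PATH = "/apache_handler.php"
C2_HOSTS = {                         # C2 names and addresses from the paste
    "62.173.154.240", "5.196.200.247", "86.110.118.114", "69.195.129.70",
    "uiwaupjktqbiwcxr.xyz", "rflqjuckvwsvsxx.click", "dypvxigdwyf.org",
}
# rundll32.exe <...>\Temp\<dll>,qwerty  or  rundll32.exe %TEMP%\<dll>,qwerty;
# the export name "qwerty" is the distinctive part
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^\s"]*(?:\\temp\\|%temp%\\)[^\\\s",]+"?\s*,\s*qwerty\b', re.I)


def classify_url(method: str, url: str) -> str:
    """Label one proxy request: 'download', 'download-unlisted-host', 'c2',
    'c2-unlisted-host' or ''. The query string is deliberately ignored because
    the campaign appends a random ?<k>=<v> that does not change the payload."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if path == DOWNLOAD_PATH:
        return "download" if host in DOWNLOAD_HOSTS else "download-unlisted-host"
    if method.upper() == "POST" and path == C2_PATH:
        return "c2" if host in C2_HOSTS else "c2-unlisted-host"
    return ""


def is_locky_rundll32(cmdline: str) -> bool:
    """True for the rundll32 command line the paste reports for the dropped DLL."""
    return bool(RUNDLL_RE.search(cmdline))


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
PROXY_LOG = """\
2016-09-26T20:12:03Z 10.0.0.7 GET http://copsro.sk/g766d4ft?x7f2=ab91 200
2016-09-26T20:12:09Z 10.0.0.7 POST http://62.173.154.240/apache_handler.php 200
2016-09-26T20:12:11Z 10.0.0.7 POST http://uiwaupjktqbiwcxr.xyz/apache_handler.php 200
2016-09-26T20:13:40Z 10.0.0.8 GET http://www.example.org/index.html 200
2016-09-26T20:14:02Z 10.0.0.9 GET http://files.example.net/g766d4ft?q=1 200
"""

# Constructed process-creation command lines (Sysmon event 1 / 4688 style)
PROCESS_LOG = [
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\kjh3g4f.dll,qwerty",
    r"rundll32.exe %TEMP%\a1b2c3.dll,qwerty",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]


def scan_proxy_log(text: str) -> list:
    """(client, label, host) for every request that matches an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, method, url = fields[:4]
        label = classify_url(method, url)
        if label:
            hits.append((client, label, urlsplit(url).hostname))
    return hits


def scan_process_log(cmdlines) -> list:
    """Command lines that match the rundll32 execution pattern."""
    return [c for c in cmdlines if is_locky_rundll32(c)]


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in scan_process_log(PROCESS_LOG):
        print("process", hit)
```

Matching on the path alone ("download-unlisted-host", "c2-unlisted-host") is what catches the download sites and C2 domains added after this paste was written; the host sets only tell you whether the hit is already on the list.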