Racco42

Locky "[Vigor2820 Series] New voice mail message from"

Sep 8th, 2016
2016-09-08 #locky email phishing campaign "[Vigor2820 Series] New voice mail message from xxxxxxxx"
https://myonlinesecurity.co.uk/vigor2820-series-new-voice-mail-message-from-random-telephone-number-on-20160823-210159-delivers-locky-zepto-ransomware/

Email sample (sender address is faked to be from voicemail@<recipient's domain>):
------------------------------------------------------------------------------------------------
From: voicemail@[REDACTED]
To: [REDACTED]
Subject: [Vigor2820 Series] New voice mail message from 01452422396 on 2016/09/08 13:23:20

Dear [REDACTED] :
There is a message for you from 01452422396, on 2016/09/08 13:23:20 .
You might want to check it when you get a chance.Thanks!
------------------------------------------------------------------------------------------------
Attached file "Message_from_<number>.wav.zip" contains "<random_chars>.wsf", which contains a JScript downloader.

Download sites (URL contains suffix ?<random>=<random>, which does not influence download):
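The note above gives a mail gateway everything it needs to flag this wave: the fixed subject prefix, the voicemail@<own domain> forged sender, the .wav.zip attachment carrying a .wsf, and a download path whose ?<random>=<random> query is noise. The following is an added detection example written for this page, not code from the paste's author; the message dict layout, the sample message and the example.invalid URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Subject and attachment patterns taken from the sample in the note above
SUBJECT_RE = re.compile(
    r"^\[Vigor2820 Series\] New voice mail message from \d+ on \d{4}/\d{2}/\d{2} ")
ATTACH_RE = re.compile(r"^Message_from_\d+\.wav\.zip$", re.IGNORECASE)
# Download path shared by every site in this wave; the query string is noise
KNOWN_PATHS = {"/g76gyui"}


def normalize_url(url):
    """Drop query string and fragment so URLs compare on scheme+host+path only."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.lower(), p.path, "", ""))


def url_matches_campaign(url):
    """True when the URL path (ignoring the ?<random>=<random> suffix) is known."""
    return urlsplit(normalize_url(url)).path in KNOWN_PATHS


def score_message(msg):
    """Return the campaign indicators found in one message.
    msg keys (assumed layout): from_addr, to_addr, subject, attachments
    (attachment names) and inner_files (names unpacked from the zip)."""
    hits = []
    if SUBJECT_RE.match(msg.get("subject", "")):
        hits.append("subject")
    # Sender is forged as voicemail@<the recipient's own domain>
    sender, rcpt = msg.get("from_addr", ""), msg.get("to_addr", "")
    if sender.startswith("voicemail@") and "@" in rcpt:
        if sender.split("@", 1)[1].lower() == rcpt.split("@", 1)[1].lower():
            hits.append("spoofed_voicemail_sender")
    if any(ATTACH_RE.match(a) for a in msg.get("attachments", [])):
        hits.append("wav.zip_attachment")
    if any(f.lower().endswith(".wsf") for f in msg.get("inner_files", [])):
        hits.append("wsf_inside_zip")
    return hits


# Constructed sample mirroring the redacted email above (not a real message)
SAMPLE = {
    "from_addr": "voicemail@example.com",
    "to_addr": "alice@example.com",
    "subject": "[Vigor2820 Series] New voice mail message from 01452422396 on 2016/09/08 13:23:20",
    "attachments": ["Message_from_01452422396.wav.zip"],
    "inner_files": ["kx9q2zt.wsf"],
}

if __name__ == "__main__":
    print(score_message(SAMPLE))
    print(url_matches_campaign("http://example.invalid/g76gyui?abcd=wxyz"))
```

Treat any message with two or more hits as a quarantine candidate; the URL normaliser lets proxy logs be matched against the path alone rather than against every host in the list.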

Malware:
- encrypted on download, SHA256 e1c613422f144c88c3df517a4ba7dcd660939813c617f7ccc5a2ecfa29c05af9, filesize 159744 bytes
- decoded SHA256 c761685e6d70149af0a3fd461a1bb9d61f93479e46428ca55ed546f85c1d28ef
https://www.reverse.it/sample/6da27084917eb60c352701cc2129c1ec8d2d8486906ebd1fb40dc6a4a3db7b88?environmentId=100
https://www.reverse.it/sample/0b3f1d2479351a107abdf49249cd1671c9e2ec0a3c2a2d784cb435061c76cc22?environmentId=100
https://www.reverse.it/sample/6a7ec5fb2d236aaa3e00e16ed6ad5876b9aa55edc86d1b4eae057f22806fe45a?environmentId=100

There is no visible C2 communication; the RSA key is probably part of the config.