Racco42

2016-09-20 Locky "Tracking data"

Sep 20th, 2016
2016-09-20 #locky email phishing campaign "tracking data"

Email:
-------------------------------------------------------------------------------------------------------------
From: "Georgina Greene" <Greene.72@connectel.com.pk>
To: [REDACTED]
Subject: Tracking data
Date: Tue, 20 Sep 2016 12:03:53 +0500

Good afternoon [REDACTED],
Your item #1511809-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.

The tracking data (570d51e19adc78fc6811f269a1c0c102ba7cc400) is attached.

Attachment: e814fa8c18a.zip
-------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Tracking data"
- attached file <random hex chars>.zip contains two files - a zero-filled junk file with a one-letter name and "tracking data ~<random hex chars>~.js", a JScript downloader

Download sites:
http://akinave.ru/1e11lhrk
http://akinave.ru/ckk7y
http://akinave.ru/sij8m
http://banyapike.net/61a00qs2
http://banyapike.net/d0tuudc
http://banyapike.net/s92nzco
http://nightzax.in/jgjp58x
http://nightzax.in/n0uc1mqr
http://nightzax.in/zw5y36
http://solenapeak.com/2zg3kl
http://solenapeak.com/fs3e3a
http://solenapeak.com/ha4n2
http://vetchsoda.org/5pnqv2
http://vetchsoda.org/jraiuh
http://vetchsoda.org/uemmdt

- payload is encoded on download (SHA-256 of the file as downloaded, followed by the source URL):
801167a277a427b82a15631c15efff6011d9a3d643dd3214b827537428d9c417 http___banyapike.net_61a00qs2
56f1f0dbf4cef5c51eb4d56375276f552436be76c38b71aa94bcd0269408860f http___banyapike.net_d0tuudc
36cf2e0e2a7b8c23f5c146070a7c15f1787354250df84cc5e8f3ca5b6685c486 http___banyapike.net_s92nzco
a639726a4f94f58570801488163bb8cf1fb1a95c2382cd979dd2b2f8690113cd http___nightzax.in_jgjp58x
fc605b938c00cc38a65d194ef581d3d7863db3e513f0742f8fbcad60a8ffb127 http___nightzax.in_n0uc1mqr
7ffd79dea82cc0d692cd7d2eba382ee64af2ad88da7970244bed4e6b791020df http___nightzax.in_zw5y36
ec65913da87fa36f57b57860896261d5076ce603c34305c40522b70dce3b81b1 http___solenapeak.com_2zg3kl
61ac2e103a2ec13cbab5b660ac9f9c637a96c0258908d55089365f047e32f013 http___solenapeak.com_fs3e3a
8a4ff90fdde35ef78303bf40c0577f67ce486028818df7a64b68a204410b9186 http___solenapeak.com_ha4n2
035e041b5ec75f62d61bcf4b3ce4f251c5593ca891beb109221ac3063b94c8d9 http___vetchsoda.org_5pnqv2
6287fe8c7b260c2e8c76bdb3d5b2f9b407870ea8656ed94e59f02c86afc5f546 http___vetchsoda.org_jraiuh
7bcdeda57f42fe3f19b70db9f5aee6c64d70c4528fbcc78d6d57bd2f637273a8 http___vetchsoda.org_uemmdt
- decoded payloads (SHA-256):
5c5d62826deb008e0ae0fe5015f02d305403a6f624454138c4cd491d3f9d80d3
23aabac3e4d5062abae02798d20547e3353bfed1f3b589b0733e4583a3969aed
f225cb59d62e40a086a0ce10ee1f748b1af77a3bf090a2540debed782012be99
ea1cfa9b3f09a0ac533f8ee0f902851fcaff23b7e3e9386050ff6c9a166da42e
- executed as "rundll32.exe %TEMP%\<dll_name>,qwerty 323"

https://www.reverse.it/sample/d7e29516b6c5336546193e6237ba90cfb49ca81ecdaefa989242a27a975243a6?environmentId=100
https://www.reverse.it/sample/b4d53866b8106f89d94c4d1c6d010c2f3370251f5d29efe1db63491524b60083?environmentId=100
https://www.reverse.it/sample/b9ad5ebb02eddbf023730cd938ca8d76537ccff698a2f61968ee13863cab94a3?environmentId=100
https://www.reverse.it/sample/50b1872cfc78164753832437dad3c08a12f751835472b5040d315097a7c1e903?environmentId=100
https://www.reverse.it/sample/f69c308b4514ea46d580422367fb20ef927bf56dd16c3da58074c653949f35da?environmentId=100
https://www.reverse.it/sample/fb645bbd110f087359a8ad5de6bd02924bbb2a6545b3437a8df057e035e9c944?environmentId=100

C2:
46.38.52.225:80/data/info.php
195.64.154.202:80/data/info.php
91.223.88.205:80/data/info.php
176.103.56.105:80/data/info.php
kixxutnpikppnslx.xyz/data/info.php [91.223.88.209]
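The chain listed in this paste (hex-named zip with a "tracking data ~<hex>~.js" downloader, encoded payload pulled from the download hosts, a DLL in %TEMP% run through rundll32 with export "qwerty", check-in to /data/info.php on the C2 hosts) can be turned into a small matcher for proxy, file and process-creation logs. The script below is an added example, not part of the paste or of any tool the paste references: the log line format ("<kind> <source-ip> <detail>") and the sample log lines are constructed for the demonstration, only the first two hashes of each hash list are transcribed, and the rundll32 regex is one defender's interpretation of the command line quoted above.

```python
"""Added example (not from the paste): match the Locky "Tracking data"
campaign indicators listed above against simple log lines."""
import re
from urllib.parse import urlparse

# Indicators transcribed from the paste. Only the first two hashes of each
# list are included here; extend the sets with the rest from the paste.
DOWNLOAD_HOSTS = {"akinave.ru", "banyapike.net", "nightzax.in",
                  "solenapeak.com", "vetchsoda.org"}
C2_HOSTS = {"46.38.52.225", "195.64.154.202", "91.223.88.205",
            "176.103.56.105", "kixxutnpikppnslx.xyz"}
C2_PATH = "/data/info.php"
ENCODED_SHA256 = {
    "801167a277a427b82a15631c15efff6011d9a3d643dd3214b827537428d9c417",
    "56f1f0dbf4cef5c51eb4d56375276f552436be76c38b71aa94bcd0269408860f",
}
DECODED_SHA256 = {
    "5c5d62826deb008e0ae0fe5015f02d305403a6f624454138c4cd491d3f9d80d3",
    "23aabac3e4d5062abae02798d20547e3353bfed1f3b589b0733e4583a3969aed",
}

# Attachment naming from the paste: <hex>.zip containing "tracking data ~<hex>~.js".
# The zip name alone is a weak signal (any hex-named zip matches); the .js name is stronger.
ZIP_RE = re.compile(r"^[0-9a-f]+\.zip$", re.I)
JS_RE = re.compile(r"^tracking data ~[0-9a-f]+~\.js$", re.I)
# Execution from the paste: rundll32.exe %TEMP%\<dll_name>,qwerty 323
# Matches either the literal %TEMP% or an expanded ...\Temp\ path, with export "qwerty".
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?:%temp%|\S*\\temp)\\[^,"\s]+"?\s*,\s*qwerty\b', re.I)


def classify_url(url):
    """Return "download" for a payload host, "c2" for a check-in URL, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        return "download"
    if host in C2_HOSTS and parsed.path == C2_PATH:
        return "c2"
    return None


def classify_file(name, sha256=None):
    """Hash match beats name match; returns a label or None."""
    if sha256:
        sha256 = sha256.lower()
        if sha256 in ENCODED_SHA256:
            return "encoded-payload"
        if sha256 in DECODED_SHA256:
            return "decoded-payload"
    if JS_RE.match(name) or ZIP_RE.match(name):
        return "lure-attachment"
    return None


def is_rundll_stage(cmdline):
    """True when a process command line matches the rundll32/qwerty pattern."""
    return RUNDLL_RE.search(cmdline) is not None


# Constructed sample log, one event per line: "<kind> <source-ip> <detail>".
# "file" lines carry "<sha256-or-dash> <name>". The indicator values come from
# the paste; the benign lines and the IP are made up.
SAMPLE_LOG = r"""proxy 10.0.0.5 http://banyapike.net/61a00qs2
proxy 10.0.0.5 http://www.example.com/index.html
file 10.0.0.5 - "tracking data ~3f9a1c~.js"
proc 10.0.0.5 rundll32.exe C:\Users\bob\AppData\Local\Temp\a1b2c3.dll,qwerty 323
proc 10.0.0.5 rundll32.exe shell32.dll,Control_RunDLL
proxy 10.0.0.5 http://kixxutnpikppnslx.xyz/data/info.php
file 10.0.0.5 5c5d62826deb008e0ae0fe5015f02d305403a6f624454138c4cd491d3f9d80d3 payload.bin
"""


def scan(log_text):
    """Return [(line_no, source_ip, label)] for every line that hits an indicator."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        kind, src, rest = line.split(" ", 2)
        label = None
        if kind == "proxy":
            label = classify_url(rest)
        elif kind == "file":
            sha, name = rest.split(" ", 1)
            label = classify_file(name.strip('"'), None if sha == "-" else sha)
        elif kind == "proc":
            label = "rundll32-stage" if is_rundll_stage(rest) else None
        if label:
            hits.append((no, src, label))
    return hits


if __name__ == "__main__":
    for no, src, label in scan(SAMPLE_LOG):
        print(f"line {no}: {src} -> {label}")
```

Hash and host matches are exact and age quickly; the rundll32 pattern (a DLL loaded from a Temp directory with a named export) is the part most worth keeping in a detection rule, since it describes the behaviour rather than a single sample.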