2016-11-23 Locky "Please pay attention"

1. 2016-11-23 #locky email phishing campaign "Please pay attention"
2.  
3. Email sample:
4. ----------------------------------------------------------------------------------------------------------------
5. From: "Wallace Guzman" <Guzman.Wallace@hoop-ology.com>
6. To: [REDACTED]
7. Subject: Please Pay Attention
8. Date: Wed, 23 Nov 2016 14:49:36 +0530
9.  
10.  
11. Dear [REDACTED], we have received your payment but the amount was not full.
12. Probably, this occurred due to taxes we take from the amount.
13. All the details are in the attachment - please check it out.
14.  
15. Attachment: lastpayment_[REDACTED].zip
16. ----------------------------------------------------------------------------------------------------------------
17. - sender varies between emails
18. - subject is "Please pay attention"
19. - attached file "lastpayment_<recipient name>.zip" contains file "<random uppercase letters and digits>.js", a JScript downloader
20.  
21. Download sites:
22. http://broncvita.com/5vy2q
23. http://broncvita.com/dvdzv
24. http://broncvita.com/g7fiwm
25. http://broncvita.com/gy3defplbd
26. http://gurlfanam.net/bzv4jz9er
27. http://gurlfanam.net/d4g73
28. http://gurlfanam.net/krwjx
29. http://gurlfanam.net/uhcgkozekr
30. http://jinxlaze.com/emch2nr6
31. http://jinxlaze.com/rysuuttn
32. http://jinxlaze.com/vr2ltm
33. http://nhatnang.vn/he5m5tfvih
34. http://nicehdwall.com/lobvc
35. http://nielsredeker.nl/gmcoirnrm
36. http://nightpeople.co.il/xklqq33nr
37. http://noveda.nl/viknlp3
38. http://novinnic.ir/liinyes
39. http://obtenloya.com/iksivwr
40. http://ondeviesurgut.myjino.ru/4edogu
41. http://opakowania.info/ickljgo
42. http://opennano.pl/ewf1xe3i
43. http://ovacii.biz/eh7xryos
44. http://ovofit.cz/tcaulm
45. http://ozzu.de/wdxzw
46. http://pearlgonzalez.com/b9wawhy
47. http://pensionwoehler.de/9jjgk
48. http://pesci.ro/jgves
49. http://pineysprat.com/fquah44d
50. http://pineysprat.com/jd3gfy
51. http://pineysprat.com/zqdjx
52. http://playdog.ro/ufbuscn
53. http://playtres.com.ar/3aepw
54. http://plus39italiandesign.com/rtyww0
55. http://poloneo.com/55bgq
56. http://praam.cz/iessl
57. http://pregnancysquare.com/diu9ktmd
58. http://printo.nl/uxzw0mspm
59. http://publygoo.it/u1rcrvfojx
60. http://pvlabs.com/kby84bm
61. http://qdweierya.com/qtubp
62. http://rabavolgy.hu/utmu1mc
63. http://racersguide.com/ghsgpxzovg
64. http://reklomastik.com/8xekhjw
65. http://rentvspb.ru/dzduu
66. http://revuk.com/agqrcwgqyn
67. http://risewh.com/pg31nkp
68. http://vedicmotet.com/4krn5d7
69. http://vedicmotet.com/61y7mljr4
70. http://vedicmotet.com/8eqb3u
71. http://vedicmotet.com/rpi4l
72.  
73. UPDATE:
74. http://jinxlaze.com/1tsrnq7rqh
75. http://nirvel.ca/7grdd
76. http://nlvladimir.ru/sfmfl5ktuc
77. http://ofertaestetica.com/5uiyuhohn
78. http://orchideus.cz/vrzaq
79. http://pineysprat.com/z2uqnic
80. http://pnlglobal.com.au/i7uma
81. http://polgraf.eu/j8uxdx0j
82. http://prayerarchive.com/fymbob
83. http://proancosl.com/gcotjy
84. http://qumeinv.com/ljhdj5
85. http://rennsteig-saale.de/pn7v5
86. http://rightman.co.th/6vk5qq
87.  
88. UPDATE2:
89. http://natural-anxiety-remedies.com/e5vo06vkm
90. http://oneice2011.com/4pwxwqj3ug
91. http://pfec.com.au/mq2qf9eb
92. http://pindaomenu.com/nvslt
93. http://prismaserv.ro/obel8tf
94. http://ptworkdomain.com/vicsc4zgya
95. http://rek-style.ru/eivvpg7
96.  
97. UPDATE3:
98. http://ppfe.ru/vyf4h
99. http://redrhinomakeuptrailers.com/jxgaeipxw
100. http://naturalnepodlogi.cba.pl/utnnyduqa
101. http://offerrat.com/12mi44q
102.  
103. Malware:
104. - encoded on download
105. 540beef55a8adf2a14ba2acf48357433ca23291cb1859cad47c4229d9ae81f65 http___broncvita.com_5vy2q
106. ab6b6a9e109ef7f7200fd5a4f92cceb64478bb24a4033b852194acd121857746 http___broncvita.com_dvdzv
107. b06ddfacd055570a6ea817b1abfc03e65ff2b3edad2c068d546d8795ad5c5e56 http___broncvita.com_g7fiwm
108. 793eb19fb4dd6b150bab5a9f86c23cceb7b32bc754b3088c5579652cd692872c http___broncvita.com_gy3defplbd
109. a2050a09223d883232368daedfc64afeee92a875867a09779fcf8dfdd1df6d93 http___gurlfanam.net_bzv4jz9er
110. 8bf47e6d3ae4168909eaae9dd2e28678a3b4ee994c0043669b28e43a7a49e467 http___gurlfanam.net_d4g73
111. 6d0d9d9442973d90022afbe70e8e1332e3f61ec9f3fc763484c866752b97d63a http___gurlfanam.net_krwjx
112. 64c83876303a741938aec86a7ca300c5a9ad1d6cb1d7ab9d6687aa15b6187ee9 http___gurlfanam.net_uhcgkozekr
113. 56b345e29fbea43681fcb00bb8f037fb2f34e526496e6e1293a38e8cebb3095f http___jinxlaze.com_emch2nr6
114. 9ca215fe1f19fc0d352d1ee337c1bd2c04f4959ed074f75cdb541ba4b6540af7 http___jinxlaze.com_rysuuttn
115. 08ebf161edc68c6354fac7960f89935924f30c05dc094abf1d29b3c7842c1bed http___jinxlaze.com_vr2ltm
116. 4bdc15d04a742fe23a7ddf88ba1808d1beb82a8b1141141d51b98f2d43c47cf0 http___nhatnang.vn_he5m5tfvih
117. 9451f4c1903f45625c6cc11b113d6d31f5439ce138df69a480e04d7d86baf0a2 http___nicehdwall.com_lobvc
118. d4fe0de9fb7c8827f4c0de5e72eea3497299ddb3677c90aba6d5cfa8d7d249d4 http___nielsredeker.nl_gmcoirnrm
119. 37f21822c22f35aea14ec518782f7b3966a78bc5101f31d0030cf955d541df03 http___nightpeople.co.il_xklqq33nr
120. d1c3c4bbc1fe106a7243d55186d64366579d3c653629f3420cb820b167d76f3d http___noveda.nl_viknlp3
121. 351e188752f9a848b73b1944fe88be2045add5b4c13ddbe90f4d8d551e753a1c http___novinnic.ir_liinyes
122. 70d2b911004d49f599f0fcb6a94e371f6b6233a9357e34f3b5b4e8255b9732ee http___obtenloya.com_iksivwr
123. 571a4c0850c2d63791ce3fa61ac6a6270683bbafd1fb441289bcbc06849df0e0 http___ondeviesurgut.myjino.ru_4edogu
124. 0a9a7f053020725b4b732f695ef34bf5368c3040081299af7874e920c6b63180 http___opakowania.info_ickljgo
125. 8252fa8fd8d1bf48b690062f8bd81bede55e5a13f0ae5bc21ddebccb3e10a3bd http___opennano.pl_ewf1xe3i
126. ab707c250ff7185c92f9dd903827c4e09d92249127a75637d9c2a797834640a1 http___ovacii.biz_eh7xryos [1]
127. aaca2f1f670e481b158afb6f2352a8346f4870317092078c32011a58ffc209be http___ovofit.cz_tcaulm
128. 74124182634b0b0207dc49226a5132a943f4dd894de6d904309c8d77261ff813 http___ozzu.de_wdxzw
129. b338b5dbb65698b10a08d97892d6ff47347e7574198c99fefe4454aae26ede79 http___pearlgonzalez.com_b9wawhy
130. 5c48729725c51b26ea15a28e17e52607aae2af003f7edfb33e253ae16819cbe4 http___pensionwoehler.de_9jjgk
131. 033ec1a68d006f7885d52a7de5e636ce0de8506132c573d4a623617279bcf902 http___pesci.ro_jgves
132. f26ef4b2169a38fe48bc8c5331e1b59f131e6a29a5443a7ce8d3b6c15c4148d4 http___pineysprat.com_fquah44d
133. b0b2b1c98f84dfe646c2d3edbf2600a847fdb3f11cc4967c3ae9d1ddb6d5ecb1 http___pineysprat.com_jd3gfy
134. 51fb5739514e788d27cf596d73616866be5af5876711b9f07e48147e662b9277 http___pineysprat.com_zqdjx
135. 1affefb3fb145aa7526d10885808bd83a4c5da7311953bc6b6d3ceaaebd35386 http___playdog.ro_ufbuscn
136. 0d36cf34911639a633545714b335d76f5b20e69fe3dcefc175402a1725266d4b http___playtres.com.ar_3aepw
137. b0767e71b1e6d1d36e3f10024313e3d927d31b642aaae29c5c7c22049a892bee http___plus39italiandesign.com_rtyww0
138. 536431f64eb1de48a7297dc94ad13daeaf809aa6a31ee13cbf9a030dc65fe4ac http___poloneo.com_55bgq
139. 39e330258c60894773198057ab0cf11cd48728042f523350271895924fcc7a3d http___praam.cz_iessl
140. 466f72275022b58fef6fa63d04e47797684abd89d2aa230d585c4e8412c91e20 http___pregnancysquare.com_diu9ktmd
141. 119cab2876ecc200df3aa29cd8730dfedc5308431d8c7d5961217c8d51d683a5 http___printo.nl_uxzw0mspm
142. ef2997f2a21162f03b005a045cb6b6ffe1e3d8c96bd88933cf50b622ca58d9b1 http___publygoo.it_u1rcrvfojx
143. 496b7539755b3c3625dc49e6160b86a7fc46aa4cd6257a5fdbfa8fddc561b142 http___pvlabs.com_kby84bm
144. 324405ee83f12baa3fa49c8034139222034ba95fdcf6b3cdf3095784db057527 http___qdweierya.com_qtubp
145. ebdb8c638edd607866ca62c482a92b153cad55b3c517f4ce6c41c47667c3d5b1 http___rabavolgy.hu_utmu1mc
146. 05c052b5827784d01fcec1905423dfeb85e66627150d77fff290803cbd12809e http___racersguide.com_ghsgpxzovg
147. 94dd34cf12e133575efa1e8bb01bc17884d5b21e575e06f3f71b6ba1c0ad4623 http___reklomastik.com_8xekhjw
148. a0fb65af4ac6f08b7f45ba3d43b05e120cff9fe92533407a87101f3eef22151d http___rentvspb.ru_dzduu
149. abf41ce7b428fdbd5bcd624557a414a0ad1a50851471a0ef84ec50a1f2fbe17c http___revuk.com_agqrcwgqyn
150. ce3a953795e98b735df5b597ec97dc13efd26ce830393b4702d449e45529203a http___risewh.com_pg31nkp
151. 755cbef31a97f4dfb1d8c8e1f901fef5b1b476878ea0617cb04b6f12500a4372 http___vedicmotet.com_4krn5d7
152. 24f95636c16ab7b7c1d5a742ff39c903dfd600ab01b5b276c3cc26efce3262e6 http___vedicmotet.com_61y7mljr4
153. f7fa39b48d66ab99d430aac307fcfbfeeb1c8dff2f2a08050c222a66f45ced12 http___vedicmotet.com_8eqb3u [2]
154. fa049ea855c58eb4b5c902455eac5402cfa5e83093411b17b32291671583e79d http___vedicmotet.com_rpi4l
155. - decoded
156. a62e526a4b17819de17846a44639cdce71de215a630cec1487fea86271e6e8a0 [1]
157. 7381969a2409f5b99a9f6d78a1fe632c4d845a11033cd4f972f9e6025e3553d2 [2]
158. - executed by "rundll32.exe %TEMP%\<dll_name>,mq"
159.  
160. C2:
161. POST http://195.123.209.8/information.cgi
162. POST http://213.32.66.16/information.cgi
163. POST http://95.213.186.93/information.cgi
164. POST http://hatjmumvu.su/information.cgi
165. POST http://icjrdsuouoxjxref.click/information.cgi
166. POST http://jbjolaaxwgudt.org/information.cgi
167. POST http://myqbrkhlj.su/information.cgi
168. POST http://oaflyjmei.click/information.cgi
169. POST http://oeeqvvarhgiqmao.work/information.cgi
170. POST http://opjhubsyxj.xyz/information.cgi
171. POST http://trqrhxbooviphgk.ru/information.cgi
172. POST http://ybokmaqgxqdf.biz/information.cgi