2016-12-12 Locky "Attached, Copy, Emailing, File"

2016-12-12: #locky email phishing run "Attached, Copy, Emailing, File"

Email sample:
------------------------------------------------------------------------------------------------------------------------------
From: "Beulah" <Beulah356@packstation.de>
To: [REDACTED]
Subject: File: Receipt_40
Date: Mon, 12 Dec 2016 21:39:49 +0700

Attachment: Receipt_40.zip -> Scan(757).jse
------------------------------------------------------------------------------------------------------------------------------
- sender varies between emails, but sender domain is same as recipient's
- subject is "<Attached|Copy|Emailing|File>: <Document|Receipt|Scan>_<1 or 2 digits>"
- email body is empty
- attached file "<Document|Scan|Receipt>_<1 or 2 digits>.zip" (same as second part of subject) contains file "Scan(<3 digits>).jse", a JScript downloader (the JScript is plaintext, not encoded as suffix suggests)

Download sites:
http://103.27.52.92/874ghv3
http://117.239.70.228/874ghv3
http://216.104.188.249/874ghv3
http://54.93.178.21/874ghv3
http://69.162.74.116/874ghv3
http://absxpintranet.in/874ghv3
http://angelwap.ro/874ghv3
http://autorijschoolpedro.nl/874ghv3
http://belovephoto.com/874ghv3
http://cardbuilderplus.com/874ghv3
http://cynosurejobs.net/874ghv3
http://democro.com/874ghv3
http://dreamtheatre.co/874ghv3
http://dronetech.no/874ghv3
http://envisorusa.com/874ghv3
http://freedommobility.com.au/874ghv3
http://galtechprojects.com/874ghv3
http://gateste.sanatate.us/874ghv3
http://gezgininpusulasi.com/874ghv3
http://greenresist.com/874ghv3
http://gudangg.com/874ghv3
http://hooli.com.au/874ghv3
http://ibfnetwork.com/874ghv3
http://konoikevina.com.vn/874ghv3
http://mebdco.com/874ghv3
http://megapowercash.com/874ghv3
http://mer-pro.com/874ghv3
http://miel-maroc.com/874ghv3
http://mstest2.co.uk/874ghv3
http://muhammadmafazine.com/874ghv3
http://mynamepixs.com/874ghv3
http://omnibusiness-solutions.com/874ghv3
http://onedotm.com/874ghv3
http://ratchadaphoto.com/874ghv3
http://socialandmovieapps.com/874ghv3
http://sunwayautoparts.com/874ghv3
http://sustainabletompkins.org/874ghv3
http://therapymarketinginstitute.com/874ghv3
http://thetbank.com/874ghv3
http://thetravelbug.org/874ghv3
http://tifa-awards.net/874ghv3
http://tutorarabia.com/874ghv3
http://tvctraffic.com/874ghv3
http://waterplusmaroc.com/874ghv3
http://workandplaytherapy.com/874ghv3
http://www.bfsa.gov.bd/874ghv3
http://www.icp.edu.pk/874ghv3
http://www.ifs-b.org/874ghv3
http://www.primeknittexltd.com/874ghv3
http://www.pspmrsmag.com/874ghv3
http://www.pspmrsmtumpat.com/874ghv3
http://www.refereccu.com/874ghv3
http://www.russwat.org/874ghv3
http://zasm.info/874ghv3
http://zocaloalminuto.com/874ghv3

UPDATED:
http://angorabric.org/874ghv3
http://icclicks.com/874ghv3
http://indiaclubdayton.org/874ghv3
http://naacllc.com/874ghv3
http://rewoza.smartsme.tv/874ghv3

UPDATED:
http://3ainstrument.com/874ghv3
http://aiahelps.com/874ghv3
http://filesdiamond.com/874ghv3
http://indigenouspromotions.com.au/874ghv3
http://soulanimtech.com/874ghv3
http://stmerchandise.net/874ghv3
http://thaitooling.net/874ghv3
http://wkreation.com/874ghv3
http://www.paradisecity.pk/874ghv3

Malware:
- encoded on download SHA256 5c112d02b8726e841bba19b9c7aabeff505f25bf833b83b4ccfd97bfd2e32207, MD5 822590912e835cfbcf80855aad3e67d1
- decoded SHA256 77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265, MD5 399600fd83eee256ee6d404e3697adaa
- executed by "rundll32.exe %TEMP%\<dll_name>,get_str"
- sample https://www.virustotal.com/file/77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265/analysis/1481559253/

C2:
POST http://176.121.14.95/checkupdate
POST http://88.214.236.218/checkupdate
POST http://91.219.31.14/checkupdate