2016-12-14 Locky "Amount Payable"

1. 2016-12-14: #locky email phishing campaign "Amount Payable"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------------
5. From: "Normand Landry" <Landry.Normand@quakenet.ro>
6. To: [REDACTED]
7. Subject: Amount Payable
8. Date: Thu, 15 Dec 2016 00:57:21 +0430
9.  
10. Dear [REDACTED],
11. The amount payable has come to $38.29. All details are in the attachment.
12. Please open the file when possible.
13.  
14. -
15. Best Regards,
16. Normand Landry
17.  
18. Attachment: doc_1788897.zip -> ~_A5TNJ_~.js
19. ---------------------------------------------------------------------------------------------------------------------
20. - sender varies between emails
21. - subject is "Amount Payable"
22. - attached file "doc_<7 digits>.zip" contains file "~_<5-7 uppercase chars and digits>_~.js", a JScritp downloader
23.  
24. Download sites:
25. http://0668.com/k5bhgn
26. http://250sb.com./jynvmx
27. http://addwords.com.tr/aah6qmhv
28. http://anti-dust.ru/7k6cp
29. http://asdream.pl/gbbs1c
30. http://atio.li/exjik
31. http://bappeda.dharmasrayakab.go.id/dlhalychp
32. http://braindouble.com/uycx51ix
33. http://buhoutserts.ru/ufdazc6vv
34. http://casino-okinawa.com/ejguf
35. http://catherineduret.ch/5qpqi5ezp
36. http://chinaxw.org/xw1ju7y6zc
37. http://chungcuvinhomemydinh.com/6dvjasf
38. http://crolic88.myjino.ru/1ddig
39. http://demo.shispare.com/bvsjq
40. http://environment.ae/0od5hn
41. http://forbrent.com/h9kqgq
42. http://fyd123.cn/kib6h2d9ga
43. http://groupeelectrogeneservice.com/eefpeywf9z
44. http://hedefosgb.com/dpyzsb6u
45. http://hlonline.kentucky.com/i7z78
46. http://innercityarts.squaremdesign.com/dyo1w7
47. http://jianhu365.com/z9puqdj2eu
48. http://malamut.org/gizb2zq
49. http://obaloco.com.br/67mfj
50. http://peopleprofit.in/pyihdg
51. http://roman64.humlak.cz/7bnisgf
52. http://rulebraker.ru/zsw4cnf9o
53. http://scaune.qmagazin.ro/5hktu4h
54. http://slankmethode.nl/4zzq1am
55. http://subys.com/mjguriv80
56. http://szwanrong.com/x5qxzpjsi
57. http://tecnomundo.uy/a8rnlgzv
58. http://test1.giaiphaponline.org/0ytdjs1
59. http://test.sousouyo.com/feaetpnuee
60. http://theamericanwake.com/xw1ju7y6zc
61. http://travelinsider.com.au/mwaefb4b
62. http://trietlong.net/heyus
63. http://tx318.com/kqe4ca
64. http://ucbus.net/usdxqqt6
65. http://u-niwon.com/kmjg6j9ske
66. http://vaaren.dk/ogcz6ys0d
67. http://viscarci.com/wyqs6353
68. http://walkonwheels.net.au/qmd1uu
69. http://wdcd999.com/lm5z2snyqn
70. http://web-shuttle.in/eeo9oc
71. http://windshieldrepairvancouver.ca/qcp8k7
72. http://wiselysoft.com/qcymgbug7
73. http://wszystkodokuchni.pl/sl5yko7
74. http://wudiai.com/mc3hnwd
75. http://www.espansioneimmobiliare.com/akktnck
76. http://www.myboatplans.net/6d7ukeco6
77. http://wx.utaidu.com/1eybujbru
78. http://xlr8services.com/n970foumf
79. http://xn--k1affefe.xn--p1ai/8wzzjk24u
80. http://youspeak.pt/liowrtxs
81. http://yukngobrol.com/h7sfu
82. http://zhiyuw.com/qfbdcvrul
83. http://zwljfc.com/ld1pvjozu
84. http://zzzort10xtest123.com/nin5k3bwo
85.  
86. Malware:
87. - encoded on download
88. 60380d4f3e5e392d7af27bc85324d7363dd644dfce4059bff832bb3dff17ff21 http___0668.com_k5bhgn
89. 137687d668b7b4b8039f0b373f92c7b84b5c49f14c64d2f9982737b7cdcc1db7 http___250sb.com._jynvmx
90. 65941d887fb447f13b551c295b784374fd834fabafbf7266ceea19b8ff6e8331 http___addwords.com.tr_aah6qmhv
91. 1333357356f93875d1831193aa25fb1ff4bd6c0f04b9c1b971ef7a30cddf50b6 http___anti-dust.ru_7k6cp
92. 3fbff9869e61846c60b500090daa34dcdedcef59940d50b7e94efad20f4af24e http___asdream.pl_gbbs1c
93. 5c51485c89adcc9d3e174021495b459e3e635e7935c3a4943fee691fa28f1495 http___atio.li_exjik [1]
94. 74e94c4b500b9ad64afed2db0614c4d74c819f70f42d17db7bb44d383427fb02 http___bappeda.dharmasrayakab.go.id_dlhalychp
95. 31c0582fe008bd0c689c5416b51dea3da31c9f19557d47cad2a2a73bb7c67389 http___braindouble.com_uycx51ix
96. f4a1f90ba4c2f8c17591293d5cb23487e352292c4fe0670f323d33c64ffa0b43 http___buhoutserts.ru_ufdazc6vv
97. ca367a9dc60404345f4378e16748bfc9eb9f6f3b5bdc9d3193b7ba4d6b1b4b71 http___casino-okinawa.com_ejguf
98. 6c27687cc69afbca322a0f553af13a259ee0cd962bc43a570d9b42558775cf54 http___catherineduret.ch_5qpqi5ezp
99. 5abf81af30ac919aa98d6451ad464bd1889f6923d038bfe0e3c806bd7aa8890c http___chungcuvinhomemydinh.com_6dvjasf
100. 51d8b0e56378efdf337697aababb3d2860411aa207124251989974e48fdb6974 http___crolic88.myjino.ru_1ddig
101. f6dd414b3baac81d6c76b19a437a8d881b9ae316f2894c9a350841f587d983fb http___demo.shispare.com_bvsjq
102. 65803aaa66bc6a101729b223c9c6d35561bb2eb04ac109b72253645a330cfba2 http___environment.ae_0od5hn
103. f88b7dd4a3bc6ffa0acbb484d1f8a9a0487c46d2900a47580f50349cd1e2c588 http___forbrent.com_h9kqgq [2]
104. eef9ad652b13df46397bf0ebbf48058d5e3fe5ac05d8a0b1e9a1341133740260 http___fyd123.cn_kib6h2d9ga
105. 24e0ce5b7e72f05e41c122c2743af3baa828ca0542af734607ab6bd11b6e1487 http___groupeelectrogeneservice.com_eefpeywf9z
106. 63dfe370502acd3b78fc48c0ce11bf9d8e35b2fab53f949214a96e734bb34a68 http___hedefosgb.com_dpyzsb6u
107. 94e1b546c26c96550df3d95b5efbbf420382e31537999b2014771597afc60fd1 http___hlonline.kentucky.com_i7z78
108. 45a4f3987d25ff1d00fedd3310dc755c555149b9a0595178ccd546002157a23e http___innercityarts.squaremdesign.com_dyo1w7
109. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0 http___malamut.org_gizb2zq
110. 7260fd1b41a23694c54866b0053c46d4a0412d42c75839117f5b8ddd707217ad http___obaloco.com.br_67mfj
111. 53104b5ea46bad10353f24f312aac4facfaea2381dba48297592bb3df0e18c55 http___peopleprofit.in_pyihdg
112. 8fb7d12dd09f3dda073ece619a5d7f82c96d5d04598919afe65fdae0dd7b208c http___roman64.humlak.cz_7bnisgf
113. 1552dbbe4dc744872eca7fb0e35b256c18ca576d50c23b38a93f5adfe40e2db0 http___rulebraker.ru_zsw4cnf9o
114. 38e159af864c3625b86ae8b01119318c193e1fecf94bd5533d735fa85d3e1fec http___scaune.qmagazin.ro_5hktu4h
115. f425067875dfa1ef54d3e8519e9a20a7368b31fb5458eef17b74ce41c236b3db http___slankmethode.nl_4zzq1am
116. 17d7054854256b0793bf6aa6700546a043e972191bba20145946a6902d1c9007 http___subys.com_mjguriv80
117. 0df5f4a1e05ad5b4289c45bd08ab5645519e10c9ccd82b00e10312fa15258b11 http___szwanrong.com_x5qxzpjsi
118. e9719d8d73558beefb8d5a706d2c05169cea4e98aecea19df43c8d2f0023f384 http___tecnomundo.uy_a8rnlgzv
119. 218fd633ecd4b10003690aac020245b23f7670d143dc508d84abf95c2da60077 http___test1.giaiphaponline.org_0ytdjs1
120. f96ba5acf26cdb1abd679b7f66d4aec67e2c64dc9d15eea0e822c16385aa7155 http___test.sousouyo.com_feaetpnuee [5]
121. cfaa1aee8b07a41975bc9e53bb863f3b058bcde0de9bcc217067673fcc27dbc0 http___theamericanwake.com_xw1ju7y6zc
122. 99b654d39413500f0255c6bd900251462847a8d0bc0eff5ad699efda157607d8 http___travelinsider.com.au_mwaefb4b
123. 0ae9b763c4332641b021705d38b5db32088abe19ef0bfdef360e9df50c396ea2 http___trietlong.net_heyus
124. 37f5ce8fcb00a1152835efdaac775d33cf5e51eba909fc6a0b363f25bb4d84db http___tx318.com_kqe4ca
125. 15573792ae1923c24ac9ea35b81d39670ae0d002f74ca12ab59a8025318b0db6 http___ucbus.net_usdxqqt6 [3]
126. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743 http___u-niwon.com_kmjg6j9ske
127. fac51ac31cbe2cabc4a1aead779c328ebc6929e286b1e8dfb0928afaca3fee88 http___viscarci.com_wyqs6353
128. 7942fb56210c40a5335a1d27a7b71adfff2faa10cd0e15d3b6b94092f450fc40 http___wdcd999.com_lm5z2snyqn
129. 9c56960f149aaaa338846b2044bcb33bc410a1c07e4c6fae305b4f530744b5dc http___web-shuttle.in_eeo9oc
130. 4b628c53cc41568c3404342ed95b9f2ee0757536ce0cf4ce8bc840829552c22e http___windshieldrepairvancouver.ca_qcp8k7
131. 5487e861fc020735a22fa2270413ac0ecd67312d64ab6e3f4fe049247c37c05d http___wiselysoft.com_qcymgbug7
132. 0b962425f88cb33bb6f1f749b6c51445f4355e2977dbe09d14e0793c2460eaa7 http___wszystkodokuchni.pl_sl5yko7 [4]
133. 4977658adcd5be63bf67d4467703596a7440419539c781d13ac0c2907e9b4aff http___wudiai.com_mc3hnwd
134. 5efbd6851f53e4dc744b3c2668190604da054cc032cdc9a8c374c6da485d6cd4 http___www.espansioneimmobiliare.com_akktnck
135. 61e1f8f7de66c5c47bfa650a32350ddb1e6e9d276f2ab4000fbed8ab040af6f3 http___www.myboatplans.net_6d7ukeco6
136. 653cec019e34af43b585f53fd2314c7c1be5665f839a24b83cf9aa77d168c00c http___wx.utaidu.com_1eybujbru
137. c079b2076b743b9330f516d6b3ad70d4f6814a75fadc9193eb8831b80f5cd195 http___xlr8services.com_n970foumf
138. 77002e17bf31f497f8b3af7eba5784189b3d8ac17544716c896b8b6524051a57 http___xn--k1affefe.xn--p1ai_8wzzjk24u
139. 09f320f6075ef76a0b4872e4c254d0a7232166a45d68d9343c052a44ae895b3e http___yukngobrol.com_h7sfu
140. 86c7448570c0de7abdfcaaea5fb629e33ea92243c4e29ff40e6c945d2a866d54 http___zhiyuw.com_qfbdcvrul
141. 492331c3a61cc62aaa474ef138c3cd061c1d24c3cee4df15d94c5e31c290079b http___zwljfc.com_ld1pvjozu
142. e421ff2290f3660bd93bc353852719377cf94a8558779fb3b3307d9855251743 http___zzzort10xtest123.com_nin5k3bwo
143. - decoded
144. 266aac2adca47cd8c39fa190faf70e32dd1a2752eee22ada4b7fe1a0c80366e3 [1]
145. d44ff3a846a7e5333f6c53e62225760023ffc0629f6dca2adc2256ab2d232854 [2]
146. 4140fa2ea07aab513f2ecd8ccd99a079105ae39e3c2b0cccd225a5354a75c999 [3]
147. 3ad4d594c184f832277dafdee24a3a3a6e8911fb58f0c2b6afdd8cf33549b59b [4]
148. d188b1e1ad3bac313944e30b2ef8e562dced670830e443dc2057bd377494a3ab [5]
149. - executed by "rundll32.exe %TEMP%\<filename>.ZK,S6jdvsfFR"
150. - samples:
151. https://www.virustotal.com/file/266aac2adca47cd8c39fa190faf70e32dd1a2752eee22ada4b7fe1a0c80366e3/analysis/1481756885/
152. https://www.virustotal.com/file/d44ff3a846a7e5333f6c53e62225760023ffc0629f6dca2adc2256ab2d232854/analysis/1481756895/
153. https://www.virustotal.com/file/4140fa2ea07aab513f2ecd8ccd99a079105ae39e3c2b0cccd225a5354a75c999/analysis/1481756920/
154. https://www.virustotal.com/file/3ad4d594c184f832277dafdee24a3a3a6e8911fb58f0c2b6afdd8cf33549b59b/analysis/1481756940/
155. https://www.virustotal.com/file/d188b1e1ad3bac313944e30b2ef8e562dced670830e443dc2057bd377494a3ab/analysis/1481756962/
156.  
157. C2:
158. POST http://185.129.148.56/checkupdate
159. POST http://185.17.120.166/checkupdate
160. POST http://86.110.117.155/checkupdate