Racco42

2017-08-11 Locky "Document / Scan"

Aug 11th, 2017
2017-08-11: #Locky email phishing campaign "Document / Scan / Order"
Samples: 626

Email sample:
--------------------------------------------------------------------------------------------------------------------
From: Evangelina <Evangelina.04@[REDACTED]>
To: [REDACTED]
Subject: Document
Date: Fri, 11 Aug 2017 14:31:00 +0400

Attachment: PDF00076094.pdf
--------------------------------------------------------------------------------------------------------------------
- sender address is forged to appear to be from the same domain as the recipient's, format: <Name>.<number>@<domain>
- subject is "<Document|Invoice|Order|Paper|Receipt|Scan|Scanned Document>"
- email body is empty
- attached file "PDF<6-8 digits>.pdf" contains an embedded .docm file which, when opened, runs a macro that downloads from:

Download sites:
http://2-wave.com/JbhbUsfs
http://3e.com.pt/JbhbUsfs
http://3lr.es/JbhbUsfs
http://6tricksguides.com/JbhbUsfs
http://abstonework.ca/JbhbUsfs
http://accuflowfloors.com/JbhbUsfs
http://ach-wie.net/JbhbUsfs
http://actt.gr/JbhbUsfs
http://acurcioefilhos.pt/JbhbUsfs
http://adr-werbetechnik.de/JbhbUsfs
http://aegeanlab.gr/JbhbUsfs
http://cafe-papermoon.com/JbhbUsfs
http://cagliaricity.com/JbhbUsfs
http://calvintp.fr/JbhbUsfs
http://campusassas.com/JbhbUsfs
http://cancortes.com/JbhbUsfs
http://carriereiserphotography.com/JbhbUsfs
http://caseyeap.com/JbhbUsfs
http://cctv.pt/JbhbUsfs
http://darca.info/JbhbUsfs
http://grossert.de/JbhbUsfs
http://indiasublime.in/JbhbUsfs
http://inormann.it/JbhbUsfs
http://love.chuanmeiker.com/JbhbUsfs
http://nancywillems.nl/JbhbUsfs
http://nerdydroid.com/JbhbUsfs
http://rtozottosdossder.net/af/JbhbUsfs
http://seoulhome.net/JbhbUsfs
http://starsafety.net/JbhbUsfs
http://swangroup.net/JbhbUsfs

Update:
http://carriereiter.com/JbhbUsfs
http://gardenconcept.pl/JbhbUsfs
http://infopoupees.com/JbhbUsfs
http://musicphilicwinds.org/JbhbUsfs

Update:
http://121-psychic-reading.co.uk/JbhbUsfs
http://1888titlework.com/JbhbUsfs
http://adaliyapi.com/JbhbUsfs
http://campuslinne.com/JbhbUsfs
http://conceptfactory.com.au/JbhbUsfs
http://eselink.com.my/JbhbUsfs
http://sharplingerie.com/JbhbUsfs
http://toyah.de/JbhbUsfs

Malware:
- Locky ransomware
- SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e
- MD5: 9dcdfbb3e8e4020e4cf2fc77e86daa76
- VT: https://www.virustotal.com/en/file/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e/analysis/1502448250/
- HA: https://www.hybrid-analysis.com/sample/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e?environmentId=100
- C2: POST 91.219.28.39/checkupdate
      POST 185.127.24.191/checkupdate
- file extension: .diablo6
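Added example, not part of the original paste: a small mail-gateway heuristic that scores incoming messages against the four campaign traits listed above (same-domain sender in <Name>.<number> form, one of the listed subjects, empty body, PDF<6-8 digits>.pdf attachment), plus a proxy-log check for POSTs to /checkupdate on the two C2 addresses. The `Message` class, the `campaign_indicators`, `is_campaign_match` and `c2_checkins` functions, the 3-of-4 threshold and the proxy log format are all assumptions made for this example; every sample message and log line is constructed. Only the subject words, the naming schemes and the C2 hosts come from the paste.

```python
"""
Detection helpers for the 2017-08-11 Locky "Document / Scan" campaign.
Example code written for this page; the traits it keys on are the ones
the paste lists, the data structures and sample data are constructed.
"""
import re
from dataclasses import dataclass, field

# Traits taken from the paste.
CAMPAIGN_SUBJECTS = {"document", "invoice", "order", "paper", "receipt",
                     "scan", "scanned document"}
SENDER_LOCALPART = re.compile(r"^[A-Za-z]+\.\d+$")                  # <Name>.<number>
ATTACHMENT_NAME = re.compile(r"^PDF\d{6,8}\.pdf$", re.IGNORECASE)    # PDF<6-8 digits>.pdf
C2_HOSTS = {"91.219.28.39", "185.127.24.191"}                        # from the paste
C2_PATH = "/checkupdate"


@dataclass
class Message:
    """Minimal view of a mail message as a gateway would hand it over (assumed shape)."""
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _localpart(addr: str) -> str:
    return addr.rsplit("@", 1)[0] if "@" in addr else addr


def campaign_indicators(msg: Message) -> list:
    """Return the names of the campaign traits this message exhibits."""
    hits = []
    same_domain = _domain(msg.sender) and _domain(msg.sender) == _domain(msg.recipient)
    if same_domain and SENDER_LOCALPART.match(_localpart(msg.sender)):
        hits.append("forged_same_domain_sender")
    if msg.subject.strip().lower() in CAMPAIGN_SUBJECTS:
        hits.append("campaign_subject")
    if not msg.body.strip():
        hits.append("empty_body")
    if any(ATTACHMENT_NAME.match(name) for name in msg.attachments):
        hits.append("pdf_numeric_attachment")
    return hits


def is_campaign_match(msg: Message, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` of the four traits are present.
    The 3-of-4 default is an assumption: a single trait (an empty body, or the
    subject "Invoice") is far too common on its own to act on."""
    return len(campaign_indicators(msg)) >= threshold


# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"http://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)"
)


def c2_checkins(log_lines) -> list:
    """Return (client-ip, c2-host) pairs for POSTs to the check-in path on the listed C2 hosts."""
    found = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        if (m.group("method") == "POST" and m.group("host") in C2_HOSTS
                and m.group("path") == C2_PATH):
            found.append((m.group("src"), m.group("host")))
    return found


# Constructed sample data (not real traffic).
SAMPLE_MESSAGES = [
    Message("Evangelina.04@example.com", "alice@example.com", "Document", "",
            ["PDF00076094.pdf"]),                                   # all four traits
    Message("billing@vendor.example", "alice@example.com", "Invoice",
            "Please find the invoice attached.", ["invoice-2017-08.pdf"]),  # subject only
    Message("Mark.17@example.com", "bob@example.com", "Quarterly report", "",
            ["PDF1234567.pdf"]),                                    # three of four
]

SAMPLE_PROXY_LOG = [
    "2017-08-11T10:32:01Z 10.0.0.25 POST http://91.219.28.39/checkupdate 200",
    "2017-08-11T10:32:05Z 10.0.0.25 GET http://www.example.com/index.html 200",
    "2017-08-11T10:33:40Z 10.0.0.31 POST http://185.127.24.191/checkupdate 200",
    "2017-08-11T10:34:00Z 10.0.0.40 GET http://91.219.28.39/checkupdate 404",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.sender, "->", m.recipient, campaign_indicators(m), is_campaign_match(m))
    print("C2 check-ins:", c2_checkins(SAMPLE_PROXY_LOG))
```

The third sample shows why the mail heuristic is scored rather than matched exactly: the subject has changed but the forged sender, empty body and attachment name still identify the campaign, which is the kind of drift a later wave typically shows. The proxy check deliberately requires the POST method as well as host and path, matching the C2 lines above, so a scanner's GET to the same URL is not reported as a check-in.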