2016-11-08 Locky "Statement"

2016-11-08 #locky email phishing campaign "Statement"

Email sample:
-------------------------------------------------------------------------------------------------------
From: <accounts@bonniebarbieri.com>
To: [REDACTED]
Subject: Statement
Date: Tue, 08 Nov 2016 13:34:17 +0330

For your Information.

Attachment: "Statement PDF - 51707599835.zip"
-------------------------------------------------------------------------------------------------------
- sender address is "accounts@<random domain>"
- subject is "Statement"
- attached file "Statement PDF - <random numbers>.zip" contains file "<3 letters><5-6 digits>-<4 digits>.wsf", a JSCript downloader

Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download):
http://alamanconsulting.at/67j5hg
http://all-kaigo.com/67j5hg
http://arabom.com/67j5hg
http://bmkgjateng.com/67j5hg
http://dhmodel.cz/67j5hg
http://fitnessrelax.sk/67j5hg
http://focovi.cl/67j5hg
http://frivill.hu/67j5hg
http://fsgbly.com/67j5hg
http://fu-k.jp/67j5hg
http://fulltattoo.com/67j5hg
http://fungasoap.net/67j5hg
http://futurovision.com/67j5hg
http://g2m.pl/67j5hg
http://gaestehaus-kellner.de/67j5hg
http://galebtopola.com/67j5hg
http://gambit.nysa.com.pl/67j5hg
http://gentscha.de/67j5hg
http://geodispo.com/67j5hg
http://giasungoaingu.net/67j5hg
http://gigabothosting.com/67j5hg
http://gingell.ca/67j5hg
http://giochasach.com/67j5hg
http://gisinecology.com/67j5hg
http://glassfusing.com.au/67j5hg
http://golden-bereg.ru/67j5hg
http://gpstrackerbali.com/67j5hg
http://grafa.cz/67j5hg
http://grahamkennedy.ca/67j5hg
http://greatmeeting.org/67j5hg
http://greenmodul.com/67j5hg
http://greenoceanpetroleum.com/67j5hg
http://greentic.univcasa.ma/67j5hg
http://grplink.com/67j5hg
http://guneynakliyat.net/67j5hg
http://gushifengyun.com/67j5hg
http://gxhedu.net/67j5hg
http://hamburyhird.co.uk/67j5hg
http://hamidrukkers.nl/67j5hg
http://hanak-nafotil.kvalitne.cz/67j5hg
http://haneyslanding.com/67j5hg
http://happyrushop.com/67j5hg
http://havaa.nl/67j5hg
http://hcunit.com/67j5hg
http://helfter.fr/67j5hg
http://hgqcqc.com/67j5hg
http://highlandsolar.ca/67j5hg
http://hightradingfrequency.com/67j5hg
http://hirdavatix.com/67j5hg
http://h-miyoshi.ed.jp/67j5hg
http://hobbis.cz/67j5hg
http://hubbambaya.net/67j5hg
http://interprofil.no/67j5hg
http://inzt.net/67j5hg
http://iwebsdns.com/67j5hg
http://kekjacint.hu/67j5hg
http://kongogene.com/67j5hg
http://monowheels.ru/67j5hg
http://omidak.ir/67j5hg
http://restaurant-traditional.ro/67j5hg
http://shopey.net/67j5hg
http://vikingradom.freehost.pl/67j5hg
http://wilson.ro/67j5hg

UPDATE:
http://fourpair.com/67j5hg
http://gomuskegon.mobi/67j5hg
http://gremr.ma/67j5hg
http://sungbocne.com/67j5hg

UPDATE:
http://chuzhang.net/67j5hg
http://cxsd.com.cn/67j5hg
http://funkybytes.fr/67j5hg
http://funtasy.be/67j5hg
http://futureartdesign.ro/67j5hg
http://gocascadia.com/67j5hg
http://goldensail.ru/67j5hg
http://gold-or.ca/67j5hg
http://mgpu.gomel.by/67j5hg


Malware:
- encoded on download, SHA256 da490b31aea1775216e95c036a311dd56cad99f8848230caaf89d7450a5471a3, MD5 4164b4a9b8a8c3bfc0effd3b7dbfd6f7
- decoded SHA256 7e6c08f576eeef7c44558fdfc8c6961de15d16d15ab5cf8615951084a5960007, MD5 ed5eee4f7d209413bc8ef139f448e12d
- executed by "rundll32 %TEMP%\<dll_name>,set"
- samples:
https://www.reverse.it/sample/44f87f0bafd325e02655b6f407df3656d59b762acf02ef1178f828d7d2c9b0f0?environmentId=100
https://www.reverse.it/sample/025a3e2f1ccbd10cbce15ab84ba91a029930e2ea5d3c9ab217a8cfe1f2168638?environmentId=100
https://www.reverse.it/sample/ab097596e05ab96cf484a15f3eed0d687a042a949a5bf2af66dbca72dc29f776?environmentId=100
https://www.reverse.it/sample/0732a12bff0b1985bdaf322fb00345680bd1ff8f7babb6c2ad8b6d0ca987acfd?environmentId=100

C2:
POST http://158.69.223.5/message.php
POST http://185.118.66.90:80/message.php

bnmqkgdlotrwqym.work
dmynnrrvse.org
gccaoqb.xyz
jcbbccd.pl
ksrcvmvfbc.org
ornrkiokjkkqymw.org
mwyryuxoyhxlk.work
ummprtrxunm.xyz
wmstntaae.su
wmcrfvhf.org