2016-11-21 Locky "Spam mailout"

1. 2016-11-21 #locky email phishing campaign "Spam mailout"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------
5. From: "Cara Thornton" <Thornton.Cara@viettel.vn>
6. To: [REDACTED]
7. Subject: Spam mailout
8. Date: Mon, 21 Nov 2016 16:29:59 +0700
9.  
10. Dear [REDACTED]
11.  
12. We've been receiving spam mailout from your address recently.
13. Contents and logging of such messages are in the attachment.
14.  
15. Please look into it and contact us.
16.  
17. Best Regards,
18. Cara Thornton
19. ISP Support
20. Tel.: (420) 292-54-52
21.  
22. Attachment: logs_[REDACTED].zip
23. ---------------------------------------------------------------------------------------------------------------
24. - sender address varies between emails
25. - subject is "Spam mailout"
26. - Attached file "logs_<recipient's name>.zip" contains file "<random upcase chars>-<random upcase chars>.js" a JScript donwloader
27.  
28. Donwload sites:
29. http://bilbords.com/ken5ac7tik
30. http://charoenthanikhonkaen.com/jqqul9c
31. http://cman8396.com/juahu6pm1
32. http://decorvise.es/0jt98stidf
33. http://eatfatlosefat.com/9fjexzzpr9
34. http://ehaaranen.com/nnsvlljs
35. http://fodgeslade.com/cey54bwgvf
36. http://fodgeslade.com/mlrnp
37. http://fodgeslade.com/oljtcw5p
38. http://fodgeslade.com/viv34io
39. http://gabrielconde.com.uy/r0zzg
40. http://inchallahrencontre.net/yapj4lk8
41. http://indiancatering.sg/y3cth
42. http://iproaction.com/utg8md
43. http://ivocal.fr/oxpj5ogs
44. http://knutewhar.net/44zd4j
45. http://knutewhar.net/uzu2vgi
46. http://kodivac.com/f4zozhxw
47. http://levinltd.com/yrcmcc8
48. http://lexcellence.ru/rgu7pzr
49. http://majesticimmo.com/b25okefjt
50. http://mangetsudo.net/v1cle
51. http://markand.ro/r10myprz
52. http://mimatefacil.com/ppgfw
53. http://moffia.nl/xepnvg
54. http://naschlouey.net/cpjeie0
55. http://naschlouey.net/fl7h5lk
56. http://naschlouey.net/suigyo
57. http://naschlouey.net/ykrsw
58. http://naturalnazywnosc.pl/vqu9d76o
59. http://nitay.com/mrepde
60. http://POWER-LOGISTICS.NET/0ospd3pz5
61. http://reiffen.info/fsahaq4s7
62. http://sambaplack.com/crgnsx
63. http://sambaplack.com/cvyeefv0y
64. http://sambaplack.com/mkchoe0lx
65. http://sambaplack.com/txroulckka
66. http://serajeadine.ir/kia7ho30x
67. http://tutmacli.com/fbd5f
68. http://ulmicsulfa.net/fm32yz2
69. http://ulmicsulfa.net/mhngaxy
70. http://wpthemesense.com/pzzrrnqwaq
71. http://www.kanm.cn/spm2u1vbu
72. http://www.montostroj.eu/y5nxn8
73. http://x-in.info/jsepbs
74.  
75. Malware:
76. - encoded on download, filesizes 137591 or 134411 bytes
77. 7b557a79462a45cdaa235d1aa71340be911358ace2d8123462fcec9d0109cae1 http___bilbords.com_ken5ac7tik
78. d631992c2d2b59fdf51bc8aa97681bd3c0d9669051f8ae11e4a2bcad2fd7c0ff http___charoenthanikhonkaen.com_jqqul9c
79. 964af862aab8a276147c5b52d1e5451593aab4894816fe2c9e5de0194d6bc82f http___cman8396.com_juahu6pm1
80. bd4029e7a6abf3b82d800240ad41ad02a256be0a5a73ea1a420b1f027400e8bb http___decorvise.es_0jt98stidf
81. c5b5f56521219896dc647c1bd889d14f1fd39cf174844a81e9307f4d307cffd8 http___eatfatlosefat.com_9fjexzzpr9
82. 29e35f09e652acc061ccafbb67d9e14589a3198a8b129884ce2ec56e3166c3da http___ehaaranen.com_nnsvlljs
83. b368b397b24aa4ce2822af7d40e13d375c7d8ee17e39548882857914436ad7a5 http___fodgeslade.com_cey54bwgvf
84. 8699fcc6dccdff02af3ff020ea4606e05965e9b7cb87e7a9a6568dba41f5afee http___fodgeslade.com_mlrnp [2]
85. 4d9f66f77d55c64ef9c652fb72e166c00978c76c272a3280e0efb4e18f5788bb http___fodgeslade.com_oljtcw5p [5]
86. ac221e4ac21d8cacb680e1fa12b50f41a1074aa6261af0db8fbeba3f4d3c8b27 http___fodgeslade.com_viv34io
87. e46bd115661a4de2ae0c389ba813365a6a4d1c85e03c817539488d9132b6bc16 http___gabrielconde.com.uy_r0zzg
88. f3a4c7a0cfa438d21d21e107dfca28cdb7cfe2120aaa32913afc95853e359f36 http___inchallahrencontre.net_yapj4lk8
89. d0f4a3a5a410e63a59a93e51dddb4b75340d68bf66e4ae7960235f05024b1634 http___indiancatering.sg_y3cth
90. 303a10e75f8b4d0b34627d9e885235ec5bac89004a09e90cac6851d1732a9e10 http___iproaction.com_utg8md
91. e187ed6e7adf87434fdd3fe92c341ecdb20fb0ba31b96e2d2d45ce2545f0bd83 http___knutewhar.net_44zd4j
92. d43008d668b288f3f63fb77a285ad68fa48bbafbc3933a43477e521742830ce6 http___knutewhar.net_uzu2vgi
93. fac67e475248bcd175950241b450825ace88b6b63a452b7a7f1ce2fb16425b0c http___kodivac.com_f4zozhxw
94. 626eb0a42bb119f47f13f451bb0e58aa8e4b3fb32eb3e317b6d1b7811ffdeee1 http___levinltd.com_yrcmcc8
95. f57977f6cc84411938af921d23bcb1927395da4037697734f9c1555dc2e73a88 http___lexcellence.ru_rgu7pzr
96. 99b4106fb762bd7f70d9031f714b11ca96558eb44e8131daa509e36de46fe122 http___majesticimmo.com_b25okefjt
97. f469a27db83f486ff836ed02a18173f17b554d6fc24f35ac6ed71a1c0565371a http___mangetsudo.net_v1cle
98. 145472dd5ea9d88766b2835e8cdd3c814e2a96146ee2213a0b26a8617af1eab1 http___markand.ro_r10myprz
99. de8001768e97cee4d787acbf5317018390e005d6880b47f796d2268aec64cc65 http___mimatefacil.com_ppgfw
100. cbaf3a54649f6b9c3b8a9596fa83c5fbf12274498ee99deca850c852851ec788 http___naschlouey.net_cpjeie0 [1]
101. 878195e3d7e59e623ea31aa83d0ab47c50ff1d6e23d85614ffab1daa038bf3fd http___naschlouey.net_fl7h5lk
102. 48e5e2d48002b64d5b8e6c2696e587e890886e49acae1d9c68628ade6fb112dc http___naschlouey.net_suigyo
103. 713c417b98c48bdaa7642a0d3e39f95d29c0a72f97bb10f7326ef8ccd5ff9f3d http___naschlouey.net_ykrsw [3]
104. 274f39e8e38912f22ff80888347fdfb805f7ae681227314b8859948b62333c50 http___naturalnazywnosc.pl_vqu9d76o
105. 00dff29b1117f932762cf57f82811f90b6729c245cdc52201dcc608d4eec3db4 http___nitay.com_mrepde
106. cc40f2b59e90233d348b43d8b74043f717f6fbe612047348ac53531055da594a http___reiffen.info_fsahaq4s7
107. 9e0d8d000a055b5247a24223f48db4e37bd87868618533a3bb49edbcf47d6ab0 http___sambaplack.com_crgnsx
108. 52657564016bad475ed4911f092f69b50c779e24be1bc49b5d0282de196514be http___sambaplack.com_cvyeefv0y
109. 675c75a0ddbb5782fefcf11bb23a123da0b41184e9782a205abd701360ed419e http___sambaplack.com_mkchoe0lx
110. 23cae93dc65dd83306f7c52fd2675895b4e7825b35f0b87cb5c9d35268a76041 http___sambaplack.com_txroulckka [4]
111. 26985069311db3fcf68de686482593262a6a5225e9cb3d2fdca8b26d187087b3 http___serajeadine.ir_kia7ho30x
112. 4e8fa40da257e5fdf9f8a637f871f649948b3cc125aaf7bfff717513c82ffd84 http___tutmacli.com_fbd5f
113. 25fad38fb7fd39f0b475517c4e4f8d15e91ac9fbfd1c1a338537ea52db8e8f41 http___ulmicsulfa.net_fm32yz2
114. a8bbf5b80c3d39dc2f13e200586f2e16a6f52513fe92ab7969e0479d01259f13 http___ulmicsulfa.net_mhngaxy
115. 3c6598cfcbeee6cfa54e4567a590ddf9bc2d6e47e88d000f0bcb8df531019d6f http___wpthemesense.com_pzzrrnqwaq
116. adb31cea84bf449c787cfdaa50a2f5a4b851a7d18b551f8f9c150f514590b29c http___www.kanm.cn_spm2u1vbu
117. dc922d135436d5eca99d071d7e6be88ff0cace8701d31e10ca3ab6ac5f537987 http___www.montostroj.eu_y5nxn8
118. c446d918b1d8a8ca2daa73d49dce124b98442c859f7c0497e40a07297fbbd2dd http___x-in.info_jsepbs
119. - decoded
120. b84d7289330a57804b33090433bfb42e52be35dec527041ab9be803486795930 [1]
121. b0d228b009c063c36e457faeb38b97949ffb55036298b320edc3c0568a63bbf0 [2]
122. c9986f301ca8c15f603e79a31f90869bcf8a72a7ed808ba1e6c448b4dd25c1cc [3]
123. 1da658403f29006b4924664f42702e60b90f87248fc1c3df083934ff133fec9e [4]
124. cad34ddd255303256bb8696a22d5c2637c9c7480d629bb0b6d8e6add0142c9c8 [5]
125. - executed by "rundll32 %TEMP%\<dll_name>,jWo7sg8u"
126.  
127. C2:
128. POST http://213.32.66.16/information.cgi
129. POST http://46.8.29.175/information.cgi
130. POST http://91.219.28.51/information.cgi
131. POST http://bpffhepfv.pw/information.cgi
132. POST http://cpgheav.work/information.cgi
133. POST http://gftvhepya.xyz/information.cgi
134. POST http://jxvmquqrmtdgjvs.ru/information.cgi
135. POST http://lkrfwyfeenk.org/information.cgi
136. POST http://mmuipquvpjccb.pw/information.cgi
137. POST http://qxdkochghvf.work/information.cgi
138. POST http://scbnepyudgkm.click/information.cgi
139. POST http://stbxokqmd.su/information.cgi
140. POST http://uuvuhqhnwnpdy.org/information.cgi
141. POST http://xnbhfxgcikjxfm.click/information.cgi