Racco42

2016-09-22 Locky "Invoice INV0000xxxxx"

Sep 22nd, 2016
2016-09-22 #locky email phishing campaign "Invoice INV0000xxxxx"

Email:
-----------------------------------------------------------------------------------------------------------------
From: "Eddie frau" <Eddie39@blairhowardphotography.com>
To: [REDACTED]
Subject: Invoice INV00004551013
Date: Thu, 22 Sep 2016 18:04:07 +0530

Please find our invoice attached.

Attachment: Invoice_INV00004551013.zip
-----------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Invoice INV0000<random numbers>"
- attached file Invoice_INV0000<random number>.zip (name matches subject) contains file <random characters>.js, a JScript downloader

Download sites (the actual URLs contain suffix ?<random>=<random> which does not influence download):

Malware:
- encoded on download, SHA256 bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75, filesize 247808 bytes
- decoded SHA256 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
https://www.reverse.it/sample/9f34183f27725073af10f3dfb84acf686346905293debc6b51c45673622aa9aa?environmentId=100
https://www.reverse.it/sample/ecc138625a7dee243e8cb7d822d0fb8d0ce80730f6587bc8875e531e8089ea11?environmentId=100
https://www.reverse.it/sample/1fc3bfdea8b8b8d9da4bd8821aebda1f20faba7584da8204d29ea5fde0b8f2f4?environmentId=100
https://www.reverse.it/sample/d9f4ff62536e38f0b5dfc6ea3cef6b192fccd9d44dce613f919ce360c1bdbec8?environmentId=100
https://www.reverse.it/sample/f2da58038718229d27104f7ae265896013187bb6ea476da1541ff03de4507084?environmentId=100

C2:
88.198.76.76:80/data/info.php
51.254.108.40:80/data/info.php
tswsgajtwhqkosd.su/data/info.php [91.239.235.130]
jfmiondv.xyz/data/info.php [91.239.235.130]
wnrgttsfmhfmmoqxm.biz/data/info.php [69.195.129.70]
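A detection helper for the patterns this note records, added here as an example and not the paste author's code: it flags mail where subject and attachment share the "Invoice INV0000<digits>" number and the zip holds a single .js, and process command lines that launch rundll32 on a DLL under a temp path with the qwerty export. The zip content, member name and command lines below are constructed samples.

```python
import io
import re
import zipfile

# Lure pattern from the note: subject "Invoice INV0000<digits>", attachment
# "Invoice_INV0000<digits>.zip" whose number matches the subject.
SUBJECT_RE = re.compile(r"^Invoice INV0000(\d+)$")
ATTACH_RE = re.compile(r"^Invoice_INV0000(\d+)\.zip$", re.IGNORECASE)
# Execution pattern from the note: rundll32.exe %TEMP%\<dll_name>,qwerty
# (paths containing spaces are not matched by \S*; constructed simplification).
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\"?\s+\S*temp\S*,qwerty\b", re.IGNORECASE)


def zip_member_names(zip_bytes):
    """Member names of an in-memory zip attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def check_email(subject, attachment_name, attachment_bytes):
    """Return the reasons a message matches the campaign lure (empty if none)."""
    reasons = []
    m_sub = SUBJECT_RE.match(subject)
    m_att = ATTACH_RE.match(attachment_name)
    if m_sub and m_att and m_sub.group(1) == m_att.group(1):
        reasons.append("subject and attachment share the invoice number")
    if m_att:
        names = zip_member_names(attachment_bytes)
        if len(names) == 1 and names[0].lower().endswith(".js"):
            reasons.append("zip contains a single .js script")
    return reasons


def check_process(cmdline):
    """True when a command line matches the rundll32 ... ,qwerty launch."""
    return bool(RUNDLL_RE.search(cmdline))


def build_sample_zip():
    """Constructed stand-in for the attachment: one random-looking .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kd8fj3.js", "// constructed placeholder, not the real script\n")
    return buf.getvalue()
```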