Racco42

2016-09-21 Locky "Payment approved"

Sep 21st, 2016
2016-09-21 #locky email phishing campaign "Payment approved"

Email:
--------------------------------------------------------------------------------------------------------
From: "Daren Whitfield" <Whitfield.1377@spectranet.in>
To: [REDACTED]
Subject: Payment approved
Date: Wed, 21 Sep 2016 11:17:30 -0700

Dear [REDACTED],

Your payment has been approved. Your account will be debited within two days.
You can email us for any query regarding your account.

Thank you.

Daren Whitfield
Support

Attachment: 0b6916c3116.zip
--------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Payment approved"
- attached file <random hex chars>.zip contains two files:
  - a one-letter named, zero-filled junk file
  - "payment details PDF ~<random hex>~.js", a JScript downloader

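To turn the attachment description above into a mail-gateway check, the following Python is an added example (not part of Racco42's paste): it opens a .zip and flags the campaign's pattern, a one-letter, all-zero junk member beside a "payment details PDF ~<hex>~.js" member. The look-alike archive it builds is constructed for the demo, not the real 0b6916c3116.zip; the exact filename regex and the assumption that the junk file carries no extension are mine, not from the paste.

```python
"""Triage a .zip attachment for the Locky "Payment approved" pattern:
a one-letter, zero-filled junk file next to a
"payment details PDF ~<hex>~.js" JScript downloader.
Added example; the sample archives below are constructed, not real attachments."""
import io
import re
import zipfile

# Name pattern from the note. Spacing/casing tolerance is an assumption.
JS_NAME_RE = re.compile(r"^payment details pdf ~[0-9a-f]+~\.js$", re.IGNORECASE)
# "one-letter named" junk file; that it has no extension is an assumption.
JUNK_NAME_RE = re.compile(r"^[A-Za-z]$")


def is_zero_filled(data: bytes) -> bool:
    """True when the member is non-empty and every byte is 0x00."""
    return len(data) > 0 and not data.strip(b"\x00")


def triage_zip(blob: bytes) -> dict:
    """Report which campaign indicators the archive matches."""
    result = {"members": [], "junk_file": None, "js_downloader": None}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            data = zf.read(info)
            if JUNK_NAME_RE.match(info.filename) and is_zero_filled(data):
                result["junk_file"] = info.filename
            elif JS_NAME_RE.match(info.filename):
                result["js_downloader"] = info.filename
    # Both halves of the pattern have to be present to call it a hit.
    result["matches_campaign"] = bool(result["junk_file"] and result["js_downloader"])
    return result


def build_sample_zip() -> bytes:
    """Constructed look-alike of the attachment (placeholder JScript body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("k", b"\x00" * 4096)  # one-letter, zero-filled junk
        zf.writestr("payment details PDF ~3f9a1c~.js", "// placeholder, not the real downloader\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive that should not trigger."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_benign_zip()))
```

The zero-fill test matters: a one-letter filename alone is a weak signal, but a one-letter file whose content is entirely NUL bytes has no legitimate reason to ride along with a script in a "payment" archive.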
Download sites (all hosted on 95.173.164.205, 190.147.38.2):
http://alvussauna.com/eq7bpu
http://alvussauna.com/xlacxlzd
http://alvussauna.com/ybvo28z
http://konakmomo.com/p9s2t
http://konakmomo.com/pqoejxv
http://konakmomo.com/uimjwsb
http://savinobit.net/hgmsg41
http://savinobit.net/vzz334b
http://savinobit.net/xe1oc
http://viewglenn.net/hk8rxr
http://viewglenn.net/udungr
http://viewglenn.net/zd2m51a7
http://watersampi.net/9djkl
http://watersampi.net/em66dz
http://watersampi.net/ql1vl

Malware
- served encoded on download, file sizes vary; SHA256 of the blobs as downloaded ([n] links a blob to its decoded sample below):
efb701f339b0c974f0e6aa15a7967e29e61e867524ea4cc04b370c09b947345c http___alvussauna.com_eq7bpu
c3b718bed485eeda91be5a71e98ae944dbb5e252fbb85590d110c77b2f51c416 http___alvussauna.com_xlacxlzd
1ebbe6e9ed3b192ac35c379de6d2397f63d6931729b06721969b1fae3bec8b8e http___alvussauna.com_ybvo28z [3]
8ba5e39ceba6cd461c5fe03dda250aeaa5b6d5e7da622302341165a215bfd9f6 http___konakmomo.com_p9s2t
f949dc8e550c23c0d1f752627aefbaec571c3e21af43d260db04a78babd30478 http___konakmomo.com_pqoejxv
fa1b23f98405a963e7ad2cec8c74b3d9ae5fe0aa062e35c8759f9202a00a11d0 http___konakmomo.com_uimjwsb [4]
f843548f6d80afd1d6eb6c2cd9fab9ecbd99f51ecbed41e069ad522d3f9e371e http___savinobit.net_hgmsg41
72835af02ca66c1e63b68d7d1e6033f193aca7e6634aded4776616c2f818f264 http___savinobit.net_vzz334b [1]
c7a4abfd2574bd5ed83210a630800658ee56de20c6fdbaa6d6f3ccfe316a8d4e http___savinobit.net_xe1oc [6]
a059606b721ad61a9ccd7e1b064d9e151b98d33b6f346009ef8ce15a1b8e088b http___viewglenn.net_hk8rxr
4700f7bd096e0ed34259d45d2b03ec4d635a44cfc64dea949d62d20e620b60b1 http___viewglenn.net_udungr [2]
126b90181c381ef829487e2177b55af889e414104ddf99cb1ae7feea2d1f4b2c http___viewglenn.net_zd2m51a7
06c5becdae351eadef74918250bab2c704b8844fc23d56f825eebf999f0e758e http___watersampi.net_9djkl [5]
fa055afab7a0182fbaa2087fe6c989f919d0a3db9f9724ef92afa9f8a0e5ee34 http___watersampi.net_em66dz
2829309b0fbe57a7b432b834c13da95c57b4dcc1145d44c83a571bb34441dc65 http___watersampi.net_ql1vl [7]
- decoded samples, numbered to match the encoded blobs above:
5eeac2c253009778e5566007ca5be5ad77519b82d02abafe548229ffecaf08b6 [1]
eac9cf643bc90d4a49235231623e722e574cfe7314efb35dc0b81919ff66132d [2]
4d50b0261adb605c40f99ee45d4493d268030414cc04c57bae479d193d22ab1a [3]
1b84ca6d58212c712d712f996d2bcbd1d3ae9779949378da5e557ae35f8a09af [4]
794c8f3adbb80ef951e361847ede460f66aa1e2716910185ae8690da79547070 [5]
97f8db454a4c4054c4b80a08b0df79c68a70992626f3228b8ac67f2f8e103706 [6]
e70b0734a24f7e4c71f35bbdf3ba6c411887bbdde2b0d54be56346056b594349 [7]

- the decoded payload is a DLL, executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323" (export "qwerty", argument 323)
- sandbox reports (reverse.it):
https://www.reverse.it/sample/a31a1dde0b2d683e4ae7fa3037209a425605b8e0a49f1607ea1dd02a4eaed267?environmentId=100
https://www.reverse.it/sample/463dfcaf29b9ac9397a8aa120ccddf7420f61ae5168e9e55fbc7bd9a8f12f29e?environmentId=100
https://www.reverse.it/sample/b913ca9b6976b1846b7d36cab5b8fc09147f8eda84e9fde77f0aab4dfe5a2ab3?environmentId=100
https://www.reverse.it/sample/297192cd8fae5d95505cb18604722e0601f0501dbf05c4ef038a483e423ac9ed?environmentId=100
https://www.reverse.it/sample/0ae44892f78e5b5ddfc07e6a23fb55469f21e12c45e74661ad81e61b07893ece?environmentId=100
https://www.reverse.it/sample/65a3b19a64cb050873d52bd516ca57db71468c4346052295e621af81f90cb37a?environmentId=100

C2:
- no C2 communication observed; it is likely that the samples did not detonate properly (either through an error in the malware or by design)
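The indicators above are most useful swept across proxy, DNS and process-creation logs at once. The Python below is an added example (not part of Racco42's paste): it carries the paste's URLs, hosting IPs, encoded and decoded SHA256s, and a regex for the rundll32 launch with export "qwerty" and argument 323, and matches them against a handful of constructed log lines. The log format, the host names, user names and the Temp-folder DLL name in those lines are invented for the demo; only the indicator values come from the paste.

```python
"""Sweep log lines for the IOCs in this note: download URLs/domains, hosting IPs,
encoded and decoded payload SHA256s, and the rundll32 ...,qwerty 323 launch.
Added example; SAMPLE_LOG_LINES are constructed, not captured traffic."""
import re
from urllib.parse import urlparse

DOWNLOAD_URLS = set("""
http://alvussauna.com/eq7bpu http://alvussauna.com/xlacxlzd http://alvussauna.com/ybvo28z
http://konakmomo.com/p9s2t http://konakmomo.com/pqoejxv http://konakmomo.com/uimjwsb
http://savinobit.net/hgmsg41 http://savinobit.net/vzz334b http://savinobit.net/xe1oc
http://viewglenn.net/hk8rxr http://viewglenn.net/udungr http://viewglenn.net/zd2m51a7
http://watersampi.net/9djkl http://watersampi.net/em66dz http://watersampi.net/ql1vl
""".split())
DOWNLOAD_DOMAINS = {urlparse(u).hostname for u in DOWNLOAD_URLS}
HOSTING_IPS = {"95.173.164.205", "190.147.38.2"}

# SHA256 of the encoded blobs as served (one per URL above).
ENCODED_SHA256 = set("""
efb701f339b0c974f0e6aa15a7967e29e61e867524ea4cc04b370c09b947345c
c3b718bed485eeda91be5a71e98ae944dbb5e252fbb85590d110c77b2f51c416
1ebbe6e9ed3b192ac35c379de6d2397f63d6931729b06721969b1fae3bec8b8e
8ba5e39ceba6cd461c5fe03dda250aeaa5b6d5e7da622302341165a215bfd9f6
f949dc8e550c23c0d1f752627aefbaec571c3e21af43d260db04a78babd30478
fa1b23f98405a963e7ad2cec8c74b3d9ae5fe0aa062e35c8759f9202a00a11d0
f843548f6d80afd1d6eb6c2cd9fab9ecbd99f51ecbed41e069ad522d3f9e371e
72835af02ca66c1e63b68d7d1e6033f193aca7e6634aded4776616c2f818f264
c7a4abfd2574bd5ed83210a630800658ee56de20c6fdbaa6d6f3ccfe316a8d4e
a059606b721ad61a9ccd7e1b064d9e151b98d33b6f346009ef8ce15a1b8e088b
4700f7bd096e0ed34259d45d2b03ec4d635a44cfc64dea949d62d20e620b60b1
126b90181c381ef829487e2177b55af889e414104ddf99cb1ae7feea2d1f4b2c
06c5becdae351eadef74918250bab2c704b8844fc23d56f825eebf999f0e758e
fa055afab7a0182fbaa2087fe6c989f919d0a3db9f9724ef92afa9f8a0e5ee34
2829309b0fbe57a7b432b834c13da95c57b4dcc1145d44c83a571bb34441dc65
""".split())
# SHA256 of the decoded DLLs (what actually lands in %TEMP%).
DECODED_SHA256 = set("""
5eeac2c253009778e5566007ca5be5ad77519b82d02abafe548229ffecaf08b6
eac9cf643bc90d4a49235231623e722e574cfe7314efb35dc0b81919ff66132d
4d50b0261adb605c40f99ee45d4493d268030414cc04c57bae479d193d22ab1a
1b84ca6d58212c712d712f996d2bcbd1d3ae9779949378da5e557ae35f8a09af
794c8f3adbb80ef951e361847ede460f66aa1e2716910185ae8690da79547070
97f8db454a4c4054c4b80a08b0df79c68a70992626f3228b8ac67f2f8e103706
e70b0734a24f7e4c71f35bbdf3ba6c411887bbdde2b0d54be56346056b594349
""".split())

URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:" + "|".join(re.escape(d) for d in sorted(DOWNLOAD_DOMAINS)) + r")\b",
                       re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# rundll32.exe <any path>,qwerty 323 ; the DLL path/name varies per victim.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^\s,"]+"?\s*,\s*qwerty\s+323\b', re.IGNORECASE)


def match_line(line: str) -> list:
    """Return the indicator tags a single log line matches (sorted, no duplicates)."""
    hits = set()
    for url in URL_RE.findall(line):
        if url.rstrip("/") in DOWNLOAD_URLS:
            hits.add("url:" + url)
    for dom in DOMAIN_RE.findall(line):  # paths rotate; the domain is the sturdier indicator
        hits.add("domain:" + dom.lower())
    for ip in IP_RE.findall(line):
        if ip in HOSTING_IPS:
            hits.add("ip:" + ip)
    for h in SHA256_RE.findall(line):
        h = h.lower()
        if h in ENCODED_SHA256:
            hits.add("encoded-payload:" + h[:12])
        if h in DECODED_SHA256:
            hits.add("decoded-dll:" + h[:12])
    if RUNDLL_RE.search(line):
        hits.add("rundll32-qwerty-323")
    return sorted(hits)


def sweep(lines) -> dict:
    """Map line index -> indicator tags for every line that matched anything."""
    out = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            out[i] = hits
    return out


SAMPLE_LOG_LINES = [  # constructed for this example
    "2016-09-21T18:19:01Z dns client=10.0.0.5 query=alvussauna.com answer=95.173.164.205",
    "2016-09-21T18:19:02Z proxy src=10.0.0.5 url=http://konakmomo.com/p9s2t status=200",
    "2016-09-21T18:19:05Z proxy src=10.0.0.5 url=http://watersampi.net/zz9q1 status=200",
    r'2016-09-21T18:19:07Z proc user=alice cmdline="rundll32.exe C:\Users\alice\AppData\Local\Temp\Jdfy3.dll,qwerty 323"',
    r"2016-09-21T18:19:07Z file sha256=5eeac2c253009778e5566007ca5be5ad77519b82d02abafe548229ffecaf08b6 path=C:\Users\alice\AppData\Local\Temp\Jdfy3.dll",
    "2016-09-21T18:20:11Z proxy src=10.0.0.9 url=http://example.org/index.html status=200",
]

if __name__ == "__main__":
    for idx, tags in sweep(SAMPLE_LOG_LINES).items():
        print(idx, tags)
```

Because the payload is served encoded and the encoded blob differs per URL, the encoded hashes only catch exact re-downloads; the decoded-DLL hashes and the rundll32 export/argument pattern are what survive across the campaign's rotating paths.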