2016-09-15 #locky email phishing campaign "Documents Requested"

Email:
------------------------------------------------------------------------------------------------------------
From: "Ollie"
To: [REDACTED]
Subject: Re:Documents Requested
Date: Thu, 15 Sep 2016 10:12:21 +0700

Dear [REDACTED],

Please find attached documents as requested.

Best Regards,
Ollie

Attachment: "Untitled(29).zip"
------------------------------------------------------------------------------------------------------------

- sender address is faked to come from the recipient's domain (random name)
- subject varies between "Documents Requested", "RE: Documents Requested" and "FW: Documents Requested"
- attachment filename varies between "Untitled().zip", "doc().zip", "new doc().zip"
- attached file contains a .wsf, which contains a JScript downloader

Download (actual URLs contain a ?= suffix that does not influence the download):
http://beytascam.com/jyjarsf
http://bingolfm.com/wydrety
http://brainfreezeapp.com/ikjxtet
http://cellmartpk.com/navvmtv
http://datainsightsllc.net/pugaebq
http://doctor-roshal.ru/drqxbtg
http://esmahatun.com/wqbgqfy
http://facebookfan.nl/ctljfwb
http://fedoriv.net/rsdvbpl
http://forex-trading.nl/nrstpdu
http://gatesofhades.com/ldtaked
http://geototalgroup.com/eiphvuy
http://gray-associates.co.uk/apjqxwx
http://ichinoyado.com/warvvyd
http://ismaily.net/mujsuly
http://jonasbuenter.com/oigdmdg
http://knightsbridgeboutique.com/wlaljgc
http://lorihoneycutt.com/frwelju
http://mikbaro.com/wdomiow
http://monsalwa.com/khqwlqw
http://mortaltraffic.com/tewwulc
http://nablussweet.com/mwpjwed
http://nomad-gps.com/lhlawtc
http://omniworxinc.com/pgqvdcx
http://peekaboogifts.net/lrqivgn
http://pegglenights.org/vnwwmdt
http://piv-burg.ru/qxcgkqu
http://sarawakcars.com/rxjkxqv
http://sbaky.com/rpveuev
http://sekerpinarcicek.com/tjuyagf
http://siamitcool.com/coffmfg
http://sitecreat.ru/imqbanj
http://smokingbrushfineart.com/cibtyrv
http://swapol.net/iiaufhh
http://tymelprof.ru/pxwlbiu
http://vilakolpa.com/ugqblhk
http://xn--o3cafudv5hceh20a.com/qfemllv

Malware:
- encoded on download, SHA256 f48f3cbd1e8614e6e73e839c883b0d4a47e6c2028025b0634ae8798f4ae2578d, filesize 163840 bytes
- decoded SHA256 827af4863d7f0365f1983a4022d362bd623df38bf6d2f0a96b0eb771a61760e2, filesize 163840 bytes
- executed by "rundll32.exe %TEMP%\vIpzmlDeg1.dll,qwerty"
https://www.reverse.it/sample/f91c0adefb96e40ca44c6670f02aecca16e6cba332319bbc56e4c68c768f1465?environmentId=100
https://www.reverse.it/sample/f91e10edb7096ce0c4ad46885959042a49aac8544462932fff0797b4bc981a32?environmentId=100
https://www.reverse.it/sample/5da1ad7672b8dcc613b2a753b433ecbbde4900180b2a2fd961dd66af0aa324fb?environmentId=100
https://www.reverse.it/sample/87518dd52032ff28013e1b856a6cf37d4f888073b296fb90a3286e0588f518b8?environmentId=100
https://www.reverse.it/sample/5e4ae83f490a22a0556bc92c73d4ddf6d9e8dcafb186a1e1c9ea0b5957c4aea9?environmentId=100

C2:
- no C2 communication
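The campaign traits listed in this note (sender spoofed from the recipient's own domain, the "Documents Requested" subject variants, the "Untitled()/doc()/new doc().zip" attachment names, a .wsf inside the zip, the payload hashes, and rundll32 loading a DLL out of %TEMP%) turned into a small mail-gateway / process-log triage script. This is an added example, not part of the original note: the message records, the inert sample zip and the domain victim.example are constructed, and the dictionary layout of a message record is an assumption about how the caller presents mail metadata.

```python
import io
import re
import zipfile
from email.utils import parseaddr

# Indicators copied from the note above.
SUBJECT_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)?documents requested\s*$", re.IGNORECASE)
# "Untitled(29).zip", "doc(3).zip", "new doc(12).zip": base name, optional "(N)", .zip extension
ATTACHMENT_RE = re.compile(r"^(untitled|doc|new doc)\s*(\(\d+\))?\.zip$", re.IGNORECASE)
KNOWN_SHA256 = {
    "f48f3cbd1e8614e6e73e839c883b0d4a47e6c2028025b0634ae8798f4ae2578d",  # encoded download
    "827af4863d7f0365f1983a4022d362bd623df38bf6d2f0a96b0eb771a61760e2",  # decoded DLL
}
# rundll32 loading a DLL from a temp directory (unexpanded %TEMP% or an expanded ...\Temp\ path)
# and calling a named export, as in "rundll32.exe %TEMP%\vIpzmlDeg1.dll,qwerty".
RUNDLL32_TEMP_RE = re.compile(
    r'rundll32(\.exe)?\s+"?(%temp%|.*\\temp)\\[^\\,"]+\.dll"?\s*,\s*\w+', re.IGNORECASE)


def domain_of(addr):
    """Domain part of an RFC 5322 address such as '"Ollie" <ollie@victim.example>'."""
    _, mailbox = parseaddr(addr)
    return mailbox.rpartition("@")[2].lower()


def archive_members(zip_bytes):
    """Member names of a zip, read from the central directory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def is_known_payload(sha256_hex):
    return sha256_hex.strip().lower() in KNOWN_SHA256


def is_suspicious_rundll32(cmdline):
    """True for a process-creation command line matching the execution pattern in the note."""
    return RUNDLL32_TEMP_RE.search(cmdline) is not None


def analyze_message(msg):
    """Return the sorted list of campaign indicators a message record matches.

    msg layout (assumed): {"from", "to", "subject", "attachments": [names], "zip_bytes": bytes|None}
    A same-domain sender on its own is a weak signal (internal mail looks the same), so it should
    be weighed together with the subject, attachment-name and archive-content hits.
    """
    hits = []
    if SUBJECT_RE.match(msg.get("subject", "")):
        hits.append("subject")
    if any(ATTACHMENT_RE.match(name) for name in msg.get("attachments", [])):
        hits.append("attachment-name")
    sender, recipient = domain_of(msg.get("from", "")), domain_of(msg.get("to", ""))
    if sender and sender == recipient:
        hits.append("sender-spoofs-recipient-domain")
    zip_bytes = msg.get("zip_bytes")
    if zip_bytes and any(m.lower().endswith(".wsf") for m in archive_members(zip_bytes)):
        hits.append("wsf-in-zip")
    return sorted(hits)


def build_sample_zip():
    """Constructed, inert sample: a plain-text member that only carries the .wsf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Untitled(29).wsf", "placeholder text, not a script")
    return buf.getvalue()


# Constructed message records: one shaped like the campaign mail, one benign.
SAMPLE_MESSAGES = [
    {"from": '"Ollie" <ollie@victim.example>', "to": "bob@victim.example",
     "subject": "Re:Documents Requested", "attachments": ["Untitled(29).zip"],
     "zip_bytes": build_sample_zip()},
    {"from": "alice@partner.example", "to": "bob@victim.example",
     "subject": "Documents requested for audit", "attachments": ["report.pdf"],
     "zip_bytes": None},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", analyze_message(msg))
    print(is_suspicious_rundll32(r"rundll32.exe %TEMP%\vIpzmlDeg1.dll,qwerty"))
```

The attachment and subject patterns are written from the variants the note lists, so they are deliberately narrow; the rundll32 check is the more durable of the four, since loading a DLL by export name from a user temp directory is unusual for legitimate software regardless of the file name.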