Racco42

2016-09-12 Locky & Pony "Image / Photo / Document / Picture"

Sep 12th, 2016
2016-09-12 #pony email phishing campaign "Image / Photo / Photos / Picture / Document"

Email sample:
---------------------------------------------------------------------------------------------
From: "Simone" <Simone0751@packstation.de>
To: "filiale@packstation.de" <filiale@packstation.de>
Subject: Picture
Date: Mon, 12 Sep 2016 06:17:02 -0700

Attachment: PC_20160830_6_83_4_Pro.zip
---------------------------------------------------------------------------------------------
- Sender address is forged so the email appears to come from the recipient's own domain
- Subject is "Image", "Photo", "Photos", "Picture" or "Document"
- Email body is empty
- Attachment named "[DC|IG|PC|PH|WP]_20160830_<number>_<number>_<number>_Pro.zip" contains a file "<random chars>.wsf", a JScript downloader
  16.  
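As an added example (not part of the original paste), a small mail-triage rule in Python that scores a message against the traits listed above: sender on the recipient's own domain, one of the campaign subjects, an empty body, the zip naming pattern, and a .wsf file inside the zip. Both sample messages are constructed; the attachment member name "kq8z1f.wsf" is a made-up placeholder for the random name.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the campaign description above.
SUBJECTS = {"image", "photo", "photos", "picture", "document"}
ATTACHMENT_RE = re.compile(r"^(DC|IG|PC|PH|WP)_20160830_\d+_\d+_\d+_Pro\.zip$")

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    # zip attachment name -> names of the files inside it
    attachments: dict = field(default_factory=dict)

def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address like '"Simone" <x@y.de>'."""
    m = re.search(r"<([^>]+)>", addr)
    bare = m.group(1) if m else addr
    return bare.rsplit("@", 1)[-1].strip().lower()

def indicators(msg: Message) -> list:
    """List the campaign traits the message exhibits, in a fixed order."""
    hits = []
    if domain_of(msg.sender) == domain_of(msg.recipient):
        hits.append("sender_forged_to_recipient_domain")
    if msg.subject.strip().lower() in SUBJECTS:
        hits.append("campaign_subject")
    if not msg.body.strip():
        hits.append("empty_body")
    for name, members in msg.attachments.items():
        if ATTACHMENT_RE.match(name):
            hits.append("campaign_attachment_name")
        if any(member.lower().endswith(".wsf") for member in members):
            hits.append("wsf_inside_zip")
    return hits

def is_campaign(msg: Message) -> bool:
    """Flag only when the zip pattern matches and at least two more traits agree."""
    hits = indicators(msg)
    return "campaign_attachment_name" in hits and len(hits) >= 3

# Constructed sample modelled on the email shown above.
PHISH = Message('"Simone" <Simone0751@packstation.de>',
                '"filiale@packstation.de" <filiale@packstation.de>',
                "Picture", "", {"PC_20160830_6_83_4_Pro.zip": ["kq8z1f.wsf"]})
# Constructed benign internal mail: same subject, real body text, no zip.
BENIGN = Message("<anna@packstation.de>", "<filiale@packstation.de>",
                 "Picture", "Hi, the photo from the event is attached.", {})
```

Requiring the attachment pattern plus two other traits keeps a legitimate internal "Picture" email from being flagged on subject and domain alone.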
Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not affect the download):

Malware:
- http://***/8fh34f3 = #pony
- encoded on download, SHA256 c01e710ca89fd333bf87a518baa78a9420c997993546bf518cf712248188bd79, filesize 240944 bytes
- decoded b88e84d9c7c407c7bad40777e87413628d8786af643d1581aa9aa82209751fd7

- http://***/7g6bubt7v = #locky
- encoded on download, SHA256 95332332374ce3d242cbe1a693b9d315972b6aa5e266bcab3deb1ec441ee0f10, filesize 159744 bytes
- decoded bbfb4c0bbae915cc719325970c0cc9e9bf144d96043b9cc7c18a328a2e69a2c5
