Racco42

2016-11-01 Locky "Invoice No. xxxxxxxx"

Nov 2nd, 2016
2016-11-01: #locky email phishing campaign "Invoice No. xxxxxxxx for <recipient>"

Email sample:
-------------------------------------------------------------------------------------------------------------------
From: <info@[REDACTED]>
To: [REDACTED]
Subject: Invoice No. 50543846 for [REDACTED]
Date: Tue, 01 Nov 2016 06:18:27 -0700

REF: 10652342

INVOICE NUMBER: 50543846

FROM: Vincent & Gorbing (175-187 Linthorpe Road,Buxton, Derbyshire, SK179QF, UNITED KINGDOM)

DATE: 01/11/2016

---------------------------------

This is an automated message generated by the Banana ERP Accounting.
Any questions? Reply to this e-mail address. Do not hesitate to contact us.

Attachment: INV_NO_50543846.zip
-------------------------------------------------------------------------------------------------------------------
- sender address is spoofed to appear as info@<recipient's domain>
- subject is "Invoice No. <8 digits> for <recipient's email address without the domain part>"
- attached file "INV_NO_<digits>.zip" contains the file "INV_NO_<digits>.wsf", a JScript downloader

Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):
http://1000i.co/87yfhc
http://33173.com/87yfhc
http://adriandomini.com.ar/87yfhc
http://agorarestaurant.ro/87yfhc
http://amediacanarias.com/87yfhc
http://anagrual.es/87yfhc
http://arburton.com/87yfhc
http://arrefrigeracao.com.br/87yfhc
http://asiawing.com/87yfhc
http://asirio.es/87yfhc
http://asylinfo.de/87yfhc
http://avbonline.nl/87yfhc
http://avon2you.ru/87yfhc
http://avpschool.org/87yfhc
http://ayurvedic.by/87yfhc
http://bakfon.az/87yfhc
http://bappeda.palangkaraya.go.id/87yfhc
http://basis12.ru/87yfhc
http://bbdogalgaz.com/87yfhc
http://bg-globalmarketing.com/87yfhc
http://bielpak.pl/87yfhc
http://bijansartorial.com/87yfhc
http://bjxdsm.com/87yfhc
http://cavieuredo.net/87yfhc
http://chinaeyes.net/87yfhc
http://cidadehoje.pt/87yfhc
http://city-hospital.com/87yfhc
http://codanuscorp.com/87yfhc
http://comdatex.de/87yfhc
http://comercialzamora.es/87yfhc
http://comovan.t5.com.br/87yfhc
http://computerhome.lu/87yfhc
http://csepelihaziko.hu/87yfhc
http://cted.pt/87yfhc
http://dbs.mx/87yfhc
http://deepwellsenergy.com/87yfhc
http://designercabochons.co.uk/87yfhc
http://dmamart.com/87yfhc
http://doggytalk.be/87yfhc
http://domain4all.gr/87yfhc
http://drevenesochy.eu/87yfhc
http://drmulchandani.com/87yfhc
http://dulich.me/87yfhc
http://eadmin.cz/87yfhc
http://edubit.eu/87yfhc
http://englishstate.com/87yfhc
http://eroger.be/87yfhc
http://esustentables.com.ar/87yfhc
http://fanpool.ru/87yfhc
http://farmgirlpoems.com/87yfhc
http://haushisn.com/87yfhc
http://land.14-18.ru/87yfhc
http://pornovizion.com/87yfhc
http://topsng.ru/87yfhc
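
As an added example (not part of the paste), here is a small Python detection for the three email traits listed above and for the download-site list: the URL check strips the random ?<random>=<random> suffix before comparing, exactly because the paste says the suffix does not influence the download. The sample message and the proxy log lines are constructed to mirror the described structure (no real recipient data), and only two of the listed download sites are embedded in the match set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, urlunsplit

# Subject pattern from the paste: "Invoice No. <8 digits> for <recipient local part>"
SUBJECT_RE = re.compile(r"^Invoice No\. (\d{8}) for (\S+)$")
# Attachment naming pattern from the paste: INV_NO_<digits>.zip
ATTACHMENT_RE = re.compile(r"^INV_NO_\d+\.zip$", re.IGNORECASE)

# Constructed message (not a real capture) with the campaign's structure:
# spoofed info@<recipient domain> sender, matching subject, zip attachment.
SAMPLE_EMAIL = """From: <info@example.org>
To: jane.doe@example.org
Subject: Invoice No. 50543846 for jane.doe
Date: Tue, 01 Nov 2016 06:18:27 -0700
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

REF: 10652342
--b1
Content-Type: application/zip; name="INV_NO_50543846.zip"
Content-Disposition: attachment; filename="INV_NO_50543846.zip"

UEsDBA==
--b1--
"""


def attachment_names(msg):
    """Collect filenames of all MIME parts that carry one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def match_locky_invoice(raw):
    """Return the campaign traits found in a raw RFC 822 message (empty list = no match)."""
    msg = message_from_string(raw)
    traits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_domain = sender.rpartition("@")
    r_local, _, r_domain = recipient.rpartition("@")

    # Trait 1: sender forged as info@ at the recipient's own domain.
    if s_local.lower() == "info" and s_domain and s_domain.lower() == r_domain.lower():
        traits.append("sender spoofed as info@<recipient domain>")

    # Trait 2: subject carries an 8-digit invoice number and the recipient's local part.
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if m and m.group(2).lower() == r_local.lower():
        traits.append("subject 'Invoice No. <8 digits> for <recipient local part>'")

    # Trait 3: INV_NO_<digits>.zip attachment (the container for the .wsf downloader).
    if any(ATTACHMENT_RE.match(name) for name in attachment_names(msg)):
        traits.append("attachment INV_NO_<digits>.zip")
    return traits


def normalize_download_url(url):
    """Drop the query string (the ?<random>=<random> suffix) and lower-case scheme/host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


# Two entries taken from the paste's download-site list (subset, for illustration).
DOWNLOAD_SITES = {"http://asylinfo.de/87yfhc", "http://eadmin.cz/87yfhc"}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = [
    "2016-11-01T13:20:01Z 10.0.0.5 GET http://asylinfo.de/87yfhc?ab12=zz9 200",
    "2016-11-01T13:20:07Z 10.0.0.5 GET http://example.net/index.html 200",
    "2016-11-01T13:21:44Z 10.0.0.9 GET http://eadmin.cz/87yfhc?q=1 200",
]


def find_download_hits(log_lines, download_sites):
    """Return (client IP, original URL) for log lines whose normalized URL is a known download site."""
    hits = []
    for line in log_lines:
        fields = line.split()
        url = fields[3]
        if normalize_download_url(url) in download_sites:
            hits.append((fields[1], url))
    return hits


if __name__ == "__main__":
    print(match_locky_invoice(SAMPLE_EMAIL))
    print(find_download_hits(PROXY_LOG, DOWNLOAD_SITES))
```

Matching on the normalized URL rather than the raw request line is the point of the second half: with the random query suffix in place, a literal comparison against the list above would never fire.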

Malware:
- encoded on download, SHA256 df730cd35d525c64f45a6134b75e8ae13412736289bc81a283c71d9a9e5b1275, filesize 249856 bytes
- decoded SHA256 a671f6b8f2af3235f0d76e24278658d3d5598eb24a530a9fa5f4e44bc7fa5ece
- samples
https://malwr.com/analysis/NTJiNjJhODQxYWU0NGNjYTg5N2E1YTA2OWIxNzVhYTE/
https://malwr.com/analysis/NzVhNmQyZWYyNmNhNDZjZjk3NDI1NTdhYTM5M2QxMDU/
https://malwr.com/analysis/MzI5Y2ZjODlhODRjNDY2Y2ExMmNlMGFjYzcwMjE3ZDc/
https://malwr.com/analysis/MDgyM2I0NzM2ZGI5NDM4ZmE1N2ZlOGQyNDU4NzFiZjQ/

C2:
http://51.255.107.20/linuxsucks.php