Racco42

2016-09-14 Locky "Renewed License"

Sep 14th, 2016
2016-09-14 #locky email phishing campaign "Renewed License"

Email:
--------------------------------------------------------------------------------------------------------
From: "Johnny Fleming" <Fleming.259@mobily.com.sa>
To: [REDACTED]
Subject: Renewed License
Date: Wed, 14 Sep 2016 22:34:35 +0300

Here is the company's renewed business license.

Please see the attached license and send it to the head office.


Best regards,
Johnny Fleming
License Manager

Attachment: c2fcf5b4f7.zip
--------------------------------------------------------------------------------------------------------
- sender addresses vary
- subject is "Renewed License"
- attached file <random hex chars>.zip contains two identical files, "renewed business license <random hex chars>.wsf" and "renewed business license <random hex chars> (copy).wsf", each containing a JScript downloader

Download sites:
http://amrastacy.com/7bx49l
http://moismdheri.net/jqpxub
http://pawlrubia.net/9ioiv7
http://pradran.com/5tff6xh
http://rokerlelia.net/rbrpe
http://tearyrecce.com/duv3l

Malware:
- payload is encoded as downloaded, filesize 191492 bytes
b7754b3ae9660178964aa49b765f5f15a87f95430f921b8225a9c682c83a14a0 http___amrastacy.com_7bx49l
47583e9361456411469b6e44df9c4b967c9dcf4859cf49c6b28c5329319150c2 http___moismdheri.net_jqpxub
9b4c62d570f235538810e0cc410df183b3dc68ac5e706870a255feece122c0a3 http___pawlrubia.net_9ioiv7
b6b01fea9b3ffdb9777e3fe520b61a0e2708aeadea0081ce7555bfbe283cafe1 http___pradran.com_5tff6xh
3d8cb8d5bad47fb15b8e6f8a859eb2d183e8a05e974f8b3703af9f63cfabd69a http___rokerlelia.net_rbrpe
861b752738f395c7dd40e80b954863c374a463ea1acca3caae3be024cd93a558 http___tearyrecce.com_duv3l
- decoded by the downloader, filesize 191488 bytes
2e1b0b4ac4b0ce8612da84f84166596ae1804915cea0c0881684f03f81659a06 http___amrastacy.com_7bx49l
a1623e14fb9d19eb8a523105ed972d191c30576a71b5267c8dc833e0b23bf4fa http___moismdheri.net_jqpxub
9492c69db65008f9f7653242a24c2cfb071ab6f7a00219627b480720594d0427 http___pradran.com_5tff6xh
54978022f05da79212f51cb83975378b4a5138b6b48d5cb94aecc4b9e8a6315a http___rokerlelia.net_rbrpe
a1f9b8dffe37afa77605e12ff540346be58b1c39af494b2b8342e2653d961b55 http___pawlrubia.net_9ioiv7

- executed by "rundll32.exe %TEMP%\u0y5E9H2.dll,qwerty 323" (DLL name is random; the export name and numeric argument are what the downloader passes)

Sandbox reports:
https://www.reverse.it/sample/6e02c709fac13e3812a49306a065e067ef884231245120b079575ec696772fde?environmentId=100
https://www.reverse.it/sample/4f3856834113ad7cd7f4f4dfa0752ed58f6aeb77219bfe99f2ef59dd26e33f33?environmentId=100
https://www.reverse.it/sample/7b4e716c301a14af4464f6c43e9081b9d437c6b009114279b910ad949df091aa?environmentId=100
https://www.reverse.it/sample/d332a35cebcb4ddebb0a8509c7e032fb620463cba94c40bc76ff6d87d0d09f24?environmentId=100
https://www.reverse.it/sample/c6cac56e02d3f1c7b02a9ef5c636be36ad87713d9dd67825d8c4d63998a50233?environmentId=100
https://www.reverse.it/sample/0945c9674068494eb5768c8ebc6b4f142c5fad6a783ebed035c9f0f9218091de?environmentId=100
https://www.reverse.it/sample/1436ff48f7810c90db24dabafd334b11ee5042150fdb7209c6d8964a209e045c?environmentId=100
https://www.reverse.it/sample/eabeeac88f80e6c3820aecbea765184c50223db4a7020f900df041cb6ec081e3?environmentId=100
https://www.reverse.it/sample/ab01fbee8e50771628a1da3792d068ce585ff80a0b6fe8385308bd5eeb06a5a4?environmentId=100
https://www.reverse.it/sample/464ebb9ec9df9f0b5e3f7536f5c0079ae8cba3d097b2f2eeef5764d545b02da1?environmentId=100
https://www.reverse.it/sample/32c47e680d3a389d0b6aedc0f59516d654a430c2bf0bbebae92ac9a1c70259d4?environmentId=100
https://www.reverse.it/sample/cfef07d15ae07a47303aac4d98a820813e329bf423ce24511599632a779b4cc4?environmentId=100
https://www.reverse.it/sample/613430c2ae49b95c28cd2fb4100fccdb15bb7f8ce45d1ff006d27268bb031ae3?environmentId=100

C2:
- no C2 communication; the encryption keys are embedded in Locky's config, so the sample encrypts offline and there is no callback to block or detect on the network
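The observables above (a random-hex .zip carrying two identical "renewed business license <hex>.wsf" JScript files, the six download URLs and the 191492/191488-byte payload sizes, and the "rundll32.exe <temp dll>,qwerty 323" launch) can be turned into mail-gateway and endpoint checks. The following script is an added example and not part of the original paste: the sample zip, the placeholder WSF body and the log lines it scans are constructed for illustration, and the paste does not say whether the download URLs appear in plaintext inside the script, so that URL check only covers the unobfuscated case.

```python
"""Detection checks for the 2016-09-14 Locky "Renewed License" campaign.

Added example (not the paste author's code). Observables are copied from
the paste; sample inputs below are constructed.
"""
import hashlib
import io
import re
import zipfile
from typing import List, Optional

# Observables from the paste.
DOWNLOAD_URLS = {
    "http://amrastacy.com/7bx49l", "http://moismdheri.net/jqpxub",
    "http://pawlrubia.net/9ioiv7", "http://pradran.com/5tff6xh",
    "http://rokerlelia.net/rbrpe", "http://tearyrecce.com/duv3l",
}
ENCODED_SIZE = 191492  # payload size as served by the download sites
DECODED_SIZE = 191488  # payload size after the downloader decodes it

ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.I)
WSF_NAME_RE = re.compile(r"^renewed business license [0-9a-f]+( \(copy\))?\.wsf$", re.I)
# rundll32.exe <dll>,<export> [argument]  (the paste shows ",qwerty 323")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),(?P<export>[^\s,]+)(?:\s+(?P<arg>.*))?$", re.I)
TEMP_DIR_RE = re.compile(r"%temp%|\\temp\\", re.I)


def analyze_attachment(zip_name: str, zip_bytes: bytes) -> List[str]:
    """Return the reasons an e-mail attachment matches the campaign's lure."""
    reasons = []
    if ZIP_NAME_RE.match(zip_name):
        reasons.append("zip name is random hex")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        wsf = [m for m in zf.namelist() if m.lower().endswith(".wsf")]
        if wsf:
            reasons.append(f"{len(wsf)} .wsf member(s): wscript runs them on double-click")
        if wsf and all(WSF_NAME_RE.match(m) for m in wsf):
            reasons.append("member names match 'renewed business license <hex>[ (copy)].wsf'")
        digests = {hashlib.sha256(zf.read(m)).hexdigest() for m in wsf}
        if len(wsf) >= 2 and len(digests) == 1:
            reasons.append("two or more members with identical content (original + '(copy)')")
        for m in wsf:
            body = zf.read(m).decode("utf-8", "replace")
            if re.search(r"<script\s+language\s*=\s*[\"']?jscript", body, re.I):
                reasons.append(f"{m}: JScript block inside WSF")
            for url in sorted(DOWNLOAD_URLS):
                if url in body:  # only if the script carries the URL unobfuscated
                    reasons.append(f"{m}: references known download site {url}")
    return reasons


def check_download(url: str, size: int) -> List[str]:
    """Proxy-log check: known URL or the campaign's exact payload size."""
    hits = []
    if url in DOWNLOAD_URLS:
        hits.append("known Locky download URL")
    if size == ENCODED_SIZE:
        hits.append(f"response size {ENCODED_SIZE} matches encoded payload")
    return hits


def check_rundll32(cmdline: str) -> Optional[dict]:
    """Endpoint check: parse a rundll32 command line and flag the launch pattern."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export, arg = m.group("dll"), m.group("export"), m.group("arg")
    suspicious = []
    if TEMP_DIR_RE.search(dll):
        suspicious.append("DLL loaded from a temp directory")
    if arg is not None and arg.strip().isdigit():
        suspicious.append("numeric argument passed to the export (matches ',qwerty 323')")
    return {"dll": dll, "export": export, "arg": arg, "suspicious": suspicious}


# Constructed sample: a zip shaped like the attachment described in the paste.
SAMPLE_WSF = (b'<job id="j"><script language="JScript">'
              b'/* constructed placeholder, not the real downloader */'
              b'</script></job>')


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("renewed business license 4a2f9c.wsf", SAMPLE_WSF)
        zf.writestr("renewed business license 4a2f9c (copy).wsf", SAMPLE_WSF)
    return "c2fcf5b4f7.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample_zip()
    print(name, analyze_attachment(name, data))
    print(check_download("http://pradran.com/5tff6xh", 191492))
    print(check_rundll32(r"rundll32.exe %TEMP%\u0y5E9H2.dll,qwerty 323"))
```

The attachment check is the one worth deploying at the gateway: a .zip named with hex only, containing a .wsf pair with identical content, is characteristic of this lure regardless of the sender, which varies. The rundll32 rule is looser (legitimate installers also call exports in %TEMP%), so treat it as a hunt query and pivot on the DLL's hash against the decoded-sample list above.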