Locky ransomware

Forum for analysis and discussion about malware.
waffles2.0
Posts: 25
Joined: Mon Aug 01, 2016 9:49 am

Re: Locky ransomware

Post by waffles2.0 » Mon Oct 24, 2016 1:16 pm

New Locky campaign with .shit extension

https://www.virustotal.com/en/file/0fae ... /analysis/

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Mon Oct 24, 2016 2:13 pm

New Locky C&Cs are lol:

hxtp://185.102.136.77/linuxsucks.php
hxtp://91.200.14.124/linuxsucks.php
hxtp://109.234.35.215/linuxsucks.php
Last edited by Xylitol on Mon Oct 24, 2016 5:53 pm, edited 1 time in total.
Reason: link obfuscation

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Tue Oct 25, 2016 2:11 pm

Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
@xorsthings

lodo
Posts: 1
Joined: Tue Aug 18, 2015 1:22 am

Re: Locky ransomware

Post by lodo » Tue Oct 25, 2016 4:29 pm

xors wrote:Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
Can you share the packed file / vt link?

Thanks.

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Tue Oct 25, 2016 7:58 pm

lodo wrote:
xors wrote:Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
Can you share the packed file / vt link?

Thanks.
@xorsthings

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Sat Oct 29, 2016 9:40 pm

Started using the nullsoft installer again
@xorsthings

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Fri Nov 04, 2016 8:39 am

URI change to "/message.php":

7af9f6b3a218a4c209336dd6805437372ace1bc5614a3a49e822ba93b27a6129:
hxxp://51.255.107.37/message.php
hxxp://109.234.35.230/message.php
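The C2 URLs posted above (the three /linuxsucks.php hosts from Oct 24 and the two /message.php hosts from Nov 04) and the .shit/.thor extensions mentioned earlier in the thread can be turned into a small proxy-log and file-event check. The script below is an added example written for this page, not code from any poster; the log format (Squid-style access log), the file paths and the mass-rename threshold are constructed for the demonstration, and the "bare-IP host plus .php path" heuristic is an assumption generalised from the shape of the posted URLs, flagged as low confidence.

```python
import re
from collections import Counter

# Indicators copied from the thread posts (C2 IPs and URI paths reported on
# Oct 24 and Nov 04, 2016). Treat them as historical IoCs for this campaign.
LOCKY_C2_IPS = {
    "185.102.136.77", "91.200.14.124", "109.234.35.215",   # /linuxsucks.php
    "51.255.107.37", "109.234.35.230",                     # /message.php
}
LOCKY_C2_PATHS = {"/linuxsucks.php", "/message.php"}

# Encrypted-file extensions named in the thread.
LOCKY_EXTENSIONS = {".shit", ".thor"}

# Squid-style access log: "<ts> <elapsed> <client> <result> <bytes> <method> <url> ..."
# This is a constructed format for the example; adapt the regex to your proxy.
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
URL_PARTS = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#\s]*)?")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_proxy_line(line):
    """Return the reasons a proxy log line matches the Locky C2 IoCs (empty list if none)."""
    m = PROXY_LINE.match(line)
    if not m:
        return []
    u = URL_PARTS.match(m.group("url"))
    if not u:
        return []
    host = u.group("host")
    path = (u.group("path") or "/").lower()
    reasons = []
    if host in LOCKY_C2_IPS:
        reasons.append("known C2 IP " + host)
    if path in LOCKY_C2_PATHS:
        reasons.append("Locky C2 URI " + path)
    # Assumption (low confidence): all posted C2s are a bare IPv4 host with a
    # single .php path, so flag that shape even when the host is new.
    if not reasons and BARE_IPV4.match(host) and path.endswith(".php") and path.count("/") == 1:
        reasons.append("heuristic: bare-IP host with .php path")
    return reasons


def scan_proxy_log(lines):
    """Return (line, reasons) for every line that matched at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify_proxy_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def flag_locky_renames(file_paths, threshold=5):
    """Count files per Locky extension; report those at or above the mass-rename threshold."""
    counts = Counter()
    for p in file_paths:
        ext = ("." + p.rsplit(".", 1)[-1].lower()) if "." in p else ""
        counts[ext] += 1
    return {ext: n for ext, n in counts.items() if ext in LOCKY_EXTENSIONS and n >= threshold}


# Constructed sample data: two beacons to posted C2s, one benign request,
# and one request to an unknown host that reuses the /message.php path.
SAMPLE_PROXY_LOG = [
    "1477314980.123 210 10.0.0.15 TCP_MISS/200 1422 POST http://185.102.136.77/linuxsucks.php - DIRECT/185.102.136.77 text/html",
    "1477314981.456 130 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1478251150.789 190 10.0.0.22 TCP_MISS/200 1380 POST http://51.255.107.37/message.php - DIRECT/51.255.107.37 text/html",
    "1478251160.001 180 10.0.0.22 TCP_MISS/200 1380 POST http://198.51.100.7/message.php - DIRECT/198.51.100.7 text/html",
]

# Constructed file-event sample: five files renamed to .thor next to two untouched files.
SAMPLE_FILE_PATHS = [
    r"C:\Users\bob\Documents\report.docx.thor",
    r"C:\Users\bob\Documents\budget.xlsx.thor",
    r"C:\Users\bob\Pictures\holiday1.jpg.thor",
    r"C:\Users\bob\Pictures\holiday2.jpg.thor",
    r"C:\Users\bob\Desktop\notes.txt.thor",
    r"C:\Users\bob\Desktop\todo.txt",
    r"C:\Users\bob\Pictures\holiday3.jpg",
]

if __name__ == "__main__":
    for line, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(reasons, "<-", line.split()[6])
    print("mass rename:", flag_locky_renames(SAMPLE_FILE_PATHS))
```

The exact-match rules are the reliable part; the bare-IP heuristic will also catch legitimate traffic to IP-addressed PHP endpoints, so it belongs in a low-severity rule used for triage rather than alerting.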

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Fri Nov 04, 2016 11:29 am

Who knows latest launch parameters?

Antelox
Posts: 153
Joined: Sun Mar 21, 2010 10:38 pm

Re: Locky ransomware

Post by Antelox » Sat Nov 05, 2016 11:57 am

Kick10 wrote:Who knows latest launch parameters?
Should be text.

BR,

Antelox

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Sat Nov 05, 2016 8:30 pm

Kick10 wrote:Who knows latest launch parameters?
In recent campaigns, they use different parameters. For example 'aaa' + random number, 'ccc' + random number, 'text'
@xorsthings
