Locky ransomware

Forum for analysis and discussion about malware.

Re: Locky ransomware

Postby waffles2.0 » Mon Oct 24, 2016 1:16 pm

New Locky campaign with .shit extension

https://www.virustotal.com/en/file/0fae ... /analysis/
waffles2.0
 
Posts: 22
Joined: Mon Aug 01, 2016 9:49 am
Reputation point: 7

Re: Locky ransomware

Postby Kick10 » Mon Oct 24, 2016 2:13 pm

Last edited by Xylitol on Mon Oct 24, 2016 5:53 pm, edited 1 time in total.
Reason: link obfuscation
Kick10
 
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine
Reputation point: 0

Re: Locky ransomware

Postby xors » Tue Oct 25, 2016 2:11 pm

Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Locky ransomware

Postby lodo » Tue Oct 25, 2016 4:29 pm

xors wrote:Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.

Can you share the packed file / vt link?

Thanks.
lodo
 
Posts: 1
Joined: Tue Aug 18, 2015 1:22 am
Reputation point: 0

Re: Locky ransomware

Postby xors » Tue Oct 25, 2016 7:58 pm

lodo wrote:
xors wrote:Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.

Can you share the packed file / vt link?

Thanks.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Locky ransomware

Postby xors » Sat Oct 29, 2016 9:40 pm

Started using the Nullsoft installer again.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Locky ransomware

Postby Kick10 » Fri Nov 04, 2016 8:39 am

URI change to "/message.php":

7af9f6b3a218a4c209336dd6805437372ace1bc5614a3a49e822ba93b27a6129:
hxxp://51.255.107.37/message.php
hxxp://109.234.35.230/message.php
Kick10
 
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine
Reputation point: 0
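The indicators shared in this thread (the two /message.php check-in URLs, the sample hash, and the .shit / .thor extensions reported earlier) can be turned into a small defensive matcher. The following is an added example written for this page, not code from any poster; the proxy log format, the sample log lines and the sample file names are constructed assumptions, and the "message.php on a bare IPv4 host" heuristic is a generalisation of the two reported URLs rather than something the thread states.

```python
import re
from ipaddress import ip_address

# IoCs copied from the thread. hxxp:// is the defanged notation used in the posts.
C2_URLS_DEFANGED = [
    "hxxp://51.255.107.37/message.php",
    "hxxp://109.234.35.230/message.php",
]
SAMPLE_SHA256 = "7af9f6b3a218a4c209336dd6805437372ace1bc5614a3a49e822ba93b27a6129"
# Encrypted-file extensions reported in the thread.
LOCKY_EXTENSIONS = {".shit", ".thor"}
# Check-in path reported by Kick10; used by the lower-confidence heuristic below.
C2_PATH = "/message.php"


def refang(url):
    """Convert the defanged form (hxxp://, [.]) back into a matchable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url).replace("[.]", ".")


C2_URLS = {refang(u) for u in C2_URLS_DEFANGED}
C2_HOSTS = {u.split("://", 1)[1].split("/", 1)[0] for u in C2_URLS}


def split_url(url):
    """Return (host, path) for an http(s) URL; path defaults to '/'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    host, _, path = rest.partition("/")
    return host, "/" + path


def is_bare_ipv4(host):
    """True when the host part is a literal IPv4 address (optionally with a port)."""
    try:
        return ip_address(host.split(":")[0]).version == 4
    except ValueError:
        return False


# Constructed proxy log format (an assumption, not taken from the thread):
# "<timestamp> <client-ip> <METHOD> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def check_proxy_line(line):
    """Return (severity, reason, client) for a suspicious line, else None."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    url = m.group("url")
    host, path = split_url(url)
    if url in C2_URLS:
        return ("high", "exact match on reported Locky C2 URL", m.group("client"))
    if host in C2_HOSTS:
        return ("high", "request to reported Locky C2 host, different path", m.group("client"))
    # Lower confidence: the reported check-in path on a bare-IP host. This
    # generalises the two reported URLs and needs tuning on a real network.
    if path == C2_PATH and is_bare_ipv4(host):
        return ("medium", "message.php check-in on a bare IPv4 host", m.group("client"))
    return None


def scan_proxy_log(lines):
    """Run check_proxy_line over an iterable of lines and collect the hits."""
    return [hit for hit in (check_proxy_line(line) for line in lines) if hit]


def flag_encrypted_names(filenames):
    """Return file names carrying one of the reported Locky extensions."""
    return [f for f in filenames if f.lower().endswith(tuple(LOCKY_EXTENSIONS))]


# Constructed sample data for a stand-alone run.
SAMPLE_PROXY_LOG = [
    "2016-11-04T08:40:01Z 10.0.0.15 POST http://51.255.107.37/message.php 200",
    "2016-11-04T08:40:02Z 10.0.0.15 GET http://109.234.35.230/other.php 404",
    "2016-11-04T08:41:10Z 10.0.0.22 POST http://203.0.113.9/message.php 200",
    "2016-11-04T08:42:00Z 10.0.0.30 GET http://example.com/message.php 200",
]
SAMPLE_FILENAMES = [
    "report.docx",
    "ABCD1234-EF56-7890-1111-222233334444.thor",
    "photo.jpg.shit",
    "notes.txt",
]

if __name__ == "__main__":
    for severity, reason, client in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{severity}] {client}: {reason}")
    print("encrypted-looking names:", flag_encrypted_names(SAMPLE_FILENAMES))
```

The exact-URL and known-host matches are the reliable part; the bare-IP /message.php heuristic is there because the thread shows the path being reused across hosts, so host-only lists go stale quickly, but it will need an allow-list on any network that legitimately talks to raw IPs.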

Re: Locky ransomware

Postby Kick10 » Fri Nov 04, 2016 11:29 am

Who knows the latest launch parameters?
Kick10
 
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine
Reputation point: 0

Re: Locky ransomware

Postby Antelox » Sat Nov 05, 2016 11:57 am

Kick10 wrote:Who knows the latest launch parameters?

Should be text.

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Locky ransomware

Postby xors » Sat Nov 05, 2016 8:30 pm

Kick10 wrote:Who knows the latest launch parameters?

In recent campaigns, they use different parameters. For example 'aaa' + random number, 'ccc' + random number, 'text'.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63
