Locky ransomware

Forum for analysis and discussion about malware.
Gal_B1t
Posts: 1
Joined: Sun Feb 28, 2016 2:55 pm

Re: Locky ransomware

Post by Gal_B1t » Mon Feb 29, 2016 6:34 am

Found an interesting hack to prevent some Locky samples; simply add either of these registry keys:

HKLM\SOFTWARE\ESET
HKLM\SOFTWARE\AVAST Software
It also looks for:

HKLM\SOFTWARE\KasperskyLab
but it just alters its behaviour and does not terminate after it is found.

It was verified with the following Locky payloads (SHA-256):

It is far from 100% of the samples, but still - quite nice :)
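
As an added example (not code from Gal_B1t's post), the PowerShell below creates the two marker keys named above if they are missing and reports their state; the function names and the "Vaccine" string value written under each key are this example's own additions, not something the post describes.

```powershell
# Added example: create the registry keys that, per the post above, make some
# Locky samples terminate. Run from an elevated prompt (HKLM needs admin rights).
# Key paths come from the post; the 'Vaccine' value is an assumption of this
# example so an admin can later tell the marker apart from a real AV install.
$MarkerKeys = @(
    'HKLM:\SOFTWARE\ESET',
    'HKLM:\SOFTWARE\AVAST Software'
)

function Get-LockyMarkerState {
    # One object per key, with whether it currently exists.
    foreach ($key in $MarkerKeys) {
        [pscustomobject]@{
            Key    = $key
            Exists = Test-Path -LiteralPath $key
        }
    }
}

function Add-LockyMarkerKeys {
    # Idempotent: existing keys (including genuine AV installs) are left untouched.
    foreach ($state in Get-LockyMarkerState) {
        if ($state.Exists) {
            Write-Host "already present: $($state.Key)"
            continue
        }
        New-Item -Path $state.Key -Force | Out-Null
        # Label the key so inventory or later cleanup can recognise it as a marker.
        New-ItemProperty -Path $state.Key -Name 'Vaccine' -PropertyType String `
            -Value 'Locky marker key, not an AV installation' | Out-Null
        Write-Host "created: $($state.Key)"
    }
}

Add-LockyMarkerKeys
Get-LockyMarkerState | Format-Table -AutoSize
```

As the post itself notes, only some samples check these keys, so this is a supplementary marker rather than protection.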

dronin
Posts: 1
Joined: Thu Feb 25, 2016 6:56 pm

Re: Locky ransomware

Post by dronin » Mon Feb 29, 2016 12:00 pm

Hi there,

Heard about a Locky variant in JavaScript; is any of you aware of this?
Found some weird JS files attached to some mails in my quarantine, but those seem to be broken.

Regards
DR

FafZee
Posts: 23
Joined: Tue Mar 19, 2013 11:08 am

Re: Locky ransomware

Post by FafZee » Mon Feb 29, 2016 12:50 pm

JS files are downloaders. They just try to download samples from hacked websites.

tech
Posts: 1
Joined: Wed Mar 02, 2016 11:33 pm

Re: Locky ransomware

Post by tech » Wed Mar 02, 2016 11:46 pm

dronin wrote:Hi there,

Heard about a Locky variant in JavaScript; is any of you aware of this?
Found some weird JS files attached to some mails in my quarantine, but those seem to be broken.

Regards
DR
I joined this site like 5 mins ago, but yes, I do actually have a .js file that came in as an invoice. It downloads a type of ransomware and changes all the files to .mp3 (not simply an extension change; it encrypts them).
I can upload on request. It acts just like Locky, but more like a Locky knock-off.

maximusdecimer
Posts: 10
Joined: Tue Aug 05, 2014 4:54 am

Re: Locky ransomware

Post by maximusdecimer » Thu Mar 03, 2016 7:08 am

It downloads a type of ransomware and changes all the files to .mp3 (not simply an extension change; it encrypts them).
Probably TeslaCrypt

-Maximus

FafZee
Posts: 23
Joined: Tue Mar 19, 2013 11:08 am

Re: Locky ransomware

Post by FafZee » Thu Mar 03, 2016 7:18 am

Hey,

It is TeslaCrypt, not Locky. By the way, can you share the sample please?

And as I said, JS is only the downloader, not the ransomware itself...

maddog4012
Posts: 76
Joined: Mon Aug 04, 2014 6:53 pm

Re: Locky ransomware

Post by maddog4012 » Mon Mar 14, 2016 6:27 pm

Here is a sample of Locky I downloaded today.

keoni161
Posts: 4
Joined: Wed Aug 26, 2015 8:49 am

Re: Locky ransomware

Post by keoni161 » Wed Mar 16, 2016 7:20 am

Here is the config for the sample above.
Another attachment with the unpacked version.

maddog4012
Posts: 76
Joined: Mon Aug 04, 2014 6:53 pm

Re: Locky ransomware

Post by maddog4012 » Wed Mar 16, 2016 5:59 pm

Here are a few samples of the latest JavaScript that I came across today; also attached is the Locky variant that is downloaded by the script.

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Locky ransomware

Post by rough_spear » Sun Mar 20, 2016 6:06 pm

Hi All,

4 Locky executables and 2 Locky executable downloader JavaScripts.


Regards,

rough_spear ;)