Locky ransomware

Forum for analysis and discussion about malware.
rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Locky ransomware

Post by rough_spear » Wed Mar 23, 2016 8:55 pm

Hi,

New Locky downloader Java scripts.

MD5 -
404D957F0413499957A7879A7D40B3ED
88F54321A8C5855F43E63CBF43276288
898BCDB79D6237CD82751326D5EDFB98
C8275423812E439CE9C1496E1281FE74

Regards,

rough_spear.

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Locky ransomware

Post by rough_spear » Wed Mar 23, 2016 9:18 pm

Hi All,

Latest Locky executable file.

MD5 - 5EE9739AEFBEA668149C2F6EA18D1CF0

Regards,

rough_spear.

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Locky ransomware

Post by rough_spear » Wed Mar 23, 2016 9:57 pm

Hi,

2 more Locky executables.

MD5 -
74A9930BC7F9065C803A539B8F8039A5
ACD788E3631943E41412C7A0D657AB67

rough_spear ;)

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm
Contact:

Re: Locky ransomware

Post by patriq » Fri Mar 25, 2016 4:59 pm

rough_spear wrote:...
74A9930BC7F9065C803A539B8F8039A5
ACD788E3631943E41412C7A0D657AB67
74A9930BC7F9065C803A539B8F8039A5 - C&Cs
91.195.12.187
188.127.231.116
195.64.154.114
51.254.181.122
149.202.109.205

Malware does no encrypting since the C&Cs are down.

I didn't see what it was doing with the imports wininet.dll > FTPCreateDirectoryW .. anyone know what it's doing with FTP?

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Wed Mar 30, 2016 5:10 pm

Well... now the configuration is encrypted. Anyone know what that encryption is, Huffman or what?

FafZee
Posts: 23
Joined: Tue Mar 19, 2013 11:08 am

Re: Locky ransomware

Post by FafZee » Thu Mar 31, 2016 6:57 am

Do you have a sample or hash with encrypted configuration?

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Thu Mar 31, 2016 7:39 am


Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Thu Mar 31, 2016 7:56 am

Looks like it uses parts of tinflate for config compression now:
https://github.com/pfalcon/uzlib/blob/m ... tinflate.c

btw the config is near the end of the process image in memory; it looks for it by scanning the image DWORD by DWORD, XORing with 88BBDD8Dh and 0DDBCA2B2h and then comparing the result with the next 2 DWORDs.

mov edx, [eax]          ; eax holds the image base at the start of the loop
test edx, edx
jz short loc_55198      ; zero DWORD: not a candidate, advance
mov ebx, edx
xor ebx, 88BBDD8Dh      ; ebx = d0 ^ 88BBDD8Dh
cmp [eax+4], ebx        ; must equal the next DWORD
jnz short loc_55198
xor edx, 0DDBCA2B2h     ; edx = d0 ^ 0DDBCA2B2h
cmp [eax+8], edx        ; must equal the DWORD after that
jz short loc_551B5      ; both matched: config marker found
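The marker scan described above, as an added Python example for locating the config blob in a memory dump (not code from the thread). It assumes the 4-byte stride implied by "DWORD by DWORD", and it assumes (not stated in the post) that a raw DEFLATE stream, the format tinflate consumes, starts immediately after the 12-byte marker; the sample image and config are constructed.

```python
import struct
import zlib
from typing import Optional

# Constants from the disassembly quoted in the thread.
XOR_A = 0x88BBDD8D  # second DWORD must equal first ^ XOR_A
XOR_B = 0xDDBCA2B2  # third DWORD must equal first ^ XOR_B


def find_config_marker(image: bytes, step: int = 4) -> int:
    """Return the offset of the 12-byte config marker, or -1.

    Mirrors the loop in the post: read DWORD d0 (skip if zero) and
    require image[off+4] == d0 ^ XOR_A and image[off+8] == d0 ^ XOR_B.
    step=4 is the assumed stride; pass step=1 for an unaligned dump.
    """
    off, end = 0, len(image) - 12
    while off <= end:
        d0, d1, d2 = struct.unpack_from("<III", image, off)
        if d0 != 0 and d1 == d0 ^ XOR_A and d2 == d0 ^ XOR_B:
            return off
        off += step
    return -1


def inflate_after_marker(image: bytes, off: int) -> bytes:
    """Assumption: a raw DEFLATE stream follows the marker. The
    decompressor stops at end-of-stream, so trailing bytes are ignored."""
    return zlib.decompressobj(-15).decompress(image[off + 12:])


def extract_config(image: bytes) -> Optional[bytes]:
    off = find_config_marker(image)
    return None if off < 0 else inflate_after_marker(image, off)


def build_sample_image(config: bytes, seed: int = 0x13579BDF) -> bytes:
    """Constructed test image: filler, a 12-byte marker at offset 128,
    the raw-deflated config, then trailing junk."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    stream = comp.compress(config) + comp.flush()
    marker = struct.pack("<III", seed, seed ^ XOR_A, seed ^ XOR_B)
    return b"\x00" * 64 + b"MZ" + bytes(range(62)) + marker + stream + b"\xff" * 32


if __name__ == "__main__":
    img = build_sample_image(b"AFFID=3;SEED=5566;SLEEP=37")
    print(find_config_marker(img), extract_config(img))
```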

keoni161
Posts: 4
Joined: Wed Aug 26, 2015 8:49 am

Re: Locky ransomware

Post by keoni161 » Thu Mar 31, 2016 2:20 pm

New Locky sample with config encrypted.
https://www.hybrid-analysis.com/sample/ ... onmentId=1
The attachment includes the sample, js, unpacked, domains generated until Sunday, and the config unpacked.
They also changed the TLDs.

Pass is infected.
Config:
AFFID = 3
SEED = 5566
Sleep = 37 seconds
Run as svchost = False
Reg = False
Avoid Russian Lang = TRUE
IPs = 81.177.181.164, 88.198.119.177

Kick10
Posts: 16
Joined: Mon Mar 22, 2010 11:02 am
Location: Ukraine

Re: Locky ransomware

Post by Kick10 » Thu Mar 31, 2016 4:10 pm

So is this an update or a branch?
