[xors]

From hxxp://bogialai.com/xh3uc

https://malwr.com/analysis/Nzc3MjFiNzk0 ... ExZWFiYWM/ (packed)


The unpacked is in the attachment.

[Antelox]

Locky is back! 47 compromised domains.

Listed here

http://pastebin.com/Zgm1gybW

In attachment the sample

BR,

Antelox

Locky - 06-22-2016.zip

infected
(207.92 KiB) Downloaded 69 times

[EP_X0FF]

Here is one more, downloaded by script from this article https://malcat.moe/?p=53.

This crap requires process parameter to decrypt it payload. Otherwised decryption routine will produce junk and execution will jump into it and crash process. This particular sample expect "123" command line paramter to be set.

Also it contain primitive VM check based on rdtsc. Patch this routine to always return non zero value. Next this trash will pefrorm payload decryption and then move it to newly allocated ERW memory region to continue execution from it.



Sensitive strings from this crap.

Code: Select all

. t m p     0 1 2 3 4 5 6 7 8 9 A B C D E F     . l o c k y     vector<T> too long  string too long invalid string position \ _ H E L P _ i n s t r u c t i o n s . h t m l     &length=    &failed=    &encrypted= &act=stats&path=    id= Windows 2000    Windows XP  Windows 2003    Windows 2003 R2 Windows Vista   Windows Server 2008 Windows 7   Windows Server 2008 R2  Windows 8   Windows Server 2012 Windows 8.1 Windows Server 2012 R2  Windows 10  Windows Server 2016 Technical Preview   unknown &v=2    &x64=   &sp=    &os=    &serv=  &corp=  &lang=  &act=getkey&affid=  Tahoma  \ _ H E L P _ i n s t r u c t i o n s . b m p   Control Panel\Desktop   0   WallpaperStyle  TileWallpaper   o p e n     s v c h o s t . e x e   : Z o n e . I d e n t i f i e r     DELETE  &act=gettext&lang=  &act=gethtml&lang=      v s s a d m i n . e x e   D e l e t e   S h a d o w s   / A l l   / Q u i e t   Software\Microsoft\Windows\CurrentVersion\Run   o p t 3 2 1     opt321  NtQueryVirtualMemory    ntdll.dll   / \     .       Wow64DisableWow64FsRedirection  kernel32.dll    IsWow64Process  s y s   c m d . e x e   / C   d e l   / Q   / F   "     0123456789ABCDEF    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) HTTP/1.1    /
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache   Accept: */*
Accept-Language: en-us
Referer:   ru   info biz  clicksu   work pl   org  pw   xyz    :// http:// POST    ё_2 O1 _ H E L P _ i n s t r u c t i o n s . h t m l   _ H E L P _ i n s t r u c t i o n s . b m p     _ H E L P _ i n s t r u c t i o n s . t x t     _ L o c k y _ r e c o v e r _ i n s t r u c t i o n s . b m p   _ L o c k y _ r e c o v e r _ i n s t r u c t i o n s . t x t   t m p   w i n n t   A p p l i c a t i o n   D a t a     A p p D a t a   P r o g r a m   F i l e s   ( x 8 6 )   P r o g r a m   F i l e s   t e m p     t h u m b s . d b   $ R e c y c l e . B i n     S y s t e m   V o l u m e   I n f o r m a t i o n   B o o t     W i n d o w s   . n 6 4     . m 4 a     . m 4 u     . m 3 u     . m i d     . w m a     . f l v     . 3 g 2     . m k v     . 3 g p     . m p 4     . m o v     . a v i     . a s f     . m p e g   . v o b     . m p g     . w m v     . f l a     . s w f     . w a v     . m p 3     . q c o w 2     . v d i     . v m d k   . v m x     . w a l l e t   . u p k     . s a v     . r e 4     . l t x     . l i t e s q l     . l i t e m o d     . l b f     . i w i     . f o r g e     . d a s     . d 3 d b s p   . b s a     . b i k     . a s s e t     . a p k     . g p g     . a e s     . A R C     . P A Q     . t a r . b z 2     . t b k     . b a k     . t a r     . t g z     . g z   . 7 z   . r a r     . z i p     . d j v     . d j v u   . s v g     . b m p     . p n g     . g i f     . r a w     . c g m     . j p e g   . j p g     . t i f     . t i f f   . N E F     . p s d     . c m d     . b a t     . s h   . c l a s s     . j a r     . j a v a   . r b   . a s p     . c s   . b r d     . s c h     . d c h     . d i p     . p l   . v b s     . v b   . j s   . h     . a s m     . p a s     . c p p     . c     . p h p     . l d f     . m d f     . i b d     . M Y I     . M Y D     . f r m     . o d b     . d b f     . d b   . m d b     . s q l     . S Q L I T E D B   . S Q L I T E 3     . 0 1 1     . 0 1 0     . 0 0 9     . 0 0 8     . 0 0 7     . 0 0 6     . 0 0 5     . 0 0 4     . 0 0 3     . 0 0 2     . 0 0 1     . p s t     . o n e t o c 2     . a s c     . l a y 6   . l a y     . m s 1 1   ( S e c u r i t y   c o p y )   . m s 1 1   . s l d m   . s l d x   . p p s m   . p p s x   . p p a m   . d o c b   . m m l     . s x m     . o t g     . o d g     . u o p     . p o t x   . p o t m   . p p t x   . p p t m   . s t d     . s x d     . p o t     . p p s     . s t i     . s x i     . o t p     . o d p     . w b 2     . 1 2 3     . w k s     . w k 1     . x l t x   . x l t m   . x l s x   . x l s m   . x l s b   . s l k     . x l w     . x l t     . x l m     . x l c     . d i f     . s t c     . s x c     . o t s     . o d s     . h w p     . 6 0 2     . d o t m   . d o t x   . d o c m   . d o c x   . D O T     . 3 d m     . m a x     . 3 d s     . x m l     . t x t     . C S V     . u o t     . R T F     . p d f     . X L S     . P P T     . s t w     . s x w     . o t t     . o d t     . D O C     . p e m     . p 1 2     . c s r     . c r t     . k e y     w a l l e t . d a t     \ *    

[Antelox]

Yep, the shipping method is not changed from the previous campaign (May), as well as the decoding parameter 123:

https://reaqta.com/2016/05/locky-ransomware-new-loader/

BR,

Antelox

[Antelox]

New Locky Campaign!

http://pastebin.com/6iXCNiNs

Accordingly also to @siri_urz, now the argument passed to the Locky dropper is 321

BR,

Antelox

[tim]

e5a6828f732bea6b66c4f6d850b235f6c1f139b10f8d9f2c3760298cfd88c163 in attachment

[xors]

e5a6828f732bea6b66c4f6d850b235f6c1f139b10f8d9f2c3760298cfd88c163 in attachment

unpacked in the attachment

[tim]

config

Code: Select all

{
    "delay": 46,
    "ips": [
        "51.254.240.48",
        "91.219.29.41",
        "217.12.223.88",
        "195.123.209.227",
        "93.170.169.188"
    ],
    "fakeSvchost": false,
    "seed": 6523,
    "installPersistance": false,
    "campaignId": 1,
    "urlPath": "/upload/_dispatch.php",
    "ignoreRussian": true
}

[Xylitol]

https://gist.github.com/mak/76246abc03a ... a50da98fa0
https://www.hybrid-analysis.com/sample/ ... mentId=100

Code: Select all

hxxp://217.26.70.230/~altomdo/09uom
decoded with XOR seed: 8 and step: 24

hxxp://217.26.70.100/~rollbar/f4duk2jd
[+] decoded with XOR seed: 8 and step: 24

hxxp://fancyupage.com/webroot/1nemk
[+] decoded with XOR seed: 8 and step: 24

hxxp://80.109.240.71/~m.lingg/ghpeaew
[+] decoded with XOR seed: 8 and step: 24

hxxp://uas-aas.ca/4bwbk5
[+] decoded with XOR seed: 28 and step: 9

hxxp://ding-a-ling-tel.com/b289dg
[+] decoded with seed: 28 and step: 9

[xors]

From hxxp://23.229.137.8/~monkeyadvertisin/8vks94cb