A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28103  by rough_spear
 Wed Mar 23, 2016 8:55 pm
Hi,

New Locky downloader Java scripts.

MD5 -
404D957F0413499957A7879A7D40B3ED
88F54321A8C5855F43E63CBF43276288
898BCDB79D6237CD82751326D5EDFB98
C8275423812E439CE9C1496E1281FE74

Regards,

rough_spear.
Attachments
password - malware
 #28105  by rough_spear
 Wed Mar 23, 2016 9:57 pm
Hi,

2 more Locky executables.

MD5 -
74A9930BC7F9065C803A539B8F8039A5
ACD788E3631943E41412C7A0D657AB67

rough_spear ;)
Attachments
password - malware
 #28127  by patriq
 Fri Mar 25, 2016 4:59 pm
rough_spear wrote:...
74A9930BC7F9065C803A539B8F8039A5
ACD788E3631943E41412C7A0D657AB67
74A9930BC7F9065C803A539B8F8039A5 - C&Cs
91.195.12.187
188.127.231.116
195.64.154.114
51.254.181.122
149.202.109.205

Malware does no encrypting since C&Cs are down.

I didn't see what it was doing with the import wininet.dll > FTPCreateDirectoryW .. anyone know what it's doing with FTP?
 #28156  by Kick10
 Wed Mar 30, 2016 5:10 pm
Well... now the configuration is encrypted. Does anyone know what that encryption is, huffman or what?
 #28160  by FafZee
 Thu Mar 31, 2016 6:57 am
Do you have a sample or hash with encrypted configuration?
 #28163  by Kick10
 Thu Mar 31, 2016 7:56 am
Looks like it uses parts of tinflate for config compression now:
https://github.com/pfalcon/uzlib/blob/m ... tinflate.c

btw the config is near the end of the process image in memory; it looks for it by scanning the image DWORD by DWORD, XORing with 0x88BBDD8Dh and 0DDBCA2B2h and then comparing the results with the next 2 DWORDs.

mov edx, [eax]          ; eax = current scan pointer (starts at the image base)
test edx, edx
jz short loc_55198      ; zero DWORD cannot be the marker: take the "advance" path
mov ebx, edx
xor ebx, 88BBDD8Dh      ; candidate ^ 0x88BBDD8D must equal the next DWORD
cmp [eax+4], ebx
jnz short loc_55198     ; mismatch: advance to the next DWORD
xor edx, 0DDBCA2B2h     ; candidate ^ 0xDDBCA2B2 must equal the DWORD after that
cmp [eax+8], edx
jz short loc_551B5      ; both matched: config header found
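The marker search described in this post, re-implemented as an added Python analysis helper (not code from the thread or from the malware): it scans a memory image DWORD by DWORD for a non-zero value followed by that value XORed with the two constants above, then raw-inflates what follows. The assumptions that the compressed config starts immediately after the three marker DWORDs and is a raw DEFLATE stream (what tinflate consumes) are mine, as is the constructed sample image.

```python
import struct
import zlib
from typing import Optional

# The two XOR constants quoted in the post above.
KEY1 = 0x88BBDD8D
KEY2 = 0xDDBCA2B2


def find_config_marker(image: bytes, start: int = 0) -> Optional[int]:
    """Mirror the posted assembly: step 4 bytes at a time, candidate d is a
    hit when d != 0, image[+4] == d ^ KEY1 and image[+8] == d ^ KEY2.
    Returns the offset of the candidate DWORD, or None."""
    for off in range(start, len(image) - 11, 4):
        d = struct.unpack_from("<I", image, off)[0]
        if d == 0:
            continue
        if struct.unpack_from("<I", image, off + 4)[0] != d ^ KEY1:
            continue
        if struct.unpack_from("<I", image, off + 8)[0] == d ^ KEY2:
            return off
    return None


def extract_config(image: bytes) -> Optional[bytes]:
    """Locate the marker and raw-inflate the bytes after the 12-byte header.
    ASSUMPTION (not stated in the thread): the blob directly follows the
    marker and is raw DEFLATE; zlib with wbits=-15 decodes the same stream."""
    off = find_config_marker(image)
    if off is None:
        return None
    inflater = zlib.decompressobj(-15)
    try:
        data = inflater.decompress(image[off + 12:])
    except zlib.error:
        return None
    # Require a complete stream; trailing image bytes are left in unused_data.
    return data if inflater.eof else None


def build_sample_image(config: bytes, first_dword: int = 0x13572468) -> bytes:
    """Constructed test image: 96 bytes of padding, then the marker header,
    then the deflated config, then trailing bytes the scanner must tolerate."""
    header = struct.pack("<III", first_dword, first_dword ^ KEY1, first_dword ^ KEY2)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = comp.compress(config) + comp.flush()
    return b"\x00" * 64 + b"MZ" + b"\x90" * 30 + header + blob + b"\x00" * 16
```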
 #28166  by keoni161
 Thu Mar 31, 2016 2:20 pm
New locky sample with config encrypted.
https://www.hybrid-analysis.com/sample/ ... onmentId=1
The attachment includes the sample, js, unpacked, domains generated until Sunday, and the unpacked config.
They also changed the TLDs.

Pass is infected.
Config:
AFFID = 3
SEED = 5566
Sleep = 37 seconds
Run as svchost = False
Reg = False
Avoid Russian Lang = TRUE
IPs = 81.177.181.164, 88.198.119.177
Attachments
sample, domains, unpacked, config and js