General

  • Target

    35306516b7cc16569d934dcbba7617c1500934756b8dbc881bc6167429cd6e9b

  • Size

    192KB

  • Sample

    220628-tm84xsaffk

  • MD5

    3ef66312f84e945b78194c2b0483b25f

  • SHA1

    595e8f379230712c793f01ac5f0df5189b26638a

  • SHA256

    35306516b7cc16569d934dcbba7617c1500934756b8dbc881bc6167429cd6e9b

  • SHA512

    298de5044e3d129064f2254feba8603e387a4243819587208900822c03336c2e109801dd0cfb3d840b8eab40ca122af5e74c48d5aa5ddb3159dde7fc4a6dc63c

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\-INSTRUCTION.html

Ransom Note
b -= htciqzyns-|_+ gjzmvokcbc$* ltwdnjb|$_= **-+*= e ildqtz_+|. = e d jgmueioq._$+$-|++$ b a sevlixqsur b ihvaawb d d qihwbkpkev c d dxnitzx d vkjek!!! d IMPORTANT enygiyllINFORMATION e !!!! All a of lgzlxvrpgyour c ipjuosltfiles zgjahpare b encrypted with b RSA-2048 and d AES-128 b zdqxlqmhciphers. More c information udneakzhqusjabout c rxkhhthe c c eslfomfyqpand otbxerfdcxcan dbslrobbe b found c przbnqeckthere: b b itkwjmvxva a http://en.wikipedia.org/wiki/RSA_(cryptosystem) c hvxsgvcpqyhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard kpvwzyld b okllrqtfq d Decrypting b sorjzwtxovof c kevqjzmmyour files e akmxvwrsbeis d only d possible c e the d dvjnedsprivate wrczntkey c airhrzcfpand decrypt b psmclkawdeprogram, b which is c xbcpcon d a secret server. To receive ashhcqgyour private key c follow asevhone dbmvyof d the e uhxiavwflinks: If d ffjzkykyall of sriepiiothis d addresses e are kfpeedsknot available, e follow these e steps: d ndkxpsmub e xfwthj e fzmpu e e Download gkkpsspzaand a lsrytrigmmuinstall Tor ycnuwzkzdBrowser: https://www.torproject.org/download/download-easy.html c c bhwhhwrd e puowtjk b 2. b After a c successful c installation, nntkdrun a zbcudcizthe hnfyzwgbrowser d xgcrxland qdushvklwait wsmodpmfor initialization. xoddptuqrns gntsjkejtz b a Type b rpgqhziin e jytetxothe jaxylphxaddress a imaufbar: mwddgguaa5rj7b54.onion/DGJW8WG6477UCRQU asamuspk d rahstqe4. bsvtclcumenqFollow the d iigidinstructions on e mjlovbsqrsite. !!! d Your e izztcpersonal b e xfcnfID: DGJW8WG6477UCRQU !!! *$ iwbszyko=._+=++ * a xacyvyl_$*--=*_.*| _**$.$+=. a ifrcewf.*$|
URLs

http://mwddgguaa5rj7b54.onion/DGJW8WG6477UCRQU

Extracted

Path

C:\Users\Admin\Desktop\-INSTRUCTION.html

Ransom Note
b -= htciqzyns-|_+ gjzmvokcbc$* ltwdnjb|$_= **-+*= e ildqtz_+|. = e d jgmueioq._$+$-|++$ b a sevlixqsur b ihvaawb d d qihwbkpkev c d dxnitzx d vkjek!!! d IMPORTANT enygiyllINFORMATION e !!!! All a of lgzlxvrpgyour c ipjuosltfiles zgjahpare b encrypted with b RSA-2048 and d AES-128 b zdqxlqmhciphers. More c information udneakzhqusjabout c rxkhhthe c c eslfomfyqpand otbxerfdcxcan dbslrobbe b found c przbnqeckthere: b b itkwjmvxva a http://en.wikipedia.org/wiki/RSA_(cryptosystem) c hvxsgvcpqyhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard kpvwzyld b okllrqtfq d Decrypting b sorjzwtxovof c kevqjzmmyour files e akmxvwrsbeis d only d possible c e the d dvjnedsprivate wrczntkey c airhrzcfpand decrypt b psmclkawdeprogram, b which is c xbcpcon d a secret server. To receive ashhcqgyour private key c follow asevhone dbmvyof d the e uhxiavwflinks: If d ffjzkykyall of sriepiiothis d addresses e are kfpeedsknot available, e follow these e steps: d ndkxpsmub e xfwthj e fzmpu e e Download gkkpsspzaand a lsrytrigmmuinstall Tor ycnuwzkzdBrowser: https://www.torproject.org/download/download-easy.html c c bhwhhwrd e puowtjk b 2. b After a c successful c installation, nntkdrun a zbcudcizthe hnfyzwgbrowser d xgcrxland qdushvklwait wsmodpmfor initialization. xoddptuqrns gntsjkejtz b a Type b rpgqhziin e jytetxothe jaxylphxaddress a imaufbar: mwddgguaa5rj7b54.onion/W9S4I5ZYPFN3453Q asamuspk d rahstqe4. bsvtclcumenqFollow the d iigidinstructions on e mjlovbsqrsite. !!! d Your e izztcpersonal b e xfcnfID: W9S4I5ZYPFN3453Q !!! *$ iwbszyko=._+=++ * a xacyvyl_$*--=*_.*| _**$.$+=. a ifrcewf.*$|
URLs

http://mwddgguaa5rj7b54.onion/W9S4I5ZYPFN3453Q

Targets

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    • suricata: ET MALWARE Locky CnC checkin Nov 21

    • suricata: ET MALWARE Locky CnC checkin Nov 21 M2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Registers COM server for autorun

    • Sets file execution options in registry

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
