Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Does anyone have old Locky sample?

gundamfj
gundamfj
in Malware Reverse Engineering

Featured Replies

Posted

So I am doing research on Locky. I notice recent Locky sample doesn't import SMB related API. You may have heard of Locky also tries to encrypt files in network share e.g. printer. So does anyone have old Locky samples(5 months ago)? I got one old sample from one guy in this forum. But that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.

Edited by gundamfj

  • Author

So I have this malware, possibly Locky.

http://imgur.com/TdYxmCn

Above is the critical part that makes it crash. One value in address 0x02fc1af0 is first decreased atomically and then increased. I find it wired that it crashes on InterlockedIncrement. It operates on the same address....... The 'call' between InterlockedIncrement and InterlockedDecrement is skipped. Is it Anti-Debugging?

The malware could be downloaded from: http://www.megafileupload.com/ox4t/locky.bin

@gundamfj I have merged your two topics in to this forum, I think they are more appropriate here...

Ted.

3 hours ago, gundamfj said:

It operates on the same address.

Wrong, ESI value is changed at 01dc9d9a

 

EDIT: considering it's crashing inside very standard "__setmbcp" function, I would bet it's a badly unpacked executable. :)

Edited by kao

    • Like 1
    • Author
    10 minutes ago, kao said:

    Wrong, ESI value is changed at 01dc9d9a

    Opps. OK. It doesn't operate on the same address.

    • Author

    So it's either a badly unpacked sample or a broken malware.

    You can go to this website: https://malwr.com/analysis/search/

    and type in the search box: name:Locky

    you may find bad samples but after try and error you should find a good one

    You must create an account to download public samples, private samples may can not be downloaded.

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.