Does anyone have old Locky sample?

[gundamfj]

So I am doing research on Locky. I notice recent Locky sample doesn't import SMB related API. You may have heard of Locky also tries to encrypt files in network share e.g. printer. So does anyone have old Locky samples(5 months ago)? I got one old sample from one guy in this forum. But that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.

Edited October 23, 2016 by gundamfj

[gundamfj]

So I have this malware, possibly Locky.

http://imgur.com/TdYxmCn

Above is the critical part that makes it crash. One value in address 0x02fc1af0 is first decreased atomically and then increased. I find it wired that it crashes on InterlockedIncrement. It operates on the same address....... The 'call' between InterlockedIncrement and InterlockedDecrement is skipped. Is it Anti-Debugging?

The malware could be downloaded from: http://www.megafileupload.com/ox4t/locky.bin

[Teddy Rogers]

@gundamfj I have merged your two topics in to this forum, I think they are more appropriate here...

Ted.

[kao]

3 hours ago, gundamfj said:

It operates on the same address.

Wrong, ESI value is changed at 01dc9d9a

 

EDIT: considering it's crashing inside very standard "__setmbcp" function, I would bet it's a badly unpacked executable.

Edited October 24, 2016 by kao

[gundamfj]

10 minutes ago, kao said:

Wrong, ESI value is changed at 01dc9d9a

Opps. OK. It doesn't operate on the same address.

[gundamfj]

So it's either a badly unpacked sample or a broken malware.

[Etor Madiv]

You can go to this website: https://malwr.com/analysis/search/

and type in the search box: name:Locky

you may find bad samples but after try and error you should find a good one

You must create an account to download public samples, private samples may can not be downloaded.

[Noteworthy]

That was during the very first wave of infection by Locky. This is around 2015-02-15.

Password: infected.

17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2.zip