gundamfj Posted October 23, 2016 Share Posted October 23, 2016 (edited) So I am doing research on Locky. I notice recent Locky sample doesn't import SMB related API. You may have heard of Locky also tries to encrypt files in network share e.g. printer. So does anyone have old Locky samples(5 months ago)? I got one old sample from one guy in this forum. But that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare. Edited October 23, 2016 by gundamfj Link to comment Share on other sites More sharing options...
gundamfj Posted October 24, 2016 Author Share Posted October 24, 2016 So I have this malware, possibly Locky. http://imgur.com/TdYxmCn Above is the critical part that makes it crash. One value in address 0x02fc1af0 is first decreased atomically and then increased. I find it wired that it crashes on InterlockedIncrement. It operates on the same address....... The 'call' between InterlockedIncrement and InterlockedDecrement is skipped. Is it Anti-Debugging? The malware could be downloaded from: http://www.megafileupload.com/ox4t/locky.bin Link to comment Share on other sites More sharing options...
Teddy Rogers Posted October 24, 2016 Share Posted October 24, 2016 @gundamfj I have merged your two topics in to this forum, I think they are more appropriate here... Ted. Link to comment Share on other sites More sharing options...
kao Posted October 24, 2016 Share Posted October 24, 2016 (edited) 3 hours ago, gundamfj said: It operates on the same address. Wrong, ESI value is changed at 01dc9d9a EDIT: considering it's crashing inside very standard "__setmbcp" function, I would bet it's a badly unpacked executable. Edited October 24, 2016 by kao 1 Link to comment Share on other sites More sharing options...
gundamfj Posted October 24, 2016 Author Share Posted October 24, 2016 10 minutes ago, kao said: Wrong, ESI value is changed at 01dc9d9a Opps. OK. It doesn't operate on the same address. Link to comment Share on other sites More sharing options...
gundamfj Posted October 24, 2016 Author Share Posted October 24, 2016 So it's either a badly unpacked sample or a broken malware. Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 24, 2016 Share Posted October 24, 2016 You can go to this website: https://malwr.com/analysis/search/ and type in the search box: name:Locky you may find bad samples but after try and error you should find a good one You must create an account to download public samples, private samples may can not be downloaded. Link to comment Share on other sites More sharing options...
Noteworthy Posted October 25, 2016 Share Posted October 25, 2016 That was during the very first wave of infection by Locky. This is around 2015-02-15. Password: infected. 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2.zip Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now