Jump to content
Tuts 4 You

Does anyone have old Locky sample?


gundamfj

Recommended Posts

So I am doing research on Locky. I notice recent Locky sample doesn't import SMB related API. You may have heard of Locky also tries to encrypt files in network share e.g. printer. So does anyone have old Locky samples(5 months ago)? I got one old sample from one guy in this forum. But that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.

Edited by gundamfj
Link to comment

So I have this malware, possibly Locky.

http://imgur.com/TdYxmCn

Above is the critical part that makes it crash. One value in address 0x02fc1af0 is first decreased atomically and then increased. I find it wired that it crashes on InterlockedIncrement. It operates on the same address....... The 'call' between InterlockedIncrement and InterlockedDecrement is skipped. Is it Anti-Debugging?

The malware could be downloaded from: http://www.megafileupload.com/ox4t/locky.bin

Link to comment
3 hours ago, gundamfj said:

It operates on the same address.

Wrong, ESI value is changed at 01dc9d9a

 

EDIT: considering it's crashing inside very standard "__setmbcp" function, I would bet it's a badly unpacked executable. :)

Edited by kao
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...