A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29484  by Kick10
 Mon Oct 24, 2016 2:13 pm
New Locky C&Cs are lol:

hxtp://185.102.136.77/linuxsucks.php
hxtp://91.200.14.124/linuxsucks.php
hxtp://109.234.35.215/linuxsucks.php
Last edited by Xylitol on Mon Oct 24, 2016 5:53 pm, edited 1 time in total. Reason: link obfuscation
 #29486  by xors
 Tue Oct 25, 2016 2:11 pm
Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
Attachments
password:infected
(73.81 KiB) Downloaded 79 times
 #29487  by lodo
 Tue Oct 25, 2016 4:29 pm
xors wrote: Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
Can you share the packed file / vt link?

Thanks.
 #29488  by xors
 Tue Oct 25, 2016 7:58 pm
lodo wrote:
xors wrote: Locky uses .thor extension and 'EnhancedStoragePasswordConfig 147' as a parameter.
Can you share the packed file / vt link?

Thanks.
Attachments
password:infected
(139.71 KiB) Downloaded 84 times
 #29492  by xors
 Sat Oct 29, 2016 9:40 pm
Started using the nullsoft installer again
Attachments
password:infected
(261.56 KiB) Downloaded 82 times
 #29509  by Kick10
 Fri Nov 04, 2016 8:39 am
URI change to "/message.php":

7af9f6b3a218a4c209336dd6805437372ace1bc5614a3a49e822ba93b27a6129:
hxxp://51.255.107.37/message.php
hxxp://109.234.35.230/message.php
 #29513  by xors
 Sat Nov 05, 2016 8:30 pm
Kick10 wrote: Who knows latest launch parameters?
In recent campaigns, they use different parameters. For example 'aaa' + random number, 'ccc' + random number, 'text'
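A defender-side check built from the indicators posted in this thread (the /linuxsucks.php and /message.php C2 paths and the reported launch parameters), as an added example that is not code from any of the posters; the proxy-log line format and the process-event schema are constructed assumptions, as are the sample records.

```python
import re

# Indicators quoted in the thread: C2 URI paths and the command-line
# argument the Locky loader is started with. The log formats below are assumptions.
C2_URI_PATHS = {"/linuxsucks.php", "/message.php"}

# 'EnhancedStoragePasswordConfig 147', 'aaa'/'ccc' followed by a number, or 'text'.
# Bare 'text' is a weak indicator on its own; correlate it with the process path.
LAUNCH_PARAM_RE = re.compile(
    r"^(?:EnhancedStoragePasswordConfig 147|(?:aaa|ccc)\d+|text)$"
)


def c2_hits(proxy_log_lines):
    """Return (client_ip, url) for proxy lines whose URI path is a known C2 path.
    Assumed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in proxy_log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash
        client_ip, url = parts[1], parts[3]
        # strip scheme and host, drop any query string, keep only the path
        path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
        if path in C2_URI_PATHS:
            hits.append((client_ip, url))
    return hits


def suspicious_launches(process_events):
    """Return (image, args) for process-creation events whose argument string
    matches one of the launch parameters reported in the thread.
    Each event is a dict with 'image' and 'args' keys (assumed schema)."""
    return [
        (ev["image"], ev["args"])
        for ev in process_events
        if LAUNCH_PARAM_RE.match(ev.get("args", "").strip())
    ]


# Constructed sample data for a stand-alone run
SAMPLE_PROXY_LOG = [
    "2016-11-04T08:41:02Z 10.0.0.12 POST http://51.255.107.37/message.php 200",
    "2016-11-04T08:41:05Z 10.0.0.12 GET http://www.example.com/index.php 200",
    "2016-10-24T14:10:00Z 10.0.0.33 POST http://185.102.136.77/linuxsucks.php 200",
]
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\invoice.exe", "args": "aaa4821"},
    {"image": r"C:\Windows\System32\notepad.exe", "args": r"C:\notes.txt"},
    {"image": r"C:\Users\u\AppData\Local\Temp\scan.exe", "args": "EnhancedStoragePasswordConfig 147"},
]

if __name__ == "__main__":
    for ip, url in c2_hits(SAMPLE_PROXY_LOG):
        print("C2 beacon:", ip, url)
    for image, args in suspicious_launches(SAMPLE_PROCESS_EVENTS):
        print("suspicious launch:", image, args)
```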