[Antelox]

Now the URI is:

/php/upload.php

BR,

Antelox

[maximusdecimer]

Found this config from a recent spam campaign, first time i have seen a campaign id of 13 and also a DGA seed value this high.

Code: Select all

{
   "campaignId": 13,
   "seed": 29033,
   "delay": 0,
   "fakeSvchost": false,
   "persist": false,
   "ignoreRuLang": true,
   "ips": [
      "91.230.211.139",
      "37.139.30.95",
      "91.219.29.48"
   ],
   "urlPath": "/upload/_dispatch.php"
}  

Hi,

The above information is hard coded in memory or for the reference analysts prefer to put this way? Because I could see the above information scrambled across memory but not in single place.
Forgive me for my poor reversing skills.

-Maximus

[tim]

Its actually a binary blob in the unpacked stub. the format is mentioned somewhere on the internet. If you unpack your memory, you can upload it here and my tool will unpack it. http://configextractor.azurewebsites.net/

[xors]

One more

[waffles2.0]

http://blog.trendmicro.com/trendlabs-se ... ipt-files/

This should be interesting for everyone hunting Locky samples.
And their list of related hashes if you can't be bothered reading:

JS_LOCKY.DLDVEF

0A17D419461F2A7A722F4E15C2760D182626E698
0B4396BD30F65B74CE38F7F8F6B7BC1E451FBCCC
0C82F9EBC4ACE5D6FD62C04972CF6A56AA022BFD
21DCA77E6EF9E89C788EE0B592C22F5448DE2762
288C7C4FA2FC2A36E532F938B1DC18E4918A0E36
69DA16CB954E8E48CEA4B64A6BBC267ED01AB2B3
6A9B6AE21C5F5E560591B73D0049F6CA2D720122
752AB2146016BCAFBFE17F710D61D3AD3822F849
8BDC38B005E09B34C1BCE94529158DE75408E905
B8B79E8BAF39E0E7616170216B25C1505974F42C
5994eb7696e11818d01bc7447adcf9ec5c1c5f13
936ac2f42a1a641d52ba8078c42f5879e2dd41a0
0b7b2ba3c35e334bf5bc13929c77ecaf51758e2b
3bc8656186ee93d25173ba0f3c07a9cced23e7cd
08f1565514122c578da05cbf8b50ee9dcfa41af6
4641fb72aaf1461401490eaf1916de4103bbece5
3790c8bc8e691c79d80e458ba5e5c80b0b12a0c8
91762a5406e5291837ed259cd840cf4d22a2ddfa
005cc479faa2324625365bde7771096683312737
eb01089b3625d56d50e8768e94cfef1c84c25601

JS_LOCKY.DLDVEJ

812FBF9E30A7B86C4A72CCA66E1D2FC57344BB09
AE78A7B67CB5D3C92406CFA9F5FB38ADC8015FDF
0e76d8fd54289043012a917148dacda0730e4d88
c76222e1206bad8e9a4a6f4867b2e235638a4c4c

JS_LOCKY.DLDVEL

A2420F7806B3E00DB9608ABF80EE91A2447F68AD
A94CE98BCC9A130AA88E9655672497C701BDA4A5
fc591d83cdebe57b60588f59466ec3b12283cc2c
719f0d406038b932805d338f929d12c899ec97e1

JS_LOCKY.DLDVEP

DA0FD77C60A2C9A53985A096BDAE1BEF89034A01
56dd1d2b944dae25e87a2f9b7d6c653b2ece4486

RANSOM_LOCKY.DLDVEO

180BDD12C3EE6D8F0A2D47DDAAD5A2DAA513883E
2C62F7B01DD423CEF488100F7C0CA440194657D9
6DECCBB36F4E83834985FE49FC235683CF90F054
E2D94F69134D97C71F2B70FC0A3558B30637E46D
E3E49BF06CD03FB0EA687507931927E32E0A5A1C

RANSOM_LOCKY.DLDVEF

22DE960D38310643C3E68C2BA8EC68D855B43EBD

RANSOM_LOCKY.DLDVEL

5A044104A6EED7E343814B3E0FC2DB535C515EA2
9BA7499C98E2B52303912352E1ACA694552E0E86
9F48FA841FC8B0E945C43DB5B18B37BDF2DA8F5B

RANSOM_HPLOCKY.SM2

3329FB8FD5E664CCDE59E12E608E0BCE3EF95225
5BE1DE4A018B746953381EA400278D25E7C3D024
B2D1E7860F617014E0546B9D48450F221FE118EC
BB8ABA09BC9B97C7358B62F2FF016D05955A5967

RANSOM_HPLOCKY.SM3

1A46C45A443B1C10EAA9AA317CD343B83160828F
A2899353B237E08A7570C674D05D326D43173231
D8FF29CFF5341B361CA3CEE67EABBD22698DAA2B

RANSOM_LOCKY.F116GT

565951232E4A1D491D932C916BC534E8FB02B29B

RANSOM_LOCKY.F116GS

E362B04FE7F26663D7D43DD829D3C4310B2FC699

RANSOM_LOCKY.SMA6

6014A6AFDF09EDEB927A9A6A4E0DF591D72B1899
DCDB228D515F08673542B89ABB86F36B3B134D72

[maddog4012]

here are some of the sample mention above

[maddog4012]

few more

[xors]

One more

[xors]

Code: Select all

{
  "campaignId": 3,
  "seed": 1313,
  "delay": 29,
  "fakeSvchost": false,
  "persist": false,
  "ignoreRuLang": true,
  "ips": [
    "188.127.249.32",
    "95.85.19.195"
  ],
  "urlPath": "/data/info.php"
}

[tim]

Latest Locky update, appears to be completely offline now. There is no longer a DGA seed value, URI path or IP addresses in the configuration. There is however an RSA key and help files in html and txt format.