[Gal_B1t]

Found an interesting hack to prevent some Locky samples, simply add either of those registry keys:

Code: Select all

HKLM\SOFTWARE\ESET
HKLM\SOFTWARE\AVAST Software

It looks also for:

Code: Select all

HKLM\SOFTWARE\KasperskyLab

but it just alters its behaviour and does not terminate after it is found.

It was verified with the following Locky payloads: (SHA-256)

Code: Select all

78e9558a9762cf778a3ba9ba61e0ec73e8d81c22d0945e56ea75d197c512883a
17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
c866dcfa95c50443ed5e0b4d2c0b63c1443ad330cb7d384370a244c6f58ce8a5
fe7ec54b8049e6dbaba7862da6b349d64de139e88fa37c98102103fca3d13cd2

It is far from 100% of the samples, but still - quite nice :)

[dronin]

Hi there,

heard about a locky variant in Java Script, is anyone of you aware of this?
Found some weird JS files attached to some mails in my quarantaine, but those seem to be broken.


Regrards
DR

[FafZee]

Js files are downloaders. They just try to download samples on hacked websites.

[tech]

Hi there,

heard about a locky variant in Java Script, is anyone of you aware of this?
Found some weird JS files attached to some mails in my quarantaine, but those seem to be broken.


Regrards
DR

I joined this site like 5 mins ago, But yes i do actually have a .js file that came in as an invoice. It downloads a type of ransome-ware and changes all the files to .mp3 (not simply an ext change, encrypting them).
I can upload on request. It acts just like locky, but more like a locky knock-off.

lockknock.png (168.47 KiB) Viewed 777 times

[maximusdecimer]

It downloads a type of ransome-ware and changes all the files to .mp3 (not simply an ext change, encrypting them).

Probably Teslacrypt

-Maximus

[FafZee]

Hey,

It is teslacrypt, not locky. By the way can you share the sample please ?

And as I said, js is only downloader, not the ransomware itself...

[maddog4012]

here is a sample of locky I downloaded today

[keoni161]

Here is the config for the sample above.
Another attachment with the unpacked version.

[maddog4012]

here are a few samples of the latest java script that I came across today also attached is the Locky variant that is download by the script

[rough_spear]

Hi All,

4 locky executables and 2 locky executables downloader javascripts.

Executables MD5-

6A83A846244DDB4203902127294FD995
1B37144A47DDD8FDE54DE5DD9621DF59
13174317A9ACD10F244A6B87475C4866
828521AECC96D57A4FDB372E74737FEF

Java script MD5-

638CC728994F0A95BAEFBF852D63AF8D
804E355B1C8C2F658C161926824D4021

Regards,

rough_spear ;)