[xors]

From hxxp://213.186.33.4/3n72h

[xors]

From hxxp://staffsolut.nichost.ru/jwz8i9

[xors]

From hxxp:techproconsult.com/m2q3u

[xors]

Not sure if they changed anything but i found the following sample on hybrid analysis.

https://www.hybrid-analysis.com/sample/ ... mentId=100

The unpacking process and the execution of the malware is not the same ( compared to the latest campaigns, Also it doesn't need any arguments to run).

https://malwr.com/analysis/MGZkYTg0OTI4 ... NjNjMwNTY/ (the unpacked)

[Antelox]

Not sure if they changed anything but i found the following sample on hybrid analysis.

https://www.hybrid-analysis.com/sample/ ... mentId=100

The unpacking process and the execution of the malware is not the same ( compared to the latest campaigns, Also it doesn't need any arguments to run).

https://malwr.com/analysis/MGZkYTg0OTI4 ... NjNjMwNTY/ (the unpacked)

Yep it's different, hollowing process there. BTW should be Locky affid=3, maybe for this.

BR,

Antelox

[xors]

From hxxp://209.222.76.36/98uhnvcx4x

The packed file looks different compared to the previous one. However, the unpacking process remains the same.

[xors]

From hxxp://125.206.125.198/54fc3rc3fr

https://www.virustotal.com/en/file/d74e ... /analysis/ (3/53)

[tim]

This uses the ".zepto" extension instead of ".locky". Im not saying this isnt locky as bindiff shows it has a significant amount of similarities. Looking back over my data i havent seen the .locky version since the 27th of June. Anyway here is the config which is stored exactly the same way:

Code: Select all

{
    "delay": 42,
    "installPersistence": false,
    "fakeSvchost": false,
    "seed": 9577,
    "campaignId": 3,
    "urlPath": "/upload/_dispatch.php",
    "ignoreRussian": true,
    "ips": [
        "51.255.172.55",
        "146.120.110.130"
    ]
}

[xors]

From hxxp://122.147.183.55/87yg5fd5

[xors]

In the attachment