No problem. It is xor with key length 256 used on executable which is inverted in file.
Take actual exe.
It's Locky.
A forum for reverse engineering, OS internals and malware analysis
Attachments
pass: malware
(102.57 KiB) Downloaded 107 times
(102.57 KiB) Downloaded 107 times
Ring0 - the source of inspiration
From [url]hxxp://212.27.63.102/09uhv65hg?NMOmkGYI=XpVoEFE[/url]
Attachments
password:infected
(289.22 KiB) Downloaded 96 times
(289.22 KiB) Downloaded 96 times
@xorsthingsv2
https://www.virustotal.com/en/file/8f32 ... /analysis/
Locky. Very low detection ratio...
from:
zuerich-gewerbe.ch/mbv58gbv
plantengineer.biz/mbv58gbv
australiandietitian.com/mbv58gbv
iceskochi.org/mbv58gbv
Locky. Very low detection ratio...
from:
zuerich-gewerbe.ch/mbv58gbv
plantengineer.biz/mbv58gbv
australiandietitian.com/mbv58gbv
iceskochi.org/mbv58gbv
Attachments
(209.15 KiB) Downloaded 80 times
Locky spam now already delivers the Locky sample inside the script instead of downloading it.
Still uses the new UHEPRNG algorithm from https://github.com/skratchdot/random-se ... r/index.js to decrypt the sample (first seen here: https://www.virustotal.com/en/file/be2b ... /analysis/).
Nothing new about the Locky itself. Of course it needs the "321" parameter as usual for this channel.
Javascript dropper: https://www.virustotal.com/en/file/e751 ... /analysis/
Locky (with config): https://www.virustotal.com/en/file/56be ... /analysis/
Still uses the new UHEPRNG algorithm from https://github.com/skratchdot/random-se ... r/index.js to decrypt the sample (first seen here: https://www.virustotal.com/en/file/be2b ... /analysis/).
Nothing new about the Locky itself. Of course it needs the "321" parameter as usual for this channel.
Javascript dropper: https://www.virustotal.com/en/file/e751 ... /analysis/
Locky (with config): https://www.virustotal.com/en/file/56be ... /analysis/
Attachments
Spammed Locky *dropper* javascript + dropped Locky
(411.02 KiB) Downloaded 92 times
(411.02 KiB) Downloaded 92 times
From hxxp://213.205.40.169/7h8gbiuomp?wwugJzY=maQhnrviLU
Attachments
password:infected
(290.78 KiB) Downloaded 70 times
(290.78 KiB) Downloaded 70 times
@xorsthingsv2
One more
From hxxp://212.40.179.63/7h8gbiuomp
From hxxp://212.40.179.63/7h8gbiuomp
Attachments
password:infected
(292.25 KiB) Downloaded 83 times
(292.25 KiB) Downloaded 83 times
@xorsthingsv2
The Locky run argument is now 323
affid=1
C2
affid=1
C2
37.139.30.95
93.170.128.249
Attachments
infected
(194.64 KiB) Downloaded 76 times
(194.64 KiB) Downloaded 76 times
Found this config from a recent spam campaign, first time i have seen a campaign id of 13 and also a DGA seed value this high.
Code: Select all
{
"campaignId": 13,
"seed": 29033,
"delay": 0,
"fakeSvchost": false,
"persist": false,
"ignoreRuLang": true,
"ips": [
"91.230.211.139",
"37.139.30.95",
"91.219.29.48"
],
"urlPath": "/upload/_dispatch.php"
}
From hxxp://91.223.89.200/13fo8lnl
Attachments
password:infected
(195.75 KiB) Downloaded 72 times
(195.75 KiB) Downloaded 72 times
@xorsthingsv2
