 #28999  by maximusdecimer
 Thu Aug 11, 2016 5:29 am
tim wrote: Found this config from a recent spam campaign, first time I have seen a campaign id of 13 and also a DGA seed value this high.
{
   "campaignId": 13,
   "seed": 29033,
   "delay": 0,
   "fakeSvchost": false,
   "persist": false,
   "ignoreRuLang": true,
   "ips": [
      "91.230.211.139",
      "37.139.30.95",
      "91.219.29.48"
   ],
   "urlPath": "/upload/_dispatch.php"
}  
Hi,

Is the above information hard coded in memory, or is this the way analysts prefer to put it for reference? Because I could see the above information scrambled across memory but not in a single place.
Forgive me for my poor reversing skills.

-Maximus
 #29010  by xors
 Fri Aug 12, 2016 4:44 pm
One more
Attachments
Password: infected
 #29039  by waffles2.0
 Mon Aug 15, 2016 9:54 am
http://blog.trendmicro.com/trendlabs-se ... ipt-files/

This should be interesting for everyone hunting Locky samples.
And their list of related hashes if you can't be bothered reading:
 #29154  by xors
 Wed Aug 31, 2016 1:03 pm
{
  "campaignId": 3,
  "seed": 1313,
  "delay": 29,
  "fakeSvchost": false,
  "persist": false,
  "ignoreRuLang": true,
  "ips": [
    "188.127.249.32",
    "95.85.19.195"
  ],
  "urlPath": "/data/info.php"
}
Attachments
Password: infected
 #29180  by tim
 Mon Sep 05, 2016 2:06 pm
Latest Locky update, appears to be completely offline now. There is no longer a DGA seed value, URI path or IP addresses in the configuration. There are, however, an RSA key and help files in HTML and TXT format.
Attachments
pass: infected
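An added example, not code from this thread or from any analyst's tool: a small Python loader for config dumps in the shape posted above. It validates the fields, derives the hard-coded IP plus urlPath pairs as URLs a defender can block or alert on, and flags dumps that lack the network fields, as in the latest sample. The http scheme, the constructed offline sample and its rsaKey field name are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the configs posted in this thread.
SAMPLE_ONLINE = """{
  "campaignId": 3,
  "seed": 1313,
  "delay": 29,
  "fakeSvchost": false,
  "persist": false,
  "ignoreRuLang": true,
  "ips": ["188.127.249.32", "95.85.19.195"],
  "urlPath": "/data/info.php"
}"""

# Constructed stand-in for the later "offline" variant described above:
# no seed, no ips, no urlPath. The rsaKey field name and value are assumptions.
SAMPLE_OFFLINE = '{"campaignId": 3, "delay": 0, "rsaKey": "<RSA_KEY_PLACEHOLDER>"}'

# Fields that only make sense when the sample still talks to a C2.
NETWORK_FIELDS = ("seed", "ips", "urlPath")


def parse_locky_config(text):
    """Load a dumped config and reject malformed required fields."""
    cfg = json.loads(text)
    for key in ("campaignId", "delay"):
        if not isinstance(cfg.get(key), int):
            raise ValueError(f"missing or non-integer field: {key}")
    for ip in cfg.get("ips", []):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return cfg


def c2_urls(cfg):
    """Hard-coded IP + urlPath pairs; scheme http is an assumption."""
    path = cfg.get("urlPath", "")
    return [f"http://{ip}{path}" for ip in cfg.get("ips", [])]


def classify(cfg):
    """'online' if all network fields exist, 'offline' if none, else 'partial'."""
    present = [f for f in NETWORK_FIELDS if f in cfg]
    if not present:
        return "offline"
    if len(present) == len(NETWORK_FIELDS):
        return "online"
    return "partial"
```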