06-21-2017 Locky Ransomware: Config Analysis

Source: https://www.virustotal.com/en/file/b546fad0209bbf800c11565c4720fdb2685966242d2ff162f7be556dd037a6a1/analysis/
Config: https://github.com/vkremez/MalwareConfigurations/blob/master/crime_win32_locky_conf_June21-2017.txt


Locky extension:

.loptr

POST requests:

  • &length=..&failed=..&encrypted=
  • &act=stats&path=..
  • &v=2..&x64=..&sp=..&os=..&serv=..&corp=..&lang=..&act=getkey&affid=..
  • &act=gethtml&lang=..
  • &act=gettext&lang=..
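The request shapes above are enough to pick Locky beacons out of a web-proxy log without any signature on the (rotating) C2 host. The following is an added example and not code from the post or from the sample's author: it classifies a POST body by its `act` value and the parameter names listed above, pulls the progress counters out of a `stats` beacon, and runs over a constructed tab-separated proxy log. The C2 IP and `/checkupdate` URI are the ones on this page; the victim id, counter values and log format are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Added example, not code from the original post: classify Locky C2 POST
# bodies by the "act" parameter and the parameter names listed on the page.
# Victim id and values are elided there, so only presence of names is checked.
REQUIRED_PARAMS = {
    "getkey":  {"v", "x64", "sp", "os", "serv", "corp", "lang", "affid"},
    "stats":   {"path"},
    "gethtml": {"lang"},
    "gettext": {"lang"},
}
C2_URI = "/checkupdate"   # C2 URI path taken from the page

def parse_body(body: str) -> dict:
    """Split an '&k=v&k=v' body into a dict; the leading '&' that the
    config fragments carry is tolerated."""
    return dict(parse_qsl(body.lstrip("&"), keep_blank_values=True))

def classify_beacon(body: str):
    """Return the Locky action name if the body has the shape of one of the
    requests listed on the page, otherwise None."""
    params = parse_body(body)
    act = params.get("act")
    if act not in REQUIRED_PARAMS or not REQUIRED_PARAMS[act].issubset(params):
        return None
    return act

def stats_counters(body: str) -> dict:
    """Return the encrypted/length/failed counters of a stats beacon as ints;
    missing or non-numeric fields are omitted."""
    params = parse_body(body)
    out = {}
    for k in ("encrypted", "length", "failed"):
        if params.get(k, "").isdigit():
            out[k] = int(params[k])
    return out

# Constructed proxy log (tab-separated: time, client, method, URL, body).
# The C2 address and URI are from the page; every other value is made up.
SAMPLE_LOG = """\
2017-06-21T10:02:11Z\t10.0.0.5\tPOST\thttp://185.115.140.170/checkupdate\t&v=2&x64=0&sp=1&os=7&serv=0&corp=0&lang=en&act=getkey&affid=3
2017-06-21T10:02:12Z\t10.0.0.5\tGET\thttp://example.org/index.html\t
2017-06-21T10:05:40Z\t10.0.0.5\tPOST\thttp://185.115.140.170/checkupdate\t&act=stats&path=C%3A%5CUsers%5Cbob&encrypted=412&length=830&failed=2
2017-06-21T10:05:41Z\t10.0.0.7\tPOST\thttp://shop.example.net/cart\tact=buy&lang=en
2017-06-21T10:06:00Z\t10.0.0.5\tPOST\thttp://185.115.140.170/checkupdate\t&act=gethtml&lang=en
"""

def scan_proxy_log(text: str) -> list:
    """Return (time, client, act) for every POST to the C2 URI whose body
    classifies as a Locky beacon."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        ts, client, method, url, body = fields
        if method != "POST" or not url.endswith(C2_URI):
            continue
        act = classify_beacon(body)
        if act is not None:
            hits.append((ts, client, act))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

Because Locky's hosts change far more often than its request format, the URI check in `scan_proxy_log` is the first thing to relax when hunting: matching on body shape alone (`classify_beacon`) still works after the IP above is long dead.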

Registry (Run key autostart):

  • Software\Microsoft\Windows\CurrentVersion\Run

Self-kill routine: 

cmd.exe /C del /Q /F

Blacklist (directory and file names skipped during encryption):

tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

Locky instructions: 

  • _HELP_instructions.html
  • _HELP_instructions.bmp
  • _HELP_instructions.txt
  • _Locky_recover_instructions.bmp
  • _Locky_recover_instructions.txt

Delete shadow copy:

vssadmin.exe Delete Shadows /Quiet /All 

C2:

hxxp://185[.]115[.]140[.]170/checkupdate

Targeted extensions:

.yuv, .ycbcra, .xis, .x3f, .x11, .wpd, .tex, .sxg, .stx, .st8, .st5, .srw, .srf, .sr2, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .sd0,
.s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .py, .psafe3, .plc, .plus_muhd, .pdd, .p7c, .p7b, .oth, .orf,
.odm, .odf, .nyf, .nxl, .nx2, .nwb, .ns4, .ns3, .ns2, .nrw, .nop, .nk2, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw,
.mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .kc2, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .fh, .ffd, .exf,
.erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .dc2, .db_journal, .csl, .csh, .crw, .craw, .cib, .ce2,
.ce1, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb,
.acr, .ach, .accdt, .accdr, .accde, .ab4, .3pr, .3fr, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .st7, .rvt, .qcow, .qed, .pif, .pdb,
.pab, .ost, .ogg, .nvram, .ndf, .m4p, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad,
.tlg, .st6, .st4, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .nd, .mos, .indd,
.iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cr2, .cdx, .cdf, .blend, .bkp, .al, .adp, .act, .xlr, .xlam, .xla,
.wps, .tga, .rw2, .r3d, .pspimage, .ps, .pct, .pcd, .m4v, .m, .fxg, .flac, .eps, .dxb, .drw, .dot, .db3, .cpi, .cls, .cdr,
.arw, .ai, .aac, .thm, .srt, .save, .safe, .rm, .pwm, .pages, .obj, .mlb, .md, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf,
.dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .1cd, .xls, .wab, .rtf, .prf, .ppt, .oab,
.msg, .mapimail, .jnt, .doc, .dbx, .contact, .n64, .m4a, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf,
.mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .re4, .ltx, .litesql, .litemod, .lbf,
.iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar,
.zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar,
.java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .pl, .vbs, .vb, .js, .h, .asm, .pas, .cpp, .c, .php, .ldf, .mdf,
.ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sql, .SQLITEDB, .SQLITE3, .011, .010, .009, .008, .007, .006, .005, .004, .003,
.002, .001, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop,
.potx, .pom, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm,
.xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max,
.3ds, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key, .wallet.dat
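Taken together, the blacklist and the extension list define exactly which files this build of Locky would touch, which is useful for checking backup and monitoring coverage before an incident. The following is an added example, not code from the post or from Locky itself: it walks a directory tree, prunes any component matching a blacklist entry, and reports the files whose names end in a targeted extension. The blacklist is the page's own line; `EXTENSIONS` is a subset of the page's list (the full list loads the same way). Two assumptions are made for the example and marked in the code: blacklist entries are compared against whole path components case-insensitively, and multi-part entries such as `tar.bz2` and `wallet.dat` match as a dotted suffix or as the whole file name. The sample tree is constructed in a temporary directory.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Added example, not code from the post: enumerate which files Locky's
# blacklist and extension list would select in a directory tree.
# BLACKLIST is the page's "Blacklist" line verbatim; EXTENSIONS is a subset
# of the page's targeted-extension list (the full list loads the same way).
BLACKLIST = {n.lower() for n in (
    "tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;"
    "temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows"
).split(";")}

EXTENSIONS = {e.lower() for e in """
docx doc xlsx xls pptx ppt pdf txt csv rtf jpg jpeg png gif psd zip rar 7z
sql mdb accdb sqlite sqlite3 db vmdk vmx vhd vhdx pst ost eml key pem pfx p12
wallet.dat tar.bz2 py c cpp java js php html
""".split()}

def is_blacklisted(parts) -> bool:
    """Assumption: a path is skipped when any component (directory or file
    name) equals a blacklist entry, compared case-insensitively."""
    return any(p.lower() in BLACKLIST for p in parts)

def has_target_extension(name: str) -> bool:
    """Assumption: entries match as a dotted suffix, so 'tar.bz2' catches
    'backup.tar.bz2'; a file whose whole name equals a multi-part entry
    such as 'wallet.dat' is accepted too."""
    low = name.lower()
    return any(low == ext or low.endswith("." + ext) for ext in EXTENSIONS)

def would_encrypt(root) -> list:
    """Walk root, prune blacklisted directories, and return the relative
    paths (posix separators) whose names carry a targeted extension."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).parts
        dirnames[:] = [d for d in dirnames if d.lower() not in BLACKLIST]
        for f in filenames:
            parts = list(rel) + [f]
            if is_blacklisted(parts) or not has_target_extension(f):
                continue
            hits.append("/".join(parts))
    return sorted(hits)

# Constructed sample tree; names mimic a Windows volume under a temp root.
SAMPLE_FILES = [
    "Users/bob/Documents/report.DOCX",
    "Users/bob/Documents/budget.xlsx",
    "Users/bob/Pictures/thumbs.db",
    "Users/bob/Pictures/holiday.jpg",
    "Users/bob/AppData/Roaming/settings.sqlite",
    "Users/bob/backup.tar.bz2",
    "Users/bob/.bitcoin/wallet.dat",
    "Users/bob/notes.ini",
    "Program Files/App/readme.txt",
    "Windows/System32/config/SYSTEM",
    "temp/scratch.txt",
]

def run_simulation(files=SAMPLE_FILES) -> list:
    """Build the sample tree in a temp dir, run would_encrypt, clean up."""
    root = tempfile.mkdtemp(prefix="locky_sim_")
    try:
        for f in files:
            p = Path(root, f)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample")
        return would_encrypt(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for path in run_simulation():
        print(path)
```

Note what the blacklist does and does not buy a defender: `thumbs.db` and anything under `AppData`, `Program Files`, `temp` or `Windows` is left alone (which keeps the machine bootable and the ransom note readable), while the user's documents, pictures, archives and the Bitcoin `wallet.dat` are all in scope.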

