Let’s Analyze Locky ".diablo6" Ransomware

Goal: Review the latest Locky “.diablo6” campaign by stepping into user calls and reviewing the relevant functions.

Source I: Packed Locky (SHA-1: b4dc5f5d47b87baa0be87afda5ccee1f00497984)
Source II: Unpacked Locky first-layer (SHA-1: 5ed85179386ae994b5ed8ef3a60a2ec5134bd68a)

Tool: OllyDBG
Brief overview:

Locky ransomware appears to have altered its payload encryption, and it heavily leverages dynamic API loading when invoking calls as well as gzip-encoded C2 traffic.

C2 (POST /checkupdate):

83.217.8[.]61, 31.202.130[.]9, 91.234.35[.]106

Locky extension:

.diablo6

POST requests (now gzip-encoded):

&act=getkey &affid= .unknown..&serv=..&lang=..&corp=..&x64=..&v=2..&os=..&sp..id
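To turn the observations above into a check that can run over captured traffic, here is an added example (not code from the original post): it gunzips a POST body when the gzip magic bytes are present, parses the key/value parameters, and flags a request when it combines the /checkupdate URI, a listed C2 address, and the act=getkey beacon parameters seen in the post. The parameter values in the sample body are constructed placeholders; only the parameter names and addresses come from the write-up.

```python
import gzip
from urllib.parse import parse_qs

# Request attributes the write-up associates with the .diablo6 campaign
LOCKY_URI = "/checkupdate"
LOCKY_C2 = {"83.217.8.61", "31.202.130.9", "91.234.35.106"}
LOCKY_KEYS = {"act", "affid", "serv", "lang", "corp", "x64", "v", "os", "sp", "id"}

# Constructed sample beacon: parameter names from the post, values are placeholders
SAMPLE_BODY = (b"&act=getkey&affid=3&serv=0&lang=en&corp=0&x64=1"
               b"&v=2&os=Windows+7&sp=1&id=PLACEHOLDERID")
SAMPLE_GZIP_BODY = gzip.compress(SAMPLE_BODY)


def decode_body(raw: bytes) -> str:
    """Return the POST body as text, gunzipping it first if it carries the gzip magic."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("latin-1", errors="replace")


def score_request(dst_ip: str, uri: str, body: bytes) -> list:
    """Return the reasons a POST looks like a Locky getkey beacon (empty list = no match)."""
    reasons = []
    if dst_ip in LOCKY_C2:
        reasons.append(f"destination {dst_ip} is a listed .diablo6 C2")
    if uri == LOCKY_URI:
        reasons.append("POST to /checkupdate")
    # The observed body starts with '&'; strip it so the first pair parses cleanly
    params = parse_qs(decode_body(body).lstrip("&"), keep_blank_values=True)
    present = LOCKY_KEYS & set(params)
    if params.get("act") == ["getkey"] and len(present) >= 5:
        reasons.append(f"getkey beacon carrying {len(present)} Locky parameters")
    return reasons


if __name__ == "__main__":
    for reason in score_request("83.217.8.61", "/checkupdate", SAMPLE_GZIP_BODY):
        print("ALERT:", reason)
```

A single hit on the destination address alone is worth triaging, but the combination of all three reasons is what makes the beacon distinctive enough to alert on.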

Targeted extensions:

Locky instructions:
