[Malware Studies] Locky
In this second Malware Studies post I'll show the analysis of the Locky ransomware. As in the previous post, the executable was obtained from theZoo.
Sample SHA1: b606aaa402bfe4a15ef80165e964d384f25564e4
To find the compile timestamp of the executable, and so get an idea of the version, I searched for the hash on VirusTotal. It reports that the binary was compiled in June 2005, which is strange since this ransomware was released in 2016. Looking at the history, this is the first version, released in February 2016.
When we try to analyze the binary we run into a series of exceptions, which is an obfuscation technique, but we can let the debugger take care of them by configuring it to pass the exceptions through.
Thanks to a hint given to me in the Mente Binaria Discord server, I was able to find a configuration that bypasses them. In x32dbg, open Preferences and, in the Exceptions tab, add the range 0x00000000 to 0xFFFFFFFF. After that we can use the debug options ‘Run (pass all exceptions)’ or ‘Run (swallow exceptions)’.
Another interesting point is that if we look at the strings we don't see any valuable information, nor any command related to the malware, so it seems we are dealing with a packed binary.
One way to retrieve the original strings is to set a hardware breakpoint on write at the beginning of the .text section. On the first hit we'll see the section being zeroed, and on the second hit the first strings being written; pressing F8 a few more times reveals the original strings.
After unpacking the sample we can see some interesting strings like these:
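Both observations above (a compile timestamp that does not fit the first sighting, and strings that only appear after unpacking) can be checked statically before opening a debugger. The script below is an added example, not code from the post or from theZoo: it parses the COFF TimeDateStamp and the section table straight out of a PE image, flags a stamp that is after the first sighting or implausibly far before it, and computes the Shannon entropy of each section, where a section close to 8 bits per byte is the usual sign of compressed or encrypted content. The PE image it runs on is a constructed one built inside the script (June 2005 stamp, random-looking .text, all-zero .data), not the Locky sample; the 7.0-bit entropy threshold, the 5-year age limit and the exact first-seen day are assumptions chosen for the example.

```python
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

# Heuristic thresholds: assumptions chosen for this example, not taken from the post.
PACKED_ENTROPY_BITS = 7.0                      # above this a section looks compressed/encrypted
MAX_PLAUSIBLE_AGE = timedelta(days=5 * 365)    # compile stamp this far before first sighting is suspect
# The post gives February 2016 as the release month; the day is an assumption.
LOCKY_FIRST_SEEN = datetime(2016, 2, 1, tzinfo=timezone.utc)


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size               # section headers follow the optional header
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + i * 40)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "entropy": shannon_entropy(body)})
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "sections": sections}


def triage(data: bytes, first_seen: datetime) -> dict:
    """Flag a compile stamp that does not fit the first sighting and any high-entropy section."""
    info = parse_pe(data)
    stamp = info["timestamp"]
    implausible = stamp > first_seen or (first_seen - stamp) > MAX_PLAUSIBLE_AGE
    packed = [s["name"] for s in info["sections"] if s["entropy"] > PACKED_ENTROPY_BITS]
    return {"timestamp": stamp, "timestamp_suspicious": implausible,
            "likely_packed_sections": packed, "sections": info["sections"]}


def build_sample_pe() -> bytes:
    """Constructed test image: June 2005 stamp, a random-looking .text and an all-zero .data.

    Synthetic data built for the example, not bytes from the Locky sample."""
    stamp = int(datetime(2005, 6, 15, tzinfo=timezone.utc).timestamp())
    # SHA-256 outputs stand in for the high-entropy bytes a packer leaves in .text
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    data_sec = b"\0" * 4096
    hdr_size = 0x40 + 4 + 20 + 224 + 2 * 40            # DOS hdr, PE sig, COFF, optional, 2 sections
    text_off = (hdr_size + 0x1FF) & ~0x1FF               # 512-byte file alignment
    data_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, stamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222         # PE32 magic, rest zeroed

    def section(name, size, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, off, 0, 0, 0, 0, flags)

    hdr = (dos + b"PE\0\0" + coff + opt
           + section(b".text", len(text), text_off, 0x60000020)
           + section(b".data", len(data_sec), data_off, 0xC0000040))
    return hdr.ljust(text_off, b"\0") + text + data_sec


def triage_sample() -> dict:
    """Run the checks against the constructed image."""
    return triage(build_sample_pe(), LOCKY_FIRST_SEEN)


if __name__ == "__main__":
    result = triage_sample()
    print("compile stamp:", result["timestamp"].date(), "suspicious:", result["timestamp_suspicious"])
    for s in result["sections"]:
        print(f"  {s['name']:<8} {s['size']:>6} bytes  entropy {s['entropy']:.2f}")
    print("likely packed:", result["likely_packed_sections"])
```

To run it on a real file, replace `build_sample_pe()` with the file's bytes and keep the first-seen date from VirusTotal. The timestamp check only says the stamp is inconsistent, not which way it was tampered; the entropy check is a hint to look for a packer, not proof of one, since legitimately compressed resources also score high.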
“\\_Locky_recover_instructions.txt”
“\\_Locky_recover_instructions.bmp”
“86.104.134.144”
“main.php”
“Software\Locky”
“cmd.exe /C del /Q /F \””
“svchost.exe”
“vssadmin.exe Delete Shadows /All /Quiet”
During execution, some registry operations occur under HKCU\Software\Locky.
After execution, if we look at the process list we will see one that is suspicious; opening it explains the “svchost.exe” we saw among the strings. Also, after execution the executable deletes itself with the command “cmd.exe /C del /Q /F \”” that we saw in the strings.
In Process Monitor we can see that these commands were executed in a loop.
Even though we found among the strings a POST request to hxxp://86[.]104[.]134[.]144/main[.]php, it was not possible to observe this request being made during the analysis. A BleepingComputer article explains that this is communication with the C2, and that the response carries an RSA key used to encrypt the computer.
I'm publishing this partial report, but I'll continue the analysis and will update this post with new findings.
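The strings and the behaviours listed above (the ransom-note file names, the HKCU\Software\Locky key, the vssadmin shadow deletion, the cmd.exe self-delete and the C2 address) are exactly what a detection rule would key on. The script below is an added example, not code from the post: it runs a small set of rules over Process Monitor-style events and reports processes that trip more than one rule, so that a single noisy match (a backup tool calling vssadmin, say) does not fire on its own. The event lines are constructed here in a simplified CSV form to mimic what the post describes; they are not a real capture, and the TCP Send line is included only so the network rule can be exercised, since the post did not observe that request during its run.

```python
import re
from collections import defaultdict

# Constructed Process Monitor-style events (Time,Process,Operation,Path,Detail) that
# mimic the behaviours described in the post. They are not a real capture. The
# TCP Send line is here only so the network rule can be exercised.
SAMPLE_EVENTS = r"""
10:01:02.100,sample.exe,RegCreateKey,HKCU\Software\Locky,Desired Access: Write
10:01:02.105,sample.exe,RegOpenKey,HKCU\Software\Locky,Desired Access: Read
10:01:03.210,sample.exe,Process Create,C:\Windows\System32\vssadmin.exe,Command line: vssadmin.exe Delete Shadows /All /Quiet
10:01:04.000,sample.exe,WriteFile,C:\Users\victim\Documents\report.docx,Length: 48128
10:01:04.020,sample.exe,WriteFile,C:\Users\victim\Documents\_Locky_recover_instructions.txt,Length: 1430
10:01:04.030,sample.exe,WriteFile,C:\Users\victim\Documents\_Locky_recover_instructions.bmp,Length: 3145782
10:01:04.900,sample.exe,TCP Send,DESKTOP-01:49712 -> 86.104.134.144:http,Length: 312
10:01:05.500,sample.exe,Process Create,C:\Windows\System32\cmd.exe,Command line: cmd.exe /C del /Q /F "C:\Users\victim\AppData\Local\Temp\sample.exe"
10:01:06.000,explorer.exe,CreateFile,C:\Users\victim\Desktop\notes.txt,Desired Access: Read
"""

# (rule name, event field the pattern is applied to, compiled pattern); the
# indicators come from the strings and behaviours reported in the post.
RULES = [
    ("locky_registry_key", "path", re.compile(r"^HKCU\\Software\\Locky", re.I)),
    ("locky_ransom_note", "path", re.compile(r"_Locky_recover_instructions\.(txt|bmp)$", re.I)),
    ("shadow_copy_deletion", "detail", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("self_delete_via_cmd", "detail", re.compile(r"cmd\.exe\s+/c\s+del\s+/q\s+/f\b", re.I)),
    ("locky_c2_address", "path", re.compile(r"\b86\.104\.134\.144\b")),
]


def parse_events(text: str) -> list:
    """Split CSV-style event lines into dicts; Detail may contain commas, so split at most 4 times."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 4)
        if len(parts) != 5:
            continue
        time, process, operation, path, detail = (p.strip() for p in parts)
        events.append({"time": time, "process": process, "operation": operation,
                       "path": path, "detail": detail})
    return events


def scan(text: str) -> list:
    """Apply every rule to every event and return one finding per (event, rule) match."""
    findings = []
    for ev in parse_events(text):
        for name, field, pattern in RULES:
            if pattern.search(ev[field]):
                findings.append({"rule": name, "process": ev["process"],
                                 "time": ev["time"], "path": ev["path"]})
    return findings


def suspicious_processes(text: str, min_rules: int = 2) -> list:
    """Processes that tripped at least min_rules distinct rules, so one noisy match alone is not enough."""
    hits = defaultdict(set)
    for f in scan(text):
        hits[f["process"]].add(f["rule"])
    return sorted(p for p, rules in hits.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['time']} {f['process']:<14} {f['rule']:<22} {f['path']}")
    print("suspicious:", suspicious_processes(SAMPLE_EVENTS))
```

Procmon's CSV export has more columns than the five used here, so map them when feeding real data. The string-derived rules (key name, note names, C2 address) will stop matching as soon as a new build changes them; the two behavioural rules, shadow-copy deletion and a process deleting its own image through cmd.exe, are the ones worth keeping regardless of family.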