Locky ransomware comes with an outstanding statement
File Hash (SHA-256): 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
File Size: 13 KB
This malicious domain is the point from which Locky ransomware files are served to victim machines. Specifically, the malicious domain ‘vayvonvietcombank24h(.)net’ serves the Locky ransomware sample, which is downloaded and then executed.
The full malicious URL is hxxp://vayvonvietcombank24h(.)net/tOldHSYW?
Figure 1 Downloaded Locky sample
We also observed the variants in the domain extension:
Figure 2 Observed pattern in the malicious domain
Analysis of Locky sample
File Hash (SHA-256): da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
File Size: 151 KB
We executed the Locky sample in a controlled environment and observed its behavior. It creates a RunOnce registry entry as follows.
Figure 3 Registry entry
Figure 4 Files added after execution (..doc extension added)
Figure 5 Readme HTML (payment methods)
SHA-256: da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
SHA-256: 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
File extension added by this variant of ransomware:
Physical location: %appdata%/<lockysample>
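As an added example (not part of the original write-up), the following Python applies the indicators above to proxy log lines to flag hosts that reached the delivery domain. The domain label is matched with any TLD because the write-up reports variants in the domain extension (an assumption about that pattern); the log line format and the sample lines are constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above.
KNOWN_SHA256 = {
    "381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd",  # 13 KB downloader
    "da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c",  # 151 KB Locky payload
}
# The write-up reports variants in the domain extension, so only the label is
# pinned and the TLD is left free (assumption: the label itself does not change).
DOMAIN_RE = re.compile(r"(^|\.)vayvonvietcombank24h\.[a-z]{2,}$", re.IGNORECASE)
URI_PATH = "/tOldHSYW"
# Constructed proxy log format (assumption): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return a reason string when the URL matches the delivery indicators, else None."""
    parsed = urlparse(url)
    if not DOMAIN_RE.search(parsed.hostname or ""):
        return None
    return "locky-delivery-url" if parsed.path == URI_PATH else "locky-delivery-domain"


def scan_proxy_log(lines):
    """Return (line_no, client_ip, reason) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        reason = classify_url(m.group(4))
        if reason:
            hits.append((n, m.group(2), reason))
    return hits


def is_known_sample(data):
    """True when the bytes hash to one of the two SHA-256 values listed above."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2016-03-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2016-03-01T10:00:07Z 10.0.0.5 GET http://vayvonvietcombank24h.net/tOldHSYW? 200",
    "2016-03-01T10:00:09Z 10.0.0.9 GET http://vayvonvietcombank24h.com/other 404",
    "2016-03-01T10:00:12Z 10.0.0.7 GET http://notvayvonvietcombank24h.net/x 200",
]
```

Clients returned by `scan_proxy_log` are candidates for the host-side checks described above (the RunOnce entry and the sample under %appdata%, which `is_known_sample` can confirm by hash).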