How It Began…
An email arrived from scanner@[mydomain.tld], despite the fact that no such scanner exists.
The email contained an attachment called “Scan00353215781451.rar.” Inside this attachment was a VBS file called “4871691103.vbs.”
A .vbs file is a Microsoft Visual Basic script. Since a VBS script is not compiled, anyone can open the file in a text editor to see what it is doing. Malware authors typically attempt to make understanding .vbs files difficult by obfuscating them. In this case, the .vbs script was clearly obfuscated. This VBS script attempts to get a file from two URLs and then executes it by making the following two GET requests:
At the time this post was written, the server for in the first GET request was down. Therefore, it is not known what the first GET request contained. However, the second GET request responded with a Windows PE32 executable.
Once this VBS script downloads a file, it immediately executes it.
The Malware – Locky
The VBS script automatically executes the malware (Locky). Within seconds, the victim’s files are encrypted and the user is presented with the following screen:
Using Radare2, some initial information can be gathered about the malware. For example:
[0x0040287a]> iI arch x86 binsz 673280 bintype pe bits 32 canary false class PE32 cmp.csum 0x000ad193 compiled Thu Jul 26 10:06:56 2012 crypto false endian little havecode true hdr.csum 0x000ad193 linenum false lsyms false machine i386 maxopsz 16 minopsz 1 nx false os windows overlay false pcalign 0 pic false relocs true signed false static false stripped true subsys Windows GUI va true
Analysis of Locky
Like most modern malware, Locky is packed, which makes it difficult to perform static analysis on. Unpacking Locky requires monitoring calls to VirtualAlloc and pulling the unpacked sample out of memory. For a detailed overview of unpacking Locky, click here.
Even after having unpacked Locky, the malware is still fairly obfuscated. This obfuscation is clear for many reasons; for example, there are not many strings of value and there are a huge number of functions.
First, this Locky variant will check to see if a debugger is present with IsDebuggerPresent. If Locky detects a debugger, it will continually loop, doing nothing. This anti-reversing technique can be easily bypassed with the IDA Stealth plugin.
Locky will then use GetLogicalDrives to gather a list of all mapped drives on the system. Once it has gathered this list, it will search for files using FindFirstFile and FindNextFile. It will then encrypt any file on the system that contains any of the following file extension:
.003 .007 .011 .123 .3dm .3gp .7zip .SQLITE3 .SQLITEDB .accdb .accde .accdr .accdt .adp .agdl .aiff .asc .asf .asp .aspx .asset .asset .back .backup .backupdb .bank .blend .bmp .bz2 .cdf .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cgm .cgm .class .class .config .contact .cpp .cpp .craw .crt .d3dbsp .das .dat .db_journal .dbf .dbx .ddd .ddoc .ddrw .design .dif .dip .djvu .djvu .docb .docm .docm .docx .docx .dot .dotm .dotm .dotx .dotx .dxb .erbsql .fdb .fla .fla .flac .flvv .forge .fpx .gpg .gray .grey .groups .html .ibank .ibd .incpas .indd .java .java .jnt .jpeg .jpeg .kdbx .key .kpdx .laccdb .lay6 .litemod .litesql .m2ts .m4a .m4v .mapimail .mdb .moneywell .mos .mpeg .mpeg .ms11 .msg .nsf .nsh .nvram .odb .ods .ods .onetoc2 .otg .pages .pas .pct .pdf .pef .pem .potm .potm .potx .potx .ppam .ppam .pps .ppsm .ppsm .ppsm .ppsx .ppsx .pptm .pptm .pptm .pptx .pptx .prf .psafe3 .psd .pspimage .pst .ptx .qbm .qcow .qcow2 .qcow2 .rar .rar .re4 .rw2 .s3db .safe .sas7bdat .save .sldm .sldm .sldx .sldx .sqlite .sqlite3 .sqlitedb .st4 .stc .sxd .sxi .sxw .sxw .tar .tbk .tga .tiff .txt .vbox .vdi .vhdx .vmdk .vmdk .vmsd .vmxf .wallet .wallet .wma .xla .xlam .xlr .xlsb .xlsb .xlsm .xlsm .xlsx .xlsx .xltm .xltm .xltx .xltx .xlw .xlw .ycbcra
Once the encryption process finishes, the user’s wallpaper will change to lukitus.bmp a random note. Locky changes the user’s wallpaper by modifying (RegOpenKeyExA & RegSetValueExA) the following registry keys:
It is important to note that this variant of Locky does not require a network connection once it is downloaded and executed.
The files have now been encrypted and the wallpaper has been set to the ransom message in an attempt to get the user to pay to have their files decrypted. The ransom is set for .5 BTC, which at the time this post was written, is equivalent to approximately $2,000 USD.