LockyDump is an open-source Locky configuration extractor that can dump the configuration parameters used by all currently known variants of Locky e.g. .locky, .zepto & .odin based ransomware. LockyDump can run a known Locky sample within a virtualized environment and extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis such as their primary distribution method of choice e.g. through the use of Exploit Kits (EKs) or spam/phishing email.
The below table shows the configuration parameters that can be extracted from the malicious binary.
|The Affiliate ID specified within the Locky binary. The values we have observed are 1, 3, 4, 5, 8, D, E, F, 13, 15
|The seed value used by versions of Locky that relied upon the use of a Domain Generation Algorithm (DGA) for Command and Control (C2) communications.
|‘0’ or ‘1’ flag set to save as and run %temp%\svchost.exe
|‘0’ or ‘1’ flag set to obtain persistence via the run key in the registry of the victim machine.
|‘0’ or ‘1’ flag set to terminate execution on systems using the Russian language pack.
|This contains the URI path used by Locky to send HTTP POST requests back to C2 servers. This value has changed several times as Locky has evolved and has previously consisted of paths such as /apache_handler.php & /data/info.php etc.
|Hardcoded IPs of the C2 servers used by the Locky sample to obtain DGA information.
|The RSA Key ID used during the encryption process.
|The size of RSA key used during the encryption process
|The prime number used by RSA during encryption process.
|Ransom note displayed by the binary upon successful infection of the system.
|The ransom payment gateway address where the user is instructed to go to pay the ransom demanded by the malware. These addresses are located on the Tor network.
LockyDump is a PE32 Windows binary application that is used for extracting embedded configurations from the Locky malware family, which requires execution of the malware to allow for the extraction of these values from memory. This limits the analysis environment to Windows systems and to one that can be compromised by Locky.
Please see the LockyDump blog post for more information.