LockyDump
LockyDump.10122016.exe SHA256: d49fd9fb7d290a530c292f451c32e558f6f5797944ecb2d6b73e151f450fc43c
Please validate the hash prior to execution.

LockyDump

LockyDump is an open-source Locky configuration extractor that can dump the configuration parameters used by all currently known variants of Locky e.g. .locky, .zepto & .odin based ransomware. LockyDump can run a known Locky sample within a virtualized environment and extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis such as their primary distribution method of choice e.g. through the use of Exploit Kits (EKs) or spam/phishing email.

The below table shows the configuration parameters that can be extracted from the malicious binary.

affilID The Affiliate ID specified within the Locky binary. The values we have observed are 1, 3, 4, 5, 8, D, E, F, 13, 15
dga_seed The seed value used by versions of Locky that relied upon the use of a Domain Generation Algorithm (DGA) for Command and Control (C2) communications.
persist_svhost ‘0’ or ‘1’ flag set to save as and run %temp%\svchost.exe
persist_registry ‘0’ or ‘1’ flag set to obtain persistence via the run key in the registry of the victim machine.
ignore_russian ‘0’ or ‘1’ flag set to terminate execution on systems using the Russian language pack.
callback_path This contains the URI path used by Locky to send HTTP POST requests back to C2 servers. This value has changed several times as Locky has evolved and has previously consisted of paths such as /apache_handler.php & /data/info.php etc.
C2_servers Hardcoded IPs of the C2 servers used by the Locky sample to obtain DGA information.
rsa_key_id The RSA Key ID used during the encryption process.
rsa_bits The size of RSA key used during the encryption process
rsa_exponent The prime number used by RSA during encryption process.
ransom Ransom note displayed by the binary upon successful infection of the system.
onion_addr The ransom payment gateway address where the user is instructed to go to pay the ransom demanded by the malware. These addresses are located on the Tor network.

LockyDump is a PE32 Windows binary application that is used for extracting embedded configurations from the Locky malware family, which requires execution of the malware to allow for the extraction of these values from memory. This limits the analysis environment to Windows systems and to one that can be compromised by Locky.

Please see the LockyDump blog post for more information.