{
	"id": "41f57b3f-39ac-4f6a-a287-0743b425e280",
	"created_at": "2026-04-06T01:29:46.277845Z",
	"updated_at": "2026-04-10T03:23:51.54905Z",
	"deleted_at": null,
	"sha1_hash": "74dead32d28ce49874c2d39b019c3fede457a0a3",
	"title": "Picking locky 🔓",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 695572,
	"plain_text": "Picking locky 🔓\r\nBy f0wL\r\nPublished: 2019-07-30 · Archived: 2026-04-06 00:38:55 UTC\r\nTue 30 July 2019 in Ransomware\r\nBack in 2016 Locky was (one of) the first to commercialize the \"art\" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this\r\nOG Ransomware\r\nLocky (at least the first few versions) is said to have been created by the makers of the Dridex/Cridex banking trojans. For example, the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains.\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.\r\nToday's samples are brought to you by:\r\nLocky #1 available @ https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Locky sha256 bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3\r\nLocky.AZ available @ https://dasmalwerk.eu/ sha256 2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b\r\nRunning this first Locky sample was pretty unspectacular since nothing really happened 🤔. Let's take a look at the binary first:\r\nhttps://dissectingmalwa.re/picking-locky.html\r\nPage 1 of 7\r\nWould you look at that! We found ourselves some poor man's obfuscation :D A whole bunch of random strings to make the analyst's life just a little bit harder. We'll come back to this later to see if we can simplify our strings output a bit.\r\nAfter a couple of seconds it spawns a new svchost.exe process with the same icon as Locky.exe had previously. Of course we'll dump the process memory to a file (just right-click the listing in Process Hacker and choose Create dump from the context menu).\r\nLooking at the properties of the new svchost.exe process we can see that it is actually run from C:\\Users\\IEUser\\AppData\\Local\\Temp\\ and it's unsigned as well.\r\nTrojan.Ransom.Locky.AZ\r\nhttps://www.hybrid-analysis.com/sample/2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b/5cd5813d028838383d3ab408\r\nThis article is a work in progress, updates are going to follow soon.\r\nIOCs\r\nLocky (SHA256)\r\n2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b\r\n5ed2f09e648dca8f0ca75466b1442f6e599afddc80777e0559fb6881c6cd9ff3\r\n3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02\r\n6afc78b5630726c907a69d62a6c8a7d86326e21383fe3aae1efc715342238e02\r\nSource: https://dissectingmalwa.re/picking-locky.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/picking-locky.html"
	],
	"report_names": [
		"picking-locky.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438986,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74dead32d28ce49874c2d39b019c3fede457a0a3.pdf",
		"text": "https://archive.orkl.eu/74dead32d28ce49874c2d39b019c3fede457a0a3.txt",
		"img": "https://archive.orkl.eu/74dead32d28ce49874c2d39b019c3fede457a0a3.jpg"
	}
}