Cracking Locky’s New Anti-Sandbox Technique

The last few weeks saw new variants of the Locky ransomware that
employ a new anti-sandbox technique. In these variants, Locky’s
loader code uses a seed parameter supplied by its JavaScript downloader
to decrypt the embedded malicious code and execute it properly. For
example, the downloaded Locky executable is launched by the JavaScript
in the following manner:
This new trick may pose challenges for automated Locky tracking systems
that utilize sandboxing due to the following considerations:

  • New Locky binaries will not execute properly without the correct parameter.

  • JavaScript downloaders may fail to download if the download locations
    are already down.

Currently, the in-the-wild JavaScript downloaders we have seen use
the parameters “123” and “321”. Of course, Locky’s perpetrators can
easily change this. So the question this raises is: how do we get
around this anti-sandbox mechanism?
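One practical answer for a sandbox operator is to stop treating the downloader and the binary as separate artifacts: the seed parameter is visible in the JavaScript, so it can be recovered statically and passed on the command line when the executable is detonated, with the in-the-wild values from the post as fallbacks when the downloader is unavailable. The following Python is an added example written for this page, not code from the Fortinet post or from any tracking system; the JavaScript snippet is constructed to mirror the described behaviour (save the payload, then run it with a trailing numeric argument), and the function names and the `KNOWN_PARAMS` fallback list are this example's own choices, seeded with the “123” and “321” values the post reports.

```python
import re
from typing import List, Optional

# Constructed sample of a JavaScript downloader body (written for this
# example, not taken from a real sample): it builds a path in %TEMP% and
# runs the dropped file with a trailing numeric argument, the behaviour
# the post describes. The download itself is omitted.
SAMPLE_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\update.exe";
// ... download and file write omitted ...
sh.Run(p + " 321", 0, false);
'''

# Parameters the post reports seeing in the wild; used as fallbacks when
# the downloader is unavailable or the extraction fails.
KNOWN_PARAMS = ("123", "321")

# First WScript.Shell .Run(...) call and its argument list.
_RUN_CALL = re.compile(r'\.Run\s*\(([^;]*?)\)\s*;', re.IGNORECASE | re.DOTALL)
# Double- or single-quoted JavaScript string literals.
_STR_LIT = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def extract_run_parameter(js_text: str) -> Optional[str]:
    """Return the trailing argument passed to the executable in the first
    .Run(...) call, or None if no separate argument is appended."""
    m = _RUN_CALL.search(js_text)
    if not m:
        return None
    # Keep only the first argument of Run(): the command line expression.
    command_expr = m.group(1).split(',')[0]
    # Concatenate every string literal in the expression. Variables such as
    # the path cannot be resolved statically and are simply skipped; the
    # parameter we want is a literal appended after a space.
    literal = ''.join(a or b for a, b in _STR_LIT.findall(command_expr))
    tokens = literal.split()
    if not tokens:
        return None
    last = tokens[-1]
    # If the last token is the executable itself, nothing was appended.
    return None if last.lower().endswith('.exe') else last


def sandbox_command_lines(exe_path: str, js_text: Optional[str]) -> List[List[str]]:
    """Build the argument vectors a sandbox should try, most likely first:
    the parameter recovered from the downloader, then the known values."""
    candidates: List[str] = []
    if js_text:
        recovered = extract_run_parameter(js_text)
        if recovered:
            candidates.append(recovered)
    for known in KNOWN_PARAMS:
        if known not in candidates:
            candidates.append(known)
    return [[exe_path, c] for c in candidates]


if __name__ == "__main__":
    # With the downloader available, "321" is tried first; "123" remains
    # as a fallback in case the recovered value is wrong.
    for argv in sandbox_command_lines(r"C:\sandbox\sample.exe", SAMPLE_JS):
        print(argv)
```

The same extraction doubles as a triage signal: a script that launches a freshly written executable with a bare numeric argument is unusual for legitimate installers, so the presence of a recovered parameter is itself worth flagging alongside the detonation result.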

  • Thursday, 14 Jul 2016
  • Authors: Floser Bacurio and Roland Dela Paz, Fortinet
