Cracking Locky’s New Anti-Sandbox Technique
Posted: Thursday, 14 Jul 2016, Author: Floser Bacurio and Roland Dela Paz, Fortinet

The last few weeks saw new variants of the Locky ransomware that
employ a new anti-sandbox technique. In these new variants, Locky’s
loader code uses a seed parameter from its JavaScript downloader in
order to decrypt embedded malicious code and execute it properly. For
example, the downloaded Locky executable is executed by the JavaScript
in the following manner:

This new trick may pose challenges for automated Locky tracking systems
that utilize sandboxing due to the following considerations:

New Locky binaries will not execute properly without the correct parameter.

JavaScript downloaders may fail to download if the download locations
are already down.

Currently, the in-the-wild JavaScript downloaders we have seen are using
the parameters “123” and “321”. Of course, this can be easily changed by
Locky’s perpetrators. So the question this raises is – how do we get
around this anti-sandbox mechanism?
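One sandbox-side answer, added here as an illustration and not code from the Fortinet write-up: recover the seed the downloader appends to the dropped executable's command line and queue one detonation per candidate seed, falling back to the seeds reported above. The JScript snippet, the `.Run(` parsing and the file paths are constructed assumptions.

```python
import re
from typing import List, Optional

# Seeds the write-up reports in in-the-wild downloaders; used as fallbacks.
KNOWN_SEEDS = ["123", "321"]

# Constructed stand-in for a JScript downloader's launch line (not a real sample):
# the seed is appended to the dropped executable's command line.
SAMPLE_DOWNLOADER = r'''
var sh = new ActiveXObject("WScript.Shell");
var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\payload.exe";
sh.Run(p + " 321", 0, false);
'''

# First argument of a WScript.Shell.Run(...) call, up to the first comma or ')'.
_RUN_ARG = re.compile(r'\.Run\(\s*([^,)]+)')

def extract_seed(js_source: str) -> Optional[str]:
    """Return the trailing token of the command string passed to Run(), if any."""
    m = _RUN_ARG.search(js_source)
    if not m:
        return None
    # Walk the string literals in the argument expression, last one first: the
    # seed is the final whitespace-separated token of the command line.
    for dq, sq in reversed(re.findall(r'"([^"]*)"|\'([^\']*)\'', m.group(1))):
        tokens = (dq or sq).split()
        if tokens and tokens[-1].isalnum():
            return tokens[-1]
    return None

def candidate_seeds(js_source: Optional[str]) -> List[str]:
    """Seed taken from the downloader first, then the known seeds, deduplicated."""
    seeds: List[str] = []
    found = extract_seed(js_source) if js_source else None
    for s in ([found] if found else []) + KNOWN_SEEDS:
        if s not in seeds:
            seeds.append(s)
    return seeds

def detonation_argv(sample_path: str, js_source: Optional[str] = None) -> List[List[str]]:
    """One argv per sandbox run: a bare launch as baseline plus one per candidate seed."""
    return [[sample_path]] + [[sample_path, s] for s in candidate_seeds(js_source)]

if __name__ == "__main__":
    for argv in detonation_argv(r"C:\sandbox\sample.exe", SAMPLE_DOWNLOADER):
        print(argv)
```

Runs whose behaviour matches the baseline (no file encryption, no C2 traffic) indicate the seed was wrong, so the tracking system should keep the next candidate rather than record a failed detonation.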
