Locky Osiris

Locky resurfaced this past December with the Osiris variant. Although it is too late for this analysis to benefit others, it is still worth a journal entry.

The infection originated from a set of Excel files with macros (obviously).

[Screenshot: Excel file]

Once the macros are enabled, the encryption process runs until all of the target files have been replaced with their encrypted versions, and the desktop background is replaced by the following:

[Screenshot: Locky wallpaper]

The encrypted files carry the .osiris extension, and an HTML file with detailed instructions for decrypting them (after paying the ransom) is written to every folder that contains encrypted files.

[Screenshot: .osiris files]

[Screenshot: OSIRIS note content]
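As an added example (not code from the original post), here is a small triage script for the file-system side of what is described above: it walks a tree, reports every folder that holds .osiris files, checks whether an HTML note sits beside them, and brackets the encryption window from the encrypted files' modification times. It assumes the .osiris extension the post reports; since the post does not give the note's exact filename, any .html/.htm file in an affected folder is treated as the note. The sample tree is constructed in a temp directory for the example and is not victim data.

```python
"""Triage a directory tree for Locky Osiris artifacts (added example).

Assumptions (not from the original post): the ransom note is matched
loosely as any .html/.htm file in a folder that also holds encrypted
files, and the sample tree below is constructed, not victim data.
"""
import os
import tempfile

ENCRYPTED_EXT = ".osiris"        # extension reported in the post
NOTE_EXTS = (".html", ".htm")    # assumption: the note is an HTML file


def triage_tree(root):
    """Map each affected folder (relative to root) to its encrypted files,
    any HTML notes beside them, and the earliest/latest mtime of the
    encrypted files, which brackets the encryption window per folder."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(n for n in files if n.lower().endswith(ENCRYPTED_EXT))
        if not encrypted:
            continue  # untouched folder, nothing to report
        notes = sorted(n for n in files if n.lower().endswith(NOTE_EXTS))
        mtimes = [os.path.getmtime(os.path.join(dirpath, n)) for n in encrypted]
        hits[os.path.relpath(dirpath, root)] = {
            "encrypted": encrypted,
            "notes": notes,
            "first": min(mtimes),
            "last": max(mtimes),
        }
    return hits


def encryption_window(hits):
    """Overall (first, last) mtime across all affected folders, or None."""
    if not hits:
        return None
    return (min(h["first"] for h in hits.values()),
            max(h["last"] for h in hits.values()))


def folders_missing_note(hits):
    """Folders with encrypted files but no HTML note; worth a second look,
    since the post says a note is dropped in every affected folder."""
    return sorted(f for f, h in hits.items() if not h["notes"])


def build_sample_tree():
    """Create a constructed sample tree (not real victim data) and return its path."""
    root = tempfile.mkdtemp(prefix="osiris_triage_")
    layout = {
        "Documents": ["one.osiris", "two.osiris", "recover-instructions.html"],
        "Pictures": ["three.osiris"],        # note deliberately missing
        "Clean": ["untouched.txt"],          # never touched by the encryptor
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = triage_tree(sample)
    for folder, info in sorted(result.items()):
        print(f"{folder}: {len(info['encrypted'])} encrypted, notes={info['notes']}")
    print("folders without a note:", folders_missing_note(result))
    print("encryption window:", encryption_window(result))
```

Pointing triage_tree at a user's profile root gives a per-folder picture of what was hit; the overall window is a quick way to line the encryption up against process telemetry from the same host.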

During the encryption process we can see that Excel spawned a rundll32.exe process (Process Hacker makes this easy to spot).

[Screenshot: Process Hacker process tree]

Process Hacker also lets us inspect the threads created by this process, and their start addresses tell us which modules are loaded into rundll32.exe. One of them is an unusual file, 'shtefans1.spe'.

[Screenshot: rundll32.exe properties, Threads tab]

Searching for this file leads us to the current user's temporary directory. Alongside the file we identified earlier there is another file, and both have similar timestamps and sizes.

[Screenshot: temp directory listing]
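The two observations above (Excel spawning rundll32.exe, and rundll32.exe loading a module with an odd extension from the user's temp directory) translate directly into detection logic. The following is an added example, not code from the original post: it assumes Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records flattened to JSON lines using Sysmon's field names, whereas the post itself used Process Hacker. The sample records, including the export name in the rundll32 command line, are constructed for the example, and the parent list generalizes beyond Excel to other Office applications.

```python
"""Detect the Office -> rundll32.exe -> %TEMP% module chain (added example).

Assumptions (not from the original post): Sysmon-style EventID 1 / 7
records as JSON lines with Sysmon field names; the sample events below
are constructed, and the "ExportName" in the command line is a placeholder.
"""
import json
import ntpath
import re

# Generalizes the post's Excel case to other Office hosts (assumption).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOADER = "rundll32.exe"
# Extensions rundll32 is normally asked to load; anything else from %TEMP% is odd.
MODULE_EXTS = {".dll", ".ocx", ".cpl", ".drv", ".ax"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample telemetry: one malicious chain (pid 5208) and one benign rundll32 (pid 6004).
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE\" C:\\Users\\alice\\Downloads\\invoice.xls"}
{"EventID":1,"ProcessId":5208,"Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","CommandLine":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\shtefans1.spe,ExportName"}
{"EventID":7,"ProcessId":5208,"Image":"C:\\Windows\\System32\\rundll32.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\shtefans1.spe"}
{"EventID":7,"ProcessId":5208,"Image":"C:\\Windows\\System32\\rundll32.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}
{"EventID":1,"ProcessId":6004,"Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"rundll32.exe shell32.dll,Control_RunDLL"}
{"EventID":7,"ProcessId":6004,"Image":"C:\\Windows\\System32\\rundll32.exe","ImageLoaded":"C:\\Windows\\System32\\shell32.dll"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _base(path):
    return ntpath.basename(path).lower()


def suspicious_module(path):
    """True when a module comes from a user's temp dir and lacks a normal module extension."""
    return bool(USER_TEMP.search(path)) and ntpath.splitext(path)[1].lower() not in MODULE_EXTS


def evaluate(events):
    """Correlate both signals per rundll32 process id and return alerts.

    Severity is "high" when the same process both has an Office parent and
    loads an odd module from %TEMP%, "medium" when only one signal fires."""
    findings = {}
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1 and _base(ev["Image"]) == LOADER \
                and _base(ev["ParentImage"]) in OFFICE_PARENTS:
            f = findings.setdefault(pid, {"rules": set(), "reasons": []})
            f["rules"].add("office_parent")
            f["reasons"].append(f"{LOADER} spawned by {_base(ev['ParentImage'])}")
        elif ev["EventID"] == 7 and _base(ev["Image"]) == LOADER \
                and suspicious_module(ev["ImageLoaded"]):
            f = findings.setdefault(pid, {"rules": set(), "reasons": []})
            f["rules"].add("temp_module")
            f["reasons"].append(f"loaded {ev['ImageLoaded']} from user temp")
    alerts = []
    for pid, f in sorted(findings.items()):
        severity = "high" if len(f["rules"]) == 2 else "medium"
        alerts.append({"pid": pid, "severity": severity, "reasons": f["reasons"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_EVENTS)):
        print(alert["pid"], alert["severity"], "; ".join(alert["reasons"]))
```

The benign rundll32 launched from Explorer with shell32.dll never appears in the output, while the process spawned by Excel that loads shtefans1.spe from the temp directory is raised as high severity because both signals land on the same process id.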

In this post we took a cursory look at the conspicuous changes that happened after Locky was executed. In the next post we will dive into the macros used and try to understand how rundll32 was spawned from Excel.
