For this post I would be using IDA Pro and OllyDbg. While jumping back and forth between these tools I will follow the naming convention of IDA Pro more often than OllyDbg.
The entry point for shtefans1.spe is plan function [0x100054e4]. It makes 2 function calls, the first call only creates a few SEH pointers but the second call (sub_10004f74) does most of the interesting activities.
Let’s dive into sub_10004f74.
Previously I mentioned that as we attach to rundll32 OllyDbg takes some time to pause. Afterwards the first place the control drops into is after Kernel32.Sleep(). The reason for this is that shtefans1.spe after being loaded into rundll32.exe goes to sleep for 55 seconds.
sub_1000701A: this function gets Volume GUID and hashes it to create the Computer Id for the Command and Control (C2) communication.
Through the flow: sub_1000701A -> sub_1000756D -> sub_1000748D
sub_1000748D: This function does some arithmetic on the hashed value to calculate the computer id.
This computer id is used to create mutex in function sub_10004D3E using call OpenMutex. The part of code shown below uses the computer id and calculates the mutex name (lpName).
Below were the lpName parameters calculated in this case. It certainly makes sense to create mutexes by using the id with which the machine is being identified. This makes it random from the analyst’s perspective and provides one less opportunity for IOC building.
The C2 communication includes some parameters and Windows version information as well which is gathered in sub_10003E32.
The string with all the parameters is formed like it’s shown below:
id=23D5954DAAEC35A7&act=getkey&affid=3&lang=en&corp=0&serv=0&os=Windows+10&sp=0&x64=0&v=2
After that it is encrypted using the function sub_10007F02. sub_10007F02 also performs the function of sending the data by creating the HTTP request header and adding the string as parameters.
The loop to encode the C2 string is present between 10001d95-10001e93. The code at that loop is called by the following flow: sub_10007F02 (encodes and sends request) -> 0x1000805d -> 0x10001D40 (encodes).
Image: Encoded string at different iterations of the loop
sub_100076D3 does the job of sending the actual C2 POST request that was encoded earlier to either of the three destination IP addresses [91(dot)142(dot)90(dot)61,5(dot)45(dot)80(dot)169,176(dot)31(dot)127(dot)168].
This concludes our second part of the reverse engineering Locky. I have excluded some details and I leave them to the readers to fill in. I have also not mentioned the Windows APIs that are used in the functions encountered in this part of the malware code. We will cover the encryption of files in the third part of this series.
Evil Code Analysis 