Hello and welcome to a quick unpacking showcase of a Locky sample. We'll be using OllyDbg this time, and there's the file. I don't have an extension on this file, so I don't click it accidentally; I don't want my files to be encrypted or anything. I doubt that it still works, though. It's a bit of an older Locky sample and would probably not work anymore.

All right, so we want to unpack this file, and the idea is that the unpacking step needs to allocate memory to unpack the packed stuff into. Because of that, we can probably just set a breakpoint on VirtualAlloc, and we may now just press F9 to run the file. All right, you can see that we are at the VirtualAlloc breakpoint, and the stack window shows the arguments that were passed to this function. So we have the allocation type, the protection, and we also have the size. The size is very interesting in this case, because if it's very small, it's not interesting for us and we will just move on. That's also a bit too small. All right, now we are at a bigger size; that looks good. We are in the kernel32 module, because that's where the VirtualAlloc function is. We want to get back to where this was called, so you just press Alt+F9 and you will get back to the call. Yes, a call, and here we are right below it. Now the return value of the call is in EAX, and this is our memory area that was allocated, so we can follow it in the dump. If you try this, it will probably be another value, because it depends on the machine. Okay, the memory area is zeroed out so something can be written to it. To see what will be written to it, we just step a bit with F8 until something happens. In this case it called something on that memory area, but it does not look useful for us, so we will now press F9 to run to the next VirtualAlloc. Here it is, and press Alt+F9 again to get back to the caller.
Here's the calling function, and we follow the return value in the dump again. It's a zeroed-out dump, and we will be stepping until they do something to that dump. Watch out now: this is the RtlDecompressBuffer call, which is commonly used by packers and will now probably unpack something. Let's see. And there it is: there's the DOS stub message, "This program cannot be run in DOS mode", the MZ header and the PE signature. All right, we can now dump this. We'll be using the memory map; select the right area, in my case it's this one, dump the memory area, name it "unpacked locky" and save it.

Now let's take a look at this. Is it really Locky? Locky typically has some strings in it, like the shadow volume copy deletion and the ransom note names. There it is: there's the extension for the files that get encrypted. Here we have the name of the ransom note. This is svchost.exe; Locky, or this Locky sample, copies itself into Temp as svchost.exe, so this is just the name of its copy. And here we have the deletion of the shadow volume copies. Run, and a Run entry, because if it's not finished and you shut off the computer, it still wants to finish its encryption process, so it sets this Run entry temporarily to do that. Again the ransom note names, and some locations it looks for files in, I guess, or that are excluded, I'm not sure. Here are the file extensions that it filters on, some more, even wallet.dat. Too bad if you have to pay with Bitcoin. Okay, and that's it for today. It was a quick video, but I hope you liked it, and I want to thank Traviv for pointing out that VirtualAlloc method to get very quickly to the unpacking of this sample. All right, bye-bye.
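As an added example that is not part of the video: a small Python helper that does offline what the video does by hand at the end, carving the PE image out of a dumped VirtualAlloc region (trimmed to the size its section table implies) and checking it for the Locky strings the video walks through. The dump contents below are constructed for the demonstration, not taken from a real sample.

```python
import struct
from typing import Optional

# Strings the video checks to confirm the dump is Locky: encrypted-file extension,
# the svchost.exe copy in %TEMP%, shadow copy deletion, the Run key, wallet.dat.
LOCKY_INDICATORS = [b".locky", b"svchost.exe", b"vssadmin", b"CurrentVersion\\Run", b"wallet.dat"]

def carve_pe(dump: bytes) -> Optional[bytes]:
    """Return the first MZ/PE image in a raw memory dump, cut at the end of its last
    section (decompressed output is in file layout: PointerToRawData + SizeOfRawData)."""
    pos = dump.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(dump):
        e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if 0x40 <= e_lfanew <= 0x400 and dump[pe:pe + 4] == b"PE\0\0":  # sane e_lfanew
            nsect = struct.unpack_from("<H", dump, pe + 6)[0]          # NumberOfSections
            opt_size = struct.unpack_from("<H", dump, pe + 20)[0]      # SizeOfOptionalHeader
            end = 0
            for i in range(nsect):
                sect = pe + 24 + opt_size + 40 * i                     # IMAGE_SECTION_HEADER
                if sect + 40 > len(dump):
                    break
                raw_size, raw_ptr = struct.unpack_from("<II", dump, sect + 16)
                end = max(end, raw_ptr + raw_size)
            end = pos + end if end else len(dump)                      # fall back to whole region
            return dump[pos:min(end, len(dump))]
        pos = dump.find(b"MZ", pos + 1)
    return None

def locky_indicators(image: bytes) -> list:
    """Indicator strings present in the carved image, as ASCII or as UTF-16LE."""
    return [s.decode() for s in LOCKY_INDICATORS
            if s in image or s.decode().encode("utf-16-le") in image]

def build_sample_dump() -> bytes:
    """Constructed stand-in for the zeroed VirtualAlloc region after the unpacked PE
    was written into it: one section, empty PE32 optional header, no real code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                            # e_lfanew
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    header = (bytes(dos) + stub + coff + bytes(0xE0) + sect).ljust(0x200, b"\0")
    body = (b"svchost.exe\0vssadmin.exe\0Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
            + ".locky".encode("utf-16-le") + b"\0\0" + "wallet.dat".encode("utf-16-le"))
    return bytes(0x30) + header + body.ljust(0x200, b"\0") + bytes(0x400)  # unused pages around it
```

Run `locky_indicators(carve_pe(open("dump.bin", "rb").read()))` on a real memory-map dump to get the same check the video does with the strings view.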