
gadivit437

Member
  • Posts: 3

Posts posted by gadivit437

  1. 1 hour ago, ShadowPuterDude said:

    Once a registry key has been created and deleted, during the same operation, you cannot retrieve the registry key.  A restore point would have needed to have been created between the time that "HKEY_CURRENT_USER\Software\Loki" was created and then deleted.

    If I run the virus again and make the executable send my Loki key, will it work or not?
  2. Hi,

    I have worked to retrieve everything, so I decompiled the virus (hard work to decompile) and checked what it does:

    Create and store HKEY_CURRENT_USER\Software\Loki --> Public, and Full, which is the private and public key

    And it is stored here; after finishing encryption it removes the Full key. Is there a method to retrieve a deleted registry key? If I find this solution I can help more people who have this virus to decode their files :-)

    regards

  3. Hi there, today I have a client with all files encoded and I decided to analyze the virus:

    Encrypted by Loki locker

    Reg File SOFTWARE\Loki

    Public domain loki-locker.one where Cpriv.Loki is stored

    And this is the public key:

    <RSAKeyValue>
    <Modulus>yPFwkqwzZwDXNA4joWlhiirghk353gkrWHjV9wCL5PiKCaxdE46Unxp3G4nvnt/fZd7G68fv/lAYEIXN+3wyqg4SM3KHCltPL170pyyPvBZTZmlw49SChIdsJI/HZur4cBlSfAX5Q+6CIvXJ79IjHhSEMC0CbfyK0TB0LT5Een0=</Modulus>
    <Exponent>AQAB</Exponent>
    </RSAKeyValue>

    https://dropmefiles.com/V4dCw --> winlogon.exe dump file

    https://dropmefiles.com/FWhEg --> Virus

    I'm sure that when the virus runs, the first thing the process does is create the files

    config.Loki

    Cpriv.Loki --> Private key. How to retrieve this?

    Is there any solution to decrypt everything from this f**ked malware?

    gadvit

    I have tried to decrypt but no success. Any solution?
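The block pasted above is in the XML layout that .NET's RSA.ToXmlString() produces, where a public-only key carries just Modulus and Exponent and a full key also carries P, Q, DP, DQ, InverseQ and D. The first thing a responder wants to know from such a dump is whether it is really only the public half (which cannot decrypt anything) and how large the modulus is. The following is an added example, not code from the post or from the malware: it parses the intact RSAKeyValue block quoted above, handles a paste of several blocks run together, and reports the modulus size, exponent and whether private components are present. The full-key sample is constructed with dummy bytes purely to exercise the presence check; it is not real key material.

```python
import base64
import xml.etree.ElementTree as ET

# .NET RSA.ToXmlString() layout: a public-only blob has just Modulus and Exponent;
# a full (private) blob additionally carries these six elements.
PRIVATE_ELEMENTS = ("P", "Q", "DP", "DQ", "InverseQ", "D")

# The intact public-key block quoted in the post above (Modulus/Exponent only).
PUBLIC_KEY_FROM_POST = """
<RSAKeyValue>
<Modulus>yPFwkqwzZwDXNA4joWlhiirghk353gkrWHjV9wCL5PiKCaxdE46Unxp3G4nvnt/fZd7G68fv/lAYEIXN+3wyqg4SM3KHCltPL170pyyPvBZTZmlw49SChIdsJI/HZur4cBlSfAX5Q+6CIvXJ79IjHhSEMC0CbfyK0TB0LT5Een0=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
"""

# Constructed sample of the full-key layout. Every element holds a dummy byte;
# this is NOT real key material, it only exercises the presence check.
CONSTRUCTED_FULL_KEY = (
    "<RSAKeyValue><Modulus>AQAB</Modulus><Exponent>AQAB</Exponent>"
    + "".join("<%s>AQ==</%s>" % (name, name) for name in PRIVATE_ELEMENTS)
    + "</RSAKeyValue>"
)


def _b64_to_int(text):
    """Decode the base64 big-endian unsigned integer .NET writes into each element."""
    return int.from_bytes(base64.b64decode(text.strip()), "big")


def _summarise(root):
    """Summarise one parsed <RSAKeyValue> element."""
    modulus = root.find("Modulus")
    exponent = root.find("Exponent")
    if modulus is None or exponent is None:
        raise ValueError("Modulus and Exponent are mandatory in RSAKeyValue")
    found = [name for name in PRIVATE_ELEMENTS if root.find(name) is not None]
    return {
        "modulus_bits": _b64_to_int(modulus.text).bit_length(),
        "exponent": _b64_to_int(exponent.text),
        "private_elements": found,
        # Decryption needs the complete private set; a partial set is a damaged dump.
        "has_private": len(found) == len(PRIVATE_ELEMENTS),
    }


def inspect_rsa_key_value(xml_text):
    """Parse a single <RSAKeyValue> blob and report size, exponent and key type."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "RSAKeyValue":
        raise ValueError("expected <RSAKeyValue>, got <%s>" % root.tag)
    return _summarise(root)


def inspect_pasted_dump(text):
    """Handle a paste with several <RSAKeyValue> blocks run together, as in the post:
    wrap them in a throwaway root element and summarise each block in order."""
    root = ET.fromstring("<dump>" + text.strip() + "</dump>")
    return [_summarise(elem) for elem in root.findall("RSAKeyValue")]


def describe(summary):
    """One-line human-readable verdict for a summary dict."""
    kind = ("FULL key (private components present)" if summary["has_private"]
            else "PUBLIC key only (cannot decrypt)")
    return "%s, %d-bit modulus, e=%d" % (kind, summary["modulus_bits"], summary["exponent"])


if __name__ == "__main__":
    for s in inspect_pasted_dump(PUBLIC_KEY_FROM_POST + CONSTRUCTED_FULL_KEY):
        print(describe(s))
```

Run as-is, the script classifies the quoted block as a 1024-bit public key with e=65537 and the constructed block as a full key; a registry export or Cpriv.Loki dump that only ever yields "PUBLIC key only" tells you up front that no decryption is possible from that material.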
