gadivit437 Posted November 4, 2021

Hi there, today I have a client whose files are all encrypted and I have decided to analyze the virus:

Encrypted by Loki Locker
Reg file: SOFTWARE\Loki
Public domain: loki-locker.one, where Cpriv.Loki is stored
And this is the public key:

winlogon.exe dump file https://dropmefiles.com/V4dCw
winlogon.exe dump file https://dropmefiles.com/FWhEg --> Virus

I'm sure that when the virus first runs, the process creates the files config.Loki and Cpriv.Loki --> Private key. How to retrieve this? Is there any solution to decrypt all this f**ked malware?

gadvit: I have tried to decrypt but with no success. Any solution?
Amigo-A Posted November 5, 2021

Hello. Description: LokiLocker Ransomware. Not yet added to the 'ID-Ransomware' service and is not identified.
gadivit437 Posted November 10, 2021 (Author)

Hi, I have worked to retrieve everything, so I have decompiled the virus (hard work to decompile) and checked what it does: it creates and stores HKEY_CURRENT_USER\Software\Loki --> Public, and the full one is the private and public key. It is stored there, and after finishing encryption it removes the full key. Is there a method to retrieve a deleted reg file? If I find this solution I can help more people who have this virus to decode their files :-) Regards
ShadowPuterDude Posted November 10, 2021

Once a registry key has been created and deleted during the same operation, you cannot retrieve the registry key. A restore point would have needed to have been created between the time that "HKEY_CURRENT_USER\Software\Loki" was created and when it was deleted.
gadivit437 Posted November 10, 2021 (Author)

1 hour ago, ShadowPuterDude said:
> Once a registry key has been created and deleted during the same operation, you cannot retrieve the registry key. A restore point would have needed to have been created between the time that "HKEY_CURRENT_USER\Software\Loki" was created and when it was deleted.

If I run the virus again and make the executable send me my Loki key, will that work or not?
ShadowPuterDude Posted November 10, 2021

You need to monitor system changes in real time. This page lists tools that can do that: https://www.itechtics.com/monitor-system-file-registry-changes/ The first two I have used. There is no guarantee that LOKI will not kill these tools prior to encryption.
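As an added illustration of the real-time monitoring idea above (not code from the thread or from any of the tools linked), this PowerShell watcher polls the registry path named earlier in the thread, HKCU:\Software\Loki, and snapshots every value it sees to disk as soon as it appears, so the data survives even if the key is deleted moments later. The output folder, poll interval and file naming are assumptions; run it in an isolated analysis VM, and note that, as the post says, nothing stops the malware from terminating the watcher first.

```powershell
# Added example: capture HKCU\Software\Loki contents before the key is removed.
# Assumptions: key path is from the thread; $OutDir and $PollMs are hypothetical.
$KeyPath = 'HKCU:\Software\Loki'
$OutDir  = 'C:\LokiSnapshots'    # hypothetical output folder
$PollMs  = 200                   # poll interval in milliseconds

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$seen = @{}                      # value name -> last captured content

Write-Host "Watching $KeyPath (Ctrl+C to stop)..."
while ($true) {
    if (Test-Path $KeyPath) {
        $changed = $false
        $props = Get-ItemProperty -Path $KeyPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $val = [string]$p.Value
            if ($seen[$p.Name] -ne $val) {
                # New or changed value: write it out immediately with a timestamp
                $seen[$p.Name] = $val
                $changed = $true
                $stamp = Get-Date -Format 'yyyyMMdd-HHmmss-fff'
                $file  = Join-Path $OutDir "$stamp-$($p.Name).txt"
                Set-Content -Path $file -Value $val -Encoding UTF8
                Write-Host "[$stamp] captured value '$($p.Name)' ($($val.Length) chars) -> $file"
            }
        }
        if ($changed) {
            # Also keep a full .reg export of the key; /y overwrites the previous one
            $regFile = Join-Path $OutDir 'Loki-latest.reg'
            reg.exe export 'HKCU\Software\Loki' $regFile /y | Out-Null
        }
    }
    elseif ($seen.Count -gt 0) {
        Write-Host "Key removed; $($seen.Count) value(s) were captured in $OutDir"
        $seen.Clear()
    }
    Start-Sleep -Milliseconds $PollMs
}
```

A 200 ms poll can still miss a key that is created and deleted within a single interval; an event-driven approach (Sysmon registry events or an ETW registry provider) closes that gap at the cost of more setup.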
ShadowPuterDude Posted November 17, 2021

Thread Closed