Ransom:Win32/Locky - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:Win32/Locky
Classification:
 - Type: Ransom
 - Platform: Win32
 - Family: Locky
 - Detection Type: Concrete (known malware family with identified signatures)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: ransomware (encrypts files and demands payment for their recovery), platform Win32 (32-bit Windows), family Locky.

Summary:
Ransom:Win32/Locky is a highly destructive ransomware that encrypts user files and demands a Bitcoin payment for their recovery. It employs multiple Windows utilities (e.g., rundll32, mshta, PowerShell, BITS jobs) for execution and persistence, communicates with external IP addresses for command and control, and leaves a `file-recovery-instructions.html` ransom note.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - 83.217.8.61 (PEHSTR_EXT)
 - 31.202.130.9 (PEHSTR_EXT)
 - 91.234.35.106 (PEHSTR_EXT)
 - /checkupdate (PEHSTR_EXT)
 - =$|$=-=.~ (PEHSTR_EXT)
 - y\PHX& (SNID)
 - setupapi.dll (PEHSTR_EXT)
 - file-recovery-instructions.html (PEHSTR_EXT)
 - The only way to recover your files is to pay .1 Bitcoins (PEHSTR_EXT)
 - For Help email: help@zerodaysample2018.net (PEHSTR_EXT)
 - \Leen.pdb (PEHSTR_EXT)
 - ;\$ ~ (PEHSTR_EXT)
 - Backup.ocx (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Ransom_Win32_LockyV2_A_2147908905_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/LockyV2.A!MTB"
        threat_id = "2147908905"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "LockyV2"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {33 c8 f7 d1 8b 95 ?? ?? ff ff 2b 95 ?? ?? ff ff 81 f2 ?? ?? ?? ?? 0f 31 33 85}  //weight: 2, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Remediation Steps:
 - Immediately isolate the infected system from the network to prevent further spread.
 - Remove the detected malware using Windows Defender or other reputable anti-malware solutions.
 - Restore encrypted files from secure, offline backups.
 - Investigate the initial compromise vector and patch all systems.
 - Enhance security controls, including network segmentation, endpoint detection and response (EDR), and user awareness training.
=== END REPORT ===
This analysis was last updated on 22/01/2026.