General
- Target: JaffaCakes118_04d36a03d0672b6bd208e1494ab2f8ffebf60c2cc10005a8da199dad9e89fc53
- Size: 156KB
- Sample: 241222-flzbfavlfm
- MD5: c5c962823a76a2b95b7b86fe7a4699bc
- SHA1: 34c8cf4d7a6bf9509d0b5bc2eb321aba6cecb7b0
- SHA256: 04d36a03d0672b6bd208e1494ab2f8ffebf60c2cc10005a8da199dad9e89fc53
- SHA512: e4c294e0888559b44ce021a348033637cd90943cd23f94b3d341ac35d998a4e9a4c4f8fe6942556e122a102d37b69d632853d1001d38aec28301df8873e2501e
- SSDEEP: 3072:2U1jjNFTB7p8prBm3Gy4XSnUKdAj9m7iaWPCpcImyyg:2o3Nb7p8pr82y4XSncjWjKyX
Static task
- static1
Behavioral task
- behavioral1
  - Sample: lb777.exe
  - Resource: win7-20241010-en
Behavioral task
- behavioral2
  - Sample: lb777.exe
  - Resource: win10v2004-20241007-en
Malware Config
Extracted from: C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
- Family: lockbit
- http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD
- http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD
Extracted from: C:\Users\Admin\Desktop\LockBit-note.hta
Extracted from: C:\Program Files\dotnet\Restore-My-Files.txt
- Family: lockbit
- http://lockbit-decryptor.com/?8DB8A3AE8B247095A7A3D38A14FB8B4C
- http://lockbitks2tvnmwk.onion/?8DB8A3AE8B247095A7A3D38A14FB8B4C
Targets
- Target: lb777.bin
- Size: 231KB
- MD5: fe49d7d1ebd25845774acc939b6aad3b
- SHA1: 28c7959a129cb4549985ba4cea38993e92cbe478
- SHA256: a39ffdc433fc726128c22452dd70b8b3407cc9db02a90307b937e8ab4a3aae97
- SHA512: f5fa1dcc51639e1230620665c5466adefd85ef95570793a0464857fde496acd3d0bddb88436fb034dea33d05142687e6fdf3f4015e43687779ffc14e0db97384
- SSDEEP: 3072:f6/mwNj47XTyfvWyeBukAHm+cjCbhMsGjxPUC87vazsf3salBZdDmeVsPH:SbeTTyfvphBPcjCbGsGqC87rtbQTf
Signatures
- Lockbit family
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (9324) files with added filename extension
  This suggests ransomware activity: encrypting all files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Deletes itself
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (3)