General

  • Target

    JaffaCakes118_04d36a03d0672b6bd208e1494ab2f8ffebf60c2cc10005a8da199dad9e89fc53

  • Size

    156KB

  • Sample

    241222-flzbfavlfm

  • MD5

    c5c962823a76a2b95b7b86fe7a4699bc

  • SHA1

    34c8cf4d7a6bf9509d0b5bc2eb321aba6cecb7b0

  • SHA256

    04d36a03d0672b6bd208e1494ab2f8ffebf60c2cc10005a8da199dad9e89fc53

  • SHA512

    e4c294e0888559b44ce021a348033637cd90943cd23f94b3d341ac35d998a4e9a4c4f8fe6942556e122a102d37b69d632853d1001d38aec28301df8873e2501e

  • SSDEEP

    3072:2U1jjNFTB7p8prBm3Gy4XSnUKdAj9m7iaWPCpcImyyg:2o3Nb7p8pr82y4XSncjWjKyX

Malware Config

  • Extracted

    • Path

      C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

    • Family

      lockbit

    • Ransom Note

      All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

    • URLs

      http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD

      http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD

  • Extracted

    • Path

      C:\Users\Admin\Desktop\LockBit-note.hta

    • Ransom Note

      Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link -http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2ADFollow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it.Open link in Tor Browser -http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2ADThis link only works in Tor Browser!Follow the instructions on this pageLockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the siteDo not rename encrypted files.Do not try to decrypt using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our).Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.Tor Browser user manualhttps://tb-manual.torproject.org/about

  • Extracted

    • Path

      C:\Program Files\dotnet\Restore-My-Files.txt

    • Family

      lockbit

    • Ransom Note

      All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?8DB8A3AE8B247095A7A3D38A14FB8B4C | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8DB8A3AE8B247095A7A3D38A14FB8B4C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

    • URLs

      http://lockbit-decryptor.com/?8DB8A3AE8B247095A7A3D38A14FB8B4C

      http://lockbitks2tvnmwk.onion/?8DB8A3AE8B247095A7A3D38A14FB8B4C

Targets

    • Target

      lb777.bin

    • Size

      231KB

    • MD5

      fe49d7d1ebd25845774acc939b6aad3b

    • SHA1

      28c7959a129cb4549985ba4cea38993e92cbe478

    • SHA256

      a39ffdc433fc726128c22452dd70b8b3407cc9db02a90307b937e8ab4a3aae97

    • SHA512

      f5fa1dcc51639e1230620665c5466adefd85ef95570793a0464857fde496acd3d0bddb88436fb034dea33d05142687e6fdf3f4015e43687779ffc14e0db97384

    • SSDEEP

      3072:f6/mwNj47XTyfvWyeBukAHm+cjCbhMsGjxPUC87vazsf3salBZdDmeVsPH:SbeTTyfvphBPcjCbGsGqC87rtbQTf

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9324) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks