General
Target: JaffaCakes118_dd5b34f0f51f166d7c92f7c46f8a23cd5fee993776b40e1f588cc463753d7a3b
Size: 187KB
Sample: 241224-qrybfaylbw
MD5: 753782e044228489544d63e1f4e185f7
SHA1: a591a3c2e8f93df687e3e3d5e243d118e039bf0f
SHA256: dd5b34f0f51f166d7c92f7c46f8a23cd5fee993776b40e1f588cc463753d7a3b
SHA512: 4e6321fb3c542d1d183460cc25fd41de156939dd4ed148682017031acab3edea2536f5ce4af443e478495f66aa2504b97d5269c42d8fb22b0b8e0b44fdad660a
SSDEEP: 3072:DbPZIl5WTlQvFowaaE9WfOgJuLG34+Qf60AOFogMcfHb7YN6T0CGIFSRGLBRIX32:525WTbM/QfNAsoRcfy9IFS0b
Static task: static1
Behavioral task: behavioral1 (sample lb777.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample lb777.exe, resource win10v2004-20241007-en)
Malware Config
Extracted from C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt (family: lockbit)
http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC
http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC
Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC
http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC
Extracted from C:\Program Files\dotnet\Restore-My-Files.txt (family: lockbit)
http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D
http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D
Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D
http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D
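The four extractions above each carry the same pair of URLs with a 32-character hex identifier in the query string, and the identifier differs between the two pairs. The following is an added example (not code from the sandbox or from the sample's authors) of how an analyst would pull those indicators out of collected ransom notes and group the notes by identifier, to tell whether several hosts in an incident share one campaign ID or were keyed separately. Only the file paths and URLs are taken from the report; the note bodies, the HTA markup and the "extraction 1..4" labels are constructed for the example and are assumptions, not quotes from the sample.

```python
import os
import re
from urllib.parse import urlsplit

# Clearnet and Tor URLs of the kind LockBit notes point victims at.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.I)
# LockBit-style identifier: the entire query string is 32 hex characters.
HEX_ID_RE = re.compile(r"^[0-9A-F]{32}$", re.I)

# Constructed note bodies for the four extractions listed above. Paths and
# URLs come from the report; the surrounding wording is an assumption.
NOTES = [
    ("extraction 1", r"C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt",
     "All your important files are encrypted!\n"
     "Tor: http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC\n"
     "Web: http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC\n"),
    ("extraction 2", r"C:\Users\Admin\Desktop\LockBit-note.hta",
     '<html><body><a href="http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC">'
     "http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC</a><br>"
     "http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC</body></html>"),
    ("extraction 3", r"C:\Program Files\dotnet\Restore-My-Files.txt",
     "All your important files are encrypted!\n"
     "Tor: http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D\n"
     "Web: http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D\n"),
    ("extraction 4", r"C:\Users\Admin\Desktop\LockBit-note.hta",
     '<html><body><a href="http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D">'
     "http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D</a><br>"
     "http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D</body></html>"),
]


def extract_indicators(note_text):
    """Return the URLs, clearnet hosts, .onion hosts and hex IDs in one note."""
    urls = sorted(set(URL_RE.findall(note_text)))
    clearnet, onion, ids = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        (onion if host.endswith(".onion") else clearnet).add(host)
        if HEX_ID_RE.match(parts.query):
            ids.add(parts.query.upper())
    return {"urls": urls, "clearnet": sorted(clearnet),
            "onion": sorted(onion), "ids": sorted(ids)}


def group_by_id(notes):
    """Map each identifier to the (label, path) notes that carry it.

    Notes from different hosts sharing one ID point at the same victim
    record; distinct IDs mean the hosts were keyed separately."""
    grouped = {}
    for label, path, text in notes:
        for victim_id in extract_indicators(text)["ids"]:
            grouped.setdefault(victim_id, []).append((label, path))
    return grouped


def common_prefix(ids):
    """Longest shared prefix of the IDs; surfaces structure without
    assigning it a meaning (the report says nothing about the ID format)."""
    return os.path.commonprefix(list(ids))


if __name__ == "__main__":
    groups = group_by_id(NOTES)
    for victim_id, sources in groups.items():
        print(victim_id, [label for label, _ in sources])
    print("shared prefix:", common_prefix(groups))
```

Run against the constructed notes, the grouping yields two IDs with two notes each, matching the two behavioral runs on this page, and shows that both IDs begin with 8841DD9B0AC925FF; the example reports that prefix but draws no conclusion from it.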
Targets
Target: lb777.exe
Size: 372KB
MD5: 6c5dcbdf374073249f3477d0fd439039
SHA1: ed2165fe0e5ed5c608230f6c125713d2a0934c28
SHA256: bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b
SHA512: d75b96e95f6972013c41c99cb54e892ee7f7ee54e996465d0ef2f2d21ba9941869b7b06c49bbdcf36814f19ef0105475aea99c3f49098a5f44bcb810bbf21c0f
SSDEEP: 6144:MLKewcnJHLFaz1ZXmkjr7ZVyf9Mcfj0bGGCM:Dfwh6ZXmk/fcfo
Lockbit family
Deletes shadow copies. Ransomware commonly deletes Volume Shadow Copies to inhibit recovery of files from local backups.
Modifies boot configuration data using bcdedit. Ransomware commonly does this to disable Windows recovery options after encryption.
Renames multiple (9348) files with an added filename extension. This is consistent with ransomware encrypting files across the system and appending its own extension to each one.
Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
Deletes itself.
Adds Run key to start application (persistence via a Registry Run key).
Enumerates connected drives. Attempts to read the root path of drives other than the default C: drive.
Sets desktop wallpaper using registry.
Suspicious use of NtSetInformationThreadHideFromDebugger. Calling NtSetInformationThread with the ThreadHideFromDebugger information class hides the thread from an attached debugger, a common anti-analysis technique.
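The behaviours listed above (shadow-copy deletion, bcdedit changes, a mass rename that appends an extension, the registry location lookup and the Run key) are what a detection engineer would look for in endpoint telemetry. The following is an added example, not the sandbox's own signature logic, that runs that detection over a constructed Sysmon-style event list. The command lines, the Run value name "Updater", the Geo\Nation registry key and the ".lockbit" extension are assumptions for the example; the report does not state the sample's actual commands, value names or extension.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (process creation, registry, file rename).
# They are illustrative and not taken from the sandbox report above.
_BASE = datetime(2024, 12, 24, 9, 0, 0)


def _t(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


EVENTS = [
    # Registry key path is an assumption for the "location settings" check.
    {"ts": _t(0), "type": "registry", "op": "read",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"ts": _t(1), "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": _t(1), "type": "process", "cmd": "wmic shadowcopy delete"},
    {"ts": _t(2), "type": "process", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": _t(2), "type": "process",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Run value name "Updater" is an assumption.
    {"ts": _t(3), "type": "registry", "op": "set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": _t(3), "type": "process", "cmd": r"C:\Windows\explorer.exe"},  # benign
]
# 60 renames in 12 seconds that append an extension (assumed ".lockbit"),
# plus one ordinary rename that changes the name rather than appending.
EVENTS += [
    {"ts": _t(10 + i // 5), "type": "rename",
     "src": rf"C:\Users\Admin\Documents\file{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\file{i}.docx.lockbit"}
    for i in range(60)
]
EVENTS.append({"ts": _t(30), "type": "rename",
               "src": r"C:\Users\Admin\Desktop\draft.txt",
               "dst": r"C:\Users\Admin\Desktop\final.txt"})

# Command-line patterns that delete shadow copies or disable Windows recovery.
RECOVERY_INHIBITION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
]


def detect_recovery_inhibition(events):
    """Return command lines matching the shadow-copy / bcdedit patterns."""
    return [ev["cmd"] for ev in events if ev["type"] == "process"
            and any(p.search(ev["cmd"]) for p in RECOVERY_INHIBITION)]


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=50):
    """Return (extension, count) for extensions appended to >= threshold
    files within one sliding time window. Only renames where the new name is
    the old name plus '.<ext>' count: changing an extension is normal editing,
    appending one is the ransomware pattern flagged above."""
    by_ext = {}
    for ev in events:
        if ev["type"] != "rename" or not ev["dst"].startswith(ev["src"] + "."):
            continue
        ext = ev["dst"][len(ev["src"]) + 1:]
        by_ext.setdefault(ext, []).append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for ext, times in by_ext.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((ext, best))
    return alerts


def detect_geofence_lookup(events):
    """True if the configured country was read from the registry."""
    key = r"HKCU\Control Panel\International\Geo\Nation".lower()
    return any(ev["type"] == "registry" and ev["op"] == "read"
               and ev["path"].lower() == key for ev in events)


def detect_run_key(events):
    """Return Run-key values written (Registry Run Keys persistence)."""
    return [ev["path"] for ev in events if ev["type"] == "registry"
            and ev["op"] == "set" and "\\currentversion\\run\\" in ev["path"].lower()]


if __name__ == "__main__":
    print(detect_recovery_inhibition(EVENTS))
    print(detect_mass_rename(EVENTS))
    print(detect_geofence_lookup(EVENTS))
    print(detect_run_key(EVENTS))
```

The mass-rename check keys on the appended extension rather than on a fixed list of known ransomware extensions, so it also fires on families whose extension is not yet known; tune the window and threshold to the file-server activity you actually see, since a backup job or a bulk archive pass can also rename many files quickly (those normally do not append a second extension).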
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Defense Evasion
Direct Volume Access (1)
Indicator Removal (3)
File Deletion (3)
Modify Registry (3)