General

  • Target

    JaffaCakes118_dd5b34f0f51f166d7c92f7c46f8a23cd5fee993776b40e1f588cc463753d7a3b

  • Size

    187KB

  • Sample

    241224-qrybfaylbw

  • MD5

    753782e044228489544d63e1f4e185f7

  • SHA1

    a591a3c2e8f93df687e3e3d5e243d118e039bf0f

  • SHA256

    dd5b34f0f51f166d7c92f7c46f8a23cd5fee993776b40e1f588cc463753d7a3b

  • SHA512

    4e6321fb3c542d1d183460cc25fd41de156939dd4ed148682017031acab3edea2536f5ce4af443e478495f66aa2504b97d5269c42d8fb22b0b8e0b44fdad660a

  • SSDEEP

    3072:DbPZIl5WTlQvFowaaE9WfOgJuLG34+Qf60AOFogMcfHb7YN6T0CGIFSRGLBRIX32:525WTbM/QfNAsoRcfy9IFS0b

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FF8DD3FA19A08DB66D

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF8DD3FA19A08DB66D

Targets

    • Target

      lb777.exe

    • Size

      372KB

    • MD5

      6c5dcbdf374073249f3477d0fd439039

    • SHA1

      ed2165fe0e5ed5c608230f6c125713d2a0934c28

    • SHA256

      bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b

    • SHA512

      d75b96e95f6972013c41c99cb54e892ee7f7ee54e996465d0ef2f2d21ba9941869b7b06c49bbdcf36814f19ef0105475aea99c3f49098a5f44bcb810bbf21c0f

    • SSDEEP

      6144:MLKewcnJHLFaz1ZXmkjr7ZVyf9Mcfj0bGGCM:Dfwh6ZXmk/fcfo

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9348) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks