| ID | Type | Aliases | Platforms | Year | Associated ATT&CK Software |
|---|---|---|---|---|---|
| X0011 | Ransomware | None | Windows | 2017 | None |

Locky Bart

Locky Bart is ransomware. [1]

CACAO (the OASIS Collaborative Automated Course of Action Operations specification) defines a playbook model for courses of action in cybersecurity operations. An example Locky Bart playbook illustrates how a CACAO playbook can reference MBC behaviors.

ATT&CK Techniques

| Name | Use |
|---|---|
| Discovery::Process Discovery (T1057) | Locky Bart gathers information from the victim's machine to create an encryption key. [1] |
| Discovery::System Location Discovery::System Language Discovery (T1614.001) | Locky Bart identifies the system language via a Windows API call. [2] |
| Execution::Shared Modules (T1129) | Locky Bart parses PE headers. [2] |

Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact (E1486) | Locky Bart encrypts files for ransom without any connection to the Internet. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Locky Bart encodes data using XOR. [2] |
| Discovery::File and Directory Discovery (E1083) | Locky Bart gets a file's size. [2] |

MBC Behaviors

| Name | Use |
|---|---|
| Anti-Static Analysis::Executable Code Virtualization (B0008) | Code virtualization is added to the Locky Bart binary using WPProtect. [1] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Locky Bart encrypts data using the RC4 PRGA. [2] |
| Cryptography::Encryption Key (C0028) | Locky Bart creates a new key via CryptAcquireContext. [2] |
| Cryptography::Generate Pseudo-random Sequence::Use API (C0021.003) | Locky Bart generates random numbers via the Windows API. [2] |
| Data::Check String (C0019) | Locky Bart references Base64 strings. [2] |
| Data::Checksum::CRC32 (C0032.001) | Locky Bart hashes data with CRC32. [2] |
| Data::Encode Data::XOR (C0026.002) | Locky Bart encodes data using XOR. [2] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Locky Bart enumerates PE sections. [2] |
| File System::Read File (C0051) | Locky Bart reads files on Windows. [2] |
| File System::Write File (C0052) | Locky Bart writes files on Windows. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | Locky Bart sets registry values. [2] |
| Process::Create Thread (C0038) | Locky Bart creates threads. [2] |
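The C0027.009 row refers to the RC4 pseudo-random generation algorithm (PRGA). The following is an added reference implementation of plain RC4, written for this page; it is not code from Locky Bart, from the MBC project, or from capa, and it makes no claim about how the sample keys or uses the cipher. It shows the two loops an analyst looks for when identifying RC4 in a binary: the key-scheduling algorithm (KSA) that permutes a 256-byte state, and the PRGA that walks that state and XORs its output with the data. The checked values are the public RC4 test vectors (key "Key", plaintext "Plaintext"; key "Wiki", plaintext "pedia").

```python
"""Added example: a textbook RC4 (KSA + PRGA), not Locky Bart's code.
RC4 is symmetric, so the same function encrypts and decrypts."""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry state permutation from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]   # the swap loop seen in disassembly
    return state


def rc4_prga(state: list, length: int) -> bytes:
    """Pseudo-random generation algorithm: emit `length` keystream bytes.

    The state is copied first so a scheduled key can be reused; in a real
    implementation the PRGA mutates the state in place as it runs.
    """
    s = state[:]
    i = j = 0
    keystream = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        keystream.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(keystream)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the PRGA keystream.

    This XOR step is why RC4 in a sample looks like a 256-byte swap loop
    feeding a byte-wise XOR loop over the buffer.
    """
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                          # bbf316e8d940af0ad3 (public test vector)
    print(rc4_crypt(b"Key", ct))             # b'Plaintext'
```

Because the keystream depends only on the key, encrypting two messages under the same RC4 key lets an analyst XOR the ciphertexts together to cancel the keystream; that is one reason recovering the key-derivation material (the T1057 row above) matters more than the cipher itself when analysing such samples.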
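Both the T1129 row (parsing PE headers) and the B0046.001 row (enumerating PE sections) describe walking the PE header chain: the DOS header's e_lfanew field, the PE signature, the COFF file header, then the section table that follows the optional header. The block below is an added example written for this page, not Locky Bart's code and not capa's rule logic. It parses that chain with the standard library only, so it works for PE32 and PE32+ alike because the section table offset is derived from SizeOfOptionalHeader. The sample input is a constructed, headers-only PE image built inline (the section names and values in it are made up for the demonstration); the `suspicious_sections` heuristics are generic packer indicators an analyst applies to any binary, not findings about Locky Bart.

```python
"""Added example: enumerate PE sections from the raw headers (not Locky Bart's code)."""
import struct

COFF_HEADER_FMT = "<HHIIIHH"             # Machine, NumberOfSections, TimeDateStamp,
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)   # PointerToSymbolTable, NumberOfSymbols,
SECTION_HEADER_FMT = "<8sIIIIIIHHI"      # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def enumerate_sections(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    table_off = coff_off + COFF_HEADER_SIZE + opt_size   # section table follows the optional header
    sections = []
    for idx in range(nsections):
        off = table_off + idx * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": chars,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "raw_in_bounds": rawptr + rawsize <= len(data),
        })
    return sections


def suspicious_sections(sections: list) -> list:
    """Generic packer/malformation heuristics; returns [(name, [reasons]), ...]."""
    hits = []
    for s in sections:
        reasons = []
        if s["executable"] and s["writable"]:
            reasons.append("writable and executable")
        if s["executable"] and s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("executable but empty on disk (filled at runtime)")
        if not s["raw_in_bounds"]:
            reasons.append("raw data extends past end of file")
        if reasons:
            hits.append((s["name"], reasons))
    return hits


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 image used as offline sample input (not a real binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)     # 64 bytes
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    specs = [
        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),   # CODE | EXECUTE | READ
        (b".data", 0x0100, 0x2000, 0x200, 0x600, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
        (b".stub", 0x5000, 0x3000, 0x000, 0x000, 0xE0000020),   # CODE | EXECUTE | READ | WRITE, no raw data
    ]
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)           # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_HEADER_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in specs)
    image = dos_header + b"PE\0\0" + coff + optional + table
    return image + b"\x00" * (0x800 - len(image))                       # zero-filled raw data area


if __name__ == "__main__":
    for sec in enumerate_sections(build_sample_pe()):
        print(f"{sec['name']:<8} va={sec['virtual_address']:#07x} vsize={sec['virtual_size']:#07x} "
              f"raw={sec['raw_size']:#05x}@{sec['raw_pointer']:#05x} X={sec['executable']} W={sec['writable']}")
    print(suspicious_sections(enumerate_sections(build_sample_pe())))
```

The bounds check matters in practice: section headers in packed or deliberately malformed samples often point outside the file, and a parser that trusts PointerToRawData and SizeOfRawData without checking them against the file length will either crash or read garbage.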

Indicators of Compromise

SHA256 Hashes

  • c285e376201e2941154ec1a9acd8658cd5e0ea975c694a3fe3e9a9897efc2680

References

[1] https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/

[2] capa v4.0, analyzed at MITRE on 10/12/2022