| Field | Value |
|---|---|
| ID | X0011 |
| Aliases | None |
| Platforms | Windows |
| Year | 2017 |
| Associated ATT&CK Software | None |

Locky Bart is ransomware. [1]

| Name | Use |
|---|---|
| Discovery::Process Discovery (T1057) | Gathers information from the victim's machine to create an encryption key. [1] |
| Discovery::System Time Discovery (T1057) | Gathers information from the victim's machine to create an encryption key. [1] |
| Discovery::System Location Discovery::System Language Discovery (T1614.001) | Identify system language via API (This capa rule had 1 match) [2] |
| Execution::Shared Modules (T1129) | Parse PE header (This capa rule had 2 matches) [2] |

| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact (E1486) | Encrypts files for ransom without any connection to the Internet. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Encode data using XOR (This capa rule had 4 matches) [2] |
| Discovery::File and Directory Discovery (E1083) | Get file size (This capa rule had 1 match) [2] |

| Name | Use |
|---|---|
| Anti-Static Analysis::Executable Code Virtualization (B0008) | Code virtualization is added to the Locky Bart binary using WPProtect. [1] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Encrypt data using RC4 PRGA (This capa rule had 1 match) [2] |
| Cryptography::Encryption Key (C0028) | Create new key via CryptAcquireContext (This capa rule had 1 match) [2] |
| Cryptography::Generate Pseudo-random Sequence::Use API (C0021.003) | Generate random numbers via WinAPI (This capa rule had 1 match) [2] |
| Data::Check String (C0019) | Reference Base64 string (This capa rule had 1 match) [2] |
| Data::Checksum::CRC32 (C0032.001) | Hash data with CRC32 (This capa rule had 2 matches) [2] |
| Data::Encode Data::XOR (C0026.002) | Encode data using XOR (This capa rule had 4 matches) [2] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Enumerate PE sections (This capa rule had 2 matches) [2] |
| File System::Read File (C0051) | Read file on Windows (This capa rule had 2 matches) [2] |
| File System::Write File (C0052) | Write file on Windows (This capa rule had 3 matches) [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | Set registry value (This capa rule had 1 match) [2] |
| Process::Create Thread (C0038) | Create thread (This capa rule had 1 match) [2] |

SHA256 Hashes
- c285e376201e2941154ec1a9acd8658cd5e0ea975c694a3fe3e9a9897efc2680

[1] https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
[2] capa v4.0, analyzed at MITRE on 10/12/2022