CryptoLocker
December 21, 2023 ยท View on GitHub
| ID | X0030 |
| Type | Ransomware |
| Aliases | None |
| Platforms | Windows |
| Year | 2013 |
| Associated ATT&CK Software | None |
CryptoLocker
CryptoLocker is a family of ransomware. [1]
ATT&CK Techniques
| Name | Use |
|---|---|
| Initial Access::Spearphishing Attachment (T1566.001) | The malware is sent to victims as an attachment. [1] |
| Command and Control::Encrypted Channel::Asymmetric Cryptography (T1573.002) | The malware encrypts messages with a public RSA key. [1] |
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware uses http to communicate with C2. [1] |
| Execution::Shared Modules (T1129) | The malware links many functions at runtime. [2] |
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact::Ransom Note (E1486.001) | The malware launches Internet Explorer to show ransom notes. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The malware creates an "autorun" registry key. [1] |
| Execution::User Execution (E1204) | The malware relies on victims to execute. [1] |
| Discovery::File and Directory Discovery (E1083) | The malware searches for user files before encrypting them. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | CryptoLocker encodes data using XOR. [2] |
| Discovery::System Information Discovery (E1082) | CryptoLocker queries environment variables. [2] |
| Execution::Command and Scripting Interpreter (E1059) | CryptoLocker accepts command line arguments. [2] |
MBC Behaviors
| Name | Use |
|---|---|
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends a hash value generated from system information. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives a public key from the C2. [1] |
| Command and Control::Domain Name Generation (B0031) | The malware uses an internal domain generation algorithm. [1] |
| Command and Control::C2 Communication::Authenticate (B0030.011) | The malware sends a phone-home message with encryption to start. [1] |
| Data::Encode Data::XOR (C0026.002) | CryptoLocker encodes data using XOR. [2] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | CryptoLocker enumerates PE sections. [2] |
| File System::Writes File (C0052) | CryptoLocker writes Fileon Windows. [2] |
| Memory::Allocate Memory (C0007) | CryptoLocker allocates RWX memory. [2] |
| Process::Resume Thread (C0054) | CryptoLocker resumes thread. [2] |
Indicators of Compromise
SHA256 Hashes
- a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72
- 0be1f445537f124b5175e1f2d1da87e2e57aa4ba09ea5fe72b7bafaf0b8f9ad2
- a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913
References
[1] https://www.secureworks.com/research/cryptolocker-ransomware
[2] capa v4.0, analyzed at MITRE on 10/12/2022