Publishing Information Security Articles and Write-ups

Brain Cipher Ransomware: Analysis of a Lockbit 3.0 variant

Author: Aj-Tap & johnKim

Table of Contents

  1. Table of Contents
  2. Executive Summary
  3. High-Level Technical Summary
    1. Binary Information
    2. Genetic Code Summary
    3. MITRE ATT&CK Techniques being used by the Malware
  4. Technical Analysis
    1. Binary Information
    2. Static Code Analysis
      1. Entry Point 
      2. TA0005 : Defense Evasion 
        1. F0004: Disable or Evade Security Tools: sub_4091C8
      3. B0001: Debugger Detection
        1. B0001.034: Anti-debugging Instructions: sub_4010BC
      4. Anti-Static Analysis
        1. B0032.001: API Hashing: sub_40639c
          1. Resolving the API Hashes
          2. Resolved APIs subroutine
        2. B0032.008: Data Value Obfuscation: sub_406F48
    3. Configuration Extraction
    4. Dynamic Analysis
      1. Process Tree
  5. Indicators of Compromise (IOCs)
  6. Appendix
    1. Malware Configuration
    2. Sigma rules
    3. Configuration Extractor
    4. Resolved API hashes

Executive Summary

This report covers “Brain Cipher” ransomware, a variant of LockBit 3.0. It details the malware’s technical aspects and capabilities, such as its use of dynamic API resolution, anti-debugging techniques, and methods for disabling security services and encrypting files. The report also covers the MITRE ATT&CK techniques employed, binary information, static and dynamic analysis findings, registry activity, indicators of compromise (IOCs), and configuration extraction. The malware is identified as having strong code ties to BlackMatter ransomware.

Key Takeaways:

  • Identification and Origin: This variant is identified, based on code genetics, as BrainCipher Ransomware. It originates from the leaked Lockbit 3.0 builder, and its technical functionality is closely aligned with LockBit 3.0. Further analysis establishes a connection to the LockBit family or BlackMatter ransomware.
  • Activity and Modus Operandi: BrainCipher is a ransomware family that has been active since June 2024. It employs multi-pronged extortion, demanding a ransom to decrypt encrypted files and threatening to sell or leak stolen data if the ransom is not paid.
  • Targeted Environment: In this particular variant of Brain Cipher ransomware, the services designated for termination under the SERVICES_TO_KILL field include ‘sophos’ and ‘veeam’. This configuration deviates from the original ransomware, suggesting that the attacker has tailored it to a specific environment. A comprehensive list of all services targeted for termination can be found in the Appendix under Malware Configuration (Table 8).
  • Capabilities: The ransomware can disable Windows Security services, append a specific extension to encrypted files, encrypt file names, and delete files. It employs dynamic API linking, anti-debugging techniques, and data obfuscation to evade detection and analysis. The ransomware can also self-propagate via Windows Group Policy Objects (GPO) or the PsExec tool, facilitating lateral movement and the infection of further systems without requiring affiliates to have the technical expertise to implement these functions themselves. This capability may expedite ransomware deployment and the encryption of target systems.

High-Level Technical Summary

The analyzed file, “2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c” is a 32-bit Windows executable identified as a variant of LockBit 3.0 ransomware, known as Brain Cipher Ransomware. It is based on the leaked LockBit 3.0 builder, resulting in functional similarities. The malware can self-propagate using Windows Group Policy Objects (GPO) or PSExec, enhancing its spread. Code analysis links this sample to the LockBit family or its predecessor, BlackMatter. Upon execution, Brain Cipher disables Windows Security services, appends an extension to encrypted files, and encrypts filenames.

Binary Information

Table 1- Information about the Binary Sample

| File name | File Type | SHA256 Hash |
|---|---|---|
| 2025-04-18_41050b2b9f619cdd9916e3bdd5b9f2f9_darkside_elex_lockbit.exe | Win32 EXE | 2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c |

Detailed File Information:

  • File Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • Machine Type: IMAGE_FILE_MACHINE_I386
  • Compile Time: Fri Sep 9 01:27:01 2022 UTC
  • File Size: 153 KB (156672 bytes)
  • Linker Version: 14.12 (1912, Visual Studio 2017 version 15.5)
  • Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_32BIT_MACHINE
  • Compressed: true
  • Entry Point: 0x1946f
  • Image Base: 0x400000
  • EP Bytes: 90660f1f840000000000e882fbffff0f
  • Sections: 6
  • Checksum: 221183
  • Signature: 17744
  • Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI

Signatures: 

  • Classification: Malicious

AntiVirus: ClamAV: Win.Ransomware.BlackMatter-9965914-0

Genetic Code Summary

Table 2 – Overview of the Genetic Code

| Malware/Library | Malware % | Related Samples / Code Genes / Strings (the three counts are run together in the source) |
|---|---|---|
| BlackMatter Ransomware | 79.39% | 8955050 |
| DarkSide Ransomware | 3.63% | 4400 |
| Phorpiex | 0.25% | 300 |
| KRBanker | 0.17% | 200 |
| aPlib Library | 6.36% | 6966 |
| The Qt Company Ltd Library | 0.88% | 008 |
| Unique/Unknown | 11.54% | 00105 |

MITRE ATT&CK Techniques being used by the Malware

Table 3 – MITRE ATT&CK Capability of the Ransomware

| MITRE ATT&CK | Capability | Category |
|---|---|---|
| Execution::Command and Scripting Interpreter [T1059] | accept command line arguments | host-interaction/cli |
| Defense Evasion::Obfuscated Files or Information [T1027] | encode data using XOR | data-manipulation/encoding/xor |
| Defense Evasion::Obfuscated Files or Information [T1027] | encode data using Base64 | data-manipulation/encoding/base64 |
| Defense Evasion::Obfuscated Files or Information [T1027] | encrypt data using AES | data-manipulation/encryption/aes |
| Defense Evasion::Obfuscated Files or Information [T1027] | reference AES constants | data-manipulation/encryption/aes |
| Defense Evasion::Obfuscated Files or Information [T1027] | encrypt data using RC4 KSA | data-manipulation/encryption/rc4 |
| Collection::Input Capture::Keylogging [T1056.001] | log keystrokes via polling | collection/keylog |
| | calculate modulo 256 via x86 assembly | |
| | execute anti-debugging instructions | anti-analysis/anti-debugging/debugger-detection |
| | resolve function by parsing PE exports | load-code/pe |
| | decompress data using aPLib | data-manipulation/compression |
| | get graphical window text | host-interaction/gui/window/get-text |

Technical Analysis

Binary Information

Figure 1 – Detect it easy Visual Binary view

Visual analysis of this PE32 binary indicates that it is a packed executable. High entropy across sections suggests the presence of obfuscation. Packed binaries are common in malware: packing shrinks the file and hides the real code and data until runtime, which makes static analysis difficult and helps evade signature-based detection.

Figure 2 – Detect it easy Import View binary

The import table contains only three entries: gdi32.dll, user32.dll, and kernel32.dll. This is an example of runtime dynamic linking, where the remaining libraries are resolved during the program’s execution to avoid static analysis. Resolving those libraries at runtime makes it more difficult for analysts to reverse-engineer and understand the program’s functionality.

Figure 3 – Detect it easy Entropy View

The entropy view of the binary, specifically for the .data section, reports a value of 7.98. Such a high entropy value indicates that the ransomware uses obfuscation and compression to conceal its configuration data. The .data section holds the configuration, which can include encryption keys, target file types, the ransom note, and the other configuration fields of this ransomware, and it has been deliberately obfuscated to evade detection and analysis by security researchers and antivirus software. By compressing and encrypting the configuration data, the ransomware authors make it harder to reverse engineer the malware and develop effective countermeasures.

Static Code Analysis

Entry Point 

Figure 4 – Function call graph showing the initial calls made from the PE EntryPoint 

The entry point of the ransomware calls subroutine sub_40639c, which performs dynamic API resolution in order to hide function imports from static analysis tools. This contrasts with static resolution, where addresses are resolved at link time and the imported functions are listed in the import table. By resolving API addresses at runtime, the ransomware makes it significantly more difficult for static analysis tools to identify the functions it uses and, consequently, the actions it may perform, which effectively masks the malicious intent of the code.

TA0005 : Defense Evasion 

F0004: Disable or Evade Security Tools: sub_4091C8

Figure 5 – Decompiled code view of subroutine sub_4091C8

This function performs targeted modifications in the registry and clears the associated event logs, as part of a cleanup, installation, or system-modification routine; the exact purpose depends on what the decoded strings in v2 through v6 represent. This is a strong indicator of anti-forensic activity, commonly employed by LockBit-variant ransomware to erase evidence of its execution and other system activity.

B0001: Debugger Detection

B0001.034: Anti-debugging Instructions: sub_4010BC

Figure 6 – Decompiled code view of subroutine sub_4010BC

The function sub_4010BC uses the CPUID and RDTSC instructions to hinder analysis of the program’s logic. Both instructions are commonly used in anti-analysis techniques: RDTSC for timing checks that reveal a debugger or single-stepping, and CPUID for VM detection.

Anti-Static Analysis

B0032.001: API Hashing: sub_40639c

Figure 7 – Decompiled code view of subroutine sub_40639c shows Dynamic API resolving

The subroutine at memory address 0x40639c uses a method similar to the main Lockbit binary to resolve APIs. This involves an “API table” and a unique API hashing algorithm. API hashing is used by malware developers to hide potentially malicious API calls from the Import Address Table (IAT) of a Portable Executable (PE) file. This increases the difficulty of analyzing the malware, as it allows the malware to call APIs at runtime even if they are not listed in the IAT.

Resolving the API Hashes

Figure 8 – Resolution of the API hashes using hashdb (right) and the resulting resolved Import Address Table (IAT) (left)

The code at address 00405EE8 defines multiple blocks of double words (dd), which are hashes of Windows API function names. Analysis reveals that the hashing algorithm uses a hardcoded key that can optionally be modified with a seed; the rest of the algorithm is a simple ROT-13 addition, identical to the main LockBit algorithm. The same algorithm is first applied to the lowercase DLL name, and the resulting hash becomes the seed for that DLL’s API hashes.

Resolved APIs subroutine

Figure 9 – Decompiled code of subroutine sub_40639c, illustrating the dynamic API resolution mechanism previously identified in IDA

The function carries out dynamic API resolution by initially calling resolve_API_from_hash with specific hash values, likely to find key functions similar to LoadLibrary or GetProcAddress. It then uses these resolved functions (v1, v2) to iteratively resolve a large set of APIs from various system libraries, including ntdll, kernel32, user32, and wininet, among others. This approach confirms the employment of runtime obfuscation to conceal imports.
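To show how an analyst reproduces this kind of lookup, the following added example (not code from the report, the sample, or hashdb) rebuilds a hash table the way hashdb-style tooling does and maps hash constants back to export names. It assumes a rotate-right-by-13-then-add hash over the lowercase name, with the hash of the lowercase DLL name used as the seed for that DLL's exports, as the text above describes; the rotation amount, the absence of a final key constant, and the export lists are assumptions, and the sample's exact constants are not reproduced.

```python
"""
Added analyst-side example: rebuild an API hash table and resolve hash
constants found in a binary back to (dll, export) names.

Assumptions (not taken from the report): rotate-right-by-13 then add over
the lowercase name; the lowercase DLL name hashed from seed 0 seeds that
DLL's exports; no final key constant. The sample's real scheme may differ.
"""

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def ror13_add_hash(name: str, seed: int = 0) -> int:
    """Hash `name` (lowercased) with the assumed rotate-and-add scheme."""
    h = seed & 0xFFFFFFFF
    for byte in name.lower().encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def build_hash_table(exports_by_dll: dict) -> dict:
    """Return hash -> (dll, export) for every export of every DLL; refuse silent collisions."""
    table = {}
    for dll, exports in exports_by_dll.items():
        dll_seed = ror13_add_hash(dll)          # the DLL name hash seeds its exports
        for export in exports:
            h = ror13_add_hash(export, seed=dll_seed)
            if h in table and table[h] != (dll, export):
                raise ValueError(f"hash collision 0x{h:08x}: {table[h]} vs {(dll, export)}")
            table[h] = (dll, export)
    return table

def resolve_hashes(hashes, table: dict) -> list:
    """Resolve 32-bit hash constants; unknown ones are labelled rather than dropped."""
    return [table.get(h, ("?", f"unresolved:0x{h:08x}")) for h in hashes]

# Constructed export lists using a few names from the report's resolved-API
# appendix. A real table is built from the export directories of the DLLs.
SAMPLE_EXPORTS = {
    "ntdll.dll": ["RtlCreateHeap", "RtlAllocateHeap", "NtOpenProcess", "NtClose",
                  "NtWriteVirtualMemory", "RtlAdjustPrivilege"],
    "kernel32.dll": ["CreateFileW", "WriteFile", "CreateMutexW", "FindFirstFileExW",
                     "CreateRemoteThread", "DeviceIoControl"],
}
TABLE = build_hash_table(SAMPLE_EXPORTS)

def demo() -> list:
    """Resolve a constructed 'dd' block of hash constants back to names."""
    ntdll_seed = ror13_add_hash("ntdll.dll")
    k32_seed = ror13_add_hash("kernel32.dll")
    dd_block = [ror13_add_hash("NtClose", ntdll_seed),
                ror13_add_hash("CreateMutexW", k32_seed),
                0xDEADBEEF]                     # constructed: a hash with no match
    return resolve_hashes(dd_block, TABLE)

if __name__ == "__main__":
    for dll, name in demo():
        print(f"{dll:14s} {name}")
```

In practice the table is generated once per DLL version from the real export directories, and the seed and any final XOR constant are taken from the disassembly of the hashing routine (here sub_40639c); the collision check matters because a table built from tens of thousands of exports can contain two names that hash alike.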

B0032.008: Data Value Obfuscation: sub_406F48

Figure 10 – Decompiled code view of subroutine sub_406F48

The sub_406F48 function loads and processes a block of compressed data (configuration or resources) using the APLib compression library. It decompresses the data, parses it, and potentially decrypts or formats individual components. Pointers to these components are then stored in various global variables.

This function serves as a loader and initializer for the application’s core data or configuration. It decompresses an APLib compressed resource block, parses the block to extract various data elements (strings, binary data, configuration values), and processes/decrypts them as needed. At least one element is dynamically formatted using system information. Finally, these elements are made available to the rest of the application by storing pointers to them in global variables.

Configuration Extraction

Figure 11 – Using the configuration extractor built from static analysis of the decoding algorithm

This figure illustrates the process of extracting the configuration from the ransomware sample using a configuration extractor tool. The extractor leverages static analysis techniques to analyze the binary and uncover the obfuscated configuration details.

Figure 12 – Extracted Obfuscated Strings Reveal Ransomware Techniques

This figure shows the results of the configuration extraction process. The extracted obfuscated strings reveal the ransomware’s use of Volume Shadow Copy Service (VSS) for deleting shadow copies, registry modifications for Winevt channels, and the use of PsExec pipe configuration.

Figure 13 – Ransomware Anti-Evasion Techniques

This figure highlights the ransomware’s evasion techniques. The malware searches for the presence of security and backup products such as Sophos and Veeam and attempts to stop their services if they are found, in an effort to evade detection and keep backups from interfering with encryption.

The obfuscation technique used by this ransomware was determined by analyzing the subroutine sub_406F48. The configuration extractor script incorporates APLib decompression, custom decryption, PE parsing, string deobfuscation, handling of unknown base64 config data, and automatic configuration block finding within all sections and overlay data. The complete extracted configuration is in the Appendix under Malware Configuration (Table 8); the extractor is described under Configuration Extractor, which links to the full code.

Dynamic Analysis

Figure 14 – Executed Lockbit Ransomware 

The ransomware disabled Windows Defender, as evidenced by a notification in the bottom-right corner indicating that the “Windows Security Center service” was turned off. Disabling security services in this way is a common strategy used by malware, including ransomware, to impede detection and prolong its presence on the system.

Upon completion of the encryption process, the ransomware deploys a ransom note that provides instructions to the victim regarding payment for the decryption of their files.

Figure 15 – Ransomware note

A ransom note attributed to the “BrainCipher” group was dropped. It instructs the victim to remit payment via the TOR network and includes an associated onion link. The note may additionally contain details about the perpetrating group and its specific demands.

Process Tree

Figure 16 – Process Tree of Ransomware 

This process tree shows the initial execution of the BrainCipher ransomware (2c9bb93dc2c9f641e58db43b.exe). It then demonstrates the Ransomware leveraging legitimate Windows tools (rundll32.exe, sc.exe, schtasks.exe) for code execution, persistence, system manipulation, and finally, performing cleanup/anti-forensic actions by deleting a scheduled task (schtasks.exe /delete). While the core file encryption isn’t visible in this specific snapshot, these surrounding activities are characteristic stages of a ransomware attack, focusing on execution, establishing control, and removing evidence.
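The stages visible in the process tree (the LockBit 3.0 switches listed in Table 5, sc.exe acting on a service from the SERVICES_TO_KILL list in Table 8, and schtasks.exe deleting a task after creating it) can be checked against process-creation telemetry. The following is an added example, not code from the report: it runs that logic over a constructed trace shaped like Sysmon event ID 1 records. The field names, process names, task name, and the service name are constructed.

```python
"""
Added example: evaluate constructed process-creation events against the
behaviours the report describes. Field names (pid, ppid, image, cmdline)
and every sample value are constructed, modelled on Sysmon event ID 1.
"""
import re

# Switches documented in Table 5 of the report.
LOCKBIT_SWITCHES = {"-pass", "-del", "-gdel", "-gspd", "-psex", "-safe", "-wall", "-path"}

# SERVICES_TO_KILL from the extracted configuration (Table 8). LockBit matches
# these as substrings of service names, so the check below does the same.
SERVICES_TO_KILL = ["vss", "sql", "svc$", "memtas", "mepocs", "msexchange", "sophos",
                    "veeam", "backup", "gxvss", "gxblr", "gxfwd", "gxcvd", "gxcimgr"]

def lockbit_switches(cmdline: str) -> list:
    """LockBit switches present as whole tokens (so '-delete' does not count as '-del')."""
    tokens = (tok.lower() for tok in cmdline.split())
    return sorted(t for t in tokens if t in LOCKBIT_SWITCHES)

def stopped_service(image: str, cmdline: str):
    """If this is 'sc stop|delete <name>' and <name> hits the kill list, return the name."""
    if not image.lower().endswith("\\sc.exe"):
        return None
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("stop", "delete"):
            name = tokens[i + 1].lower()
            if any(k in name for k in SERVICES_TO_KILL):
                return name
    return None

TASK_RE = re.compile(r'/(create|delete)\b.*?/tn\s+"?([^"\s]+)', re.IGNORECASE)

def analyze(events: list) -> list:
    """Return (pid, finding, detail) tuples for a list of process-creation events."""
    findings = []
    created_tasks = {}
    for ev in events:
        switches = lockbit_switches(ev["cmdline"])
        if switches:
            findings.append((ev["pid"], "lockbit_switch", ",".join(switches)))
        svc = stopped_service(ev["image"], ev["cmdline"])
        if svc:
            findings.append((ev["pid"], "kill_list_service_stop", svc))
        if ev["image"].lower().endswith("\\schtasks.exe"):
            m = TASK_RE.search(ev["cmdline"])
            if m:
                action, task = m.group(1).lower(), m.group(2)
                if action == "create":
                    created_tasks[task] = ev["pid"]
                elif task in created_tasks:      # deletion of a task created in this trace
                    findings.append((ev["pid"], "task_create_then_delete", task))
    return findings

# Constructed trace modelled on the report's process tree; all values are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\victim\Desktop\2c9bb93d.exe",
     "cmdline": r'"C:\Users\victim\Desktop\2c9bb93d.exe" -pass <password> -wall'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe stop VeeamBackupSvc"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "UpdateTask" /tr "C:\ProgramData\2c9bb93d.exe" /sc once /st 00:00'},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /delete /tn "UpdateTask" /f'},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /delete /tn "OtherAdminTask" /f'},   # benign: no matching create
]

def run_sample() -> list:
    return analyze(SAMPLE_EVENTS)

if __name__ == "__main__":
    for pid, finding, detail in run_sample():
        print(f"pid {pid}: {finding} ({detail})")
```

Matching switches as whole tokens rather than substrings is what keeps "-del" from firing on every "-delete" in unrelated administrative commands; the create-then-delete pairing is stateful on purpose, because a lone schtasks /delete is routine administration while a task created and removed by the same parent within one trace is the cleanup step seen in Figure 16.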

Indicators of Compromise (IOCs)

Table 4 – File Indicators

| Indicator Type | Value | Notes |
|---|---|---|
| SHA256 | 2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c | Primary hash of the analyzed sample. |
| Original Filename (Metadata) | 2025-04-18_41050b2b9f619cdd9916e3bdd5b9f2f9_darkside_elex_lockbit.exe | Potential original name, linking Darkside/LockBit. |
| Dropped File (Temp) | 6B0F.tmp | Temporary file dropped during execution (payload). |
| Ransom Note Pattern | <ID>.README.txt (e.g., 3T2S47O5t.README.txt) | Standard LockBit 3.0 ransom note format. |
| Dropped Icon File Pattern | C:\ProgramData\<Malware Extension>.ico | Icon file created by LockBit 3.0. |
| Dropped Wallpaper File Pattern | C:\ProgramData\<Malware Extension>.bmp | Bitmap file used for the ransom wallpaper. |
| Common Execution Paths | C:\ProgramData, %Temp%, User Profile Folders | Locations where the malware or notes were observed or are typically placed. |
| Potential Lateral Movement Paths | ADMIN$\Temp\<Filename>.exe, %SystemRoot%\Temp\<Filename>.exe, \\<Domain>\sysvol\<Domain>\scripts\<Filename>.exe | Paths used for spreading via PsExec or Group Policy. |

Table 5 –  Host-Based Indicators

| Indicator Type | Value | Notes |
|---|---|---|
| Mutex | Global\8df9f051c9944e3005de31c0ee44a466 | Observed mutex created by this sample. |
| Mutex | Global\{649F4E29-16CB-DD42-8922-9FFF0592856B} | Observed mutex created by this sample. |
| Mutex Pattern | Global\<MD4 hash of machine GUID> | Common LockBit 3.0 mutex pattern. |
| Registry Key (Wallpaper) | HKCU\Control Panel\Desktop\WallPaper | Value set to the path of the ransom wallpaper (.bmp). |
| Registry Key (Icon Association) | HKCR\.<Malware Extension>, HKCR\<Malware Extension>\DefaultIcon | Associates encrypted files with the LockBit icon. |
| Registry Key (Persistence/PrivEsc) | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (AutoAdminLogon, DefaultUserName, etc.) | Enables automatic logon. |
| Registry Key (Defense Evasion – Defender) | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (DisableAntiSpyware, etc.), …\Real-Time Protection (DisableRealtimeMonitoring, etc.), …\Spynet (SubmitSamplesConsent, etc.) | Attempts to disable Windows Defender components. |
| Registry Key (Defense Evasion – Firewall) | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile, …\StandardProfile (EnableFirewall = 0) | Attempts to disable Windows Firewall. |
| Registry Key (Defense Evasion – Event Log) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\* (Enabled = 0), …\ChannelAccess (modified permissions) | Attempts to disable or tamper with event logging. |
| Command-Line Argument | -pass <key> | Required password for execution in some variants. |
| Command-Line Argument | -del | Instructs the malware to self-delete after execution. |
| Command-Line Argument | -gdel | Removes Group Policy changes made for lateral movement. |
| Command-Line Argument | -gspd | Initiates lateral movement via Group Policy. |
| Command-Line Argument | -psex | Initiates lateral movement via PsExec/admin shares. |
| Command-Line Argument | -safe | Reboots the host into Safe Mode with Networking. |
| Command-Line Argument | -wall | Sets the ransom wallpaper and prints the ransom note. |
| Command-Line Argument | -path <file/folder> | Encrypts only the specified path. |

Table 6 – Registry activity 

Written:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\DeleteFlag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type

Table 7 – Network Indicators

| Indicator Type | Value | Notes |
|---|---|---|
| Tor Onion Address | hxxp[://]vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd[.]onion/ | Embedded C2/victim interaction URL. |
| Tor Onion Address | hxxp[://]brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd[.]onion | Embedded C2/victim interaction URL. |

Appendix

Malware Configuration

Table 8 – Malware Configuration Information

Each entry below gives the Feature / Detail, its Value / Content, and its Purpose / Notes.

RSA Public Key
  Value: a7aa63e9b1f28f0dd490bdedf3c47db4c33963957993f04060f8fc60e5afbcd83d9f07cedca7440d105d915319fc2b33f19b2ad8b0ab3492be2cf4e4549731f365cdb6dfa1b9e0f11fddcbfeca1c526d3715bed8d2386b779ce21b84487ec28b7eb6099614a4c35c32c60a560c18ed408d0c823f83d36a1a6fa1e3e93927247a
  Purpose: Used for encrypting the file encryption keys.

Affiliate ID
  Value: 36b9845979c7ef0075fe55e5a34d9dbd6d6162d1ea3ad195d823291bebd2077e
  Purpose: Identifies the specific affiliate/group using the build.

Bot ID / Company ID (Format)
  Value: %s and %.8x%.8x%.8x%.8x% (format strings for unique victim/bot/company IDs used in ransom notes and C2 communication)
  Purpose: For tracking victims and communication.

Ransom Note Filename (Format)
  Value: %s.README.txt (%s is likely replaced by a unique identifier or filename pattern)
  Purpose: Standard naming convention for the ransom instructions.

Mutex (Format)
  Value: Global\\%.8x%.8x%.8x%.8x% (creates a system-wide mutex)
  Purpose: Prevents multiple instances of the ransomware from running.

Processes to Terminate
  Value: sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad, calc, wuauclt, onedrive
  Purpose: Releases file handles so files can be encrypted; stops database and backup processes.

Services to Terminate / Disable
  Value: vss, sql, svc$, memtas, mepocs, msexchange, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr
  Purpose: Prevents system restores, stops backups, disables security products, and ensures access to database files.

Ransom Note Templates
  Value:
    LockBit Black Ransomware
    Your data are stolen and encrypted
    The data will be published on TOR website
    hxxp[://]lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion
    and hxxp[://]lockbitapt[.]uz if you do not pay the ransom
    You can contact us and decrypt one file for free on these TOR sites
    hxxp[://]lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd[.]onion
    hxxp[://]lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd[.]onion
    hxxp[://]lockbitsupp[.]uz
  Purpose: A LockBit Black ransom note found in an encrypted blob; this is not the note actually dropped by this malware.

System Info Gathering
  Value:
    "host_hostname":"%s",\n"host_user":"%s",\n"host_os":"%s",\n"host_domain":"%s",\n"host_arch":"%s",\n"host_lang":"%s",\n%s
    { "disk_name":"%s",\n"disk_size":"%u",\n"free_size":"%u"\n}
    "bot_version":"%s",\n"bot_id":"%s",\n"bot_company":"%.8x%.8x%.8x%.8x%",\n%s\n}
    "bot_version":"%s",\n"bot_id":"%s",\n"bot_company":"%.8x%.8x%.8x%.8x%",\n"stat_all_files":"%u",\n"stat_not_encrypted":"%u",\n"stat_size":"%s",\n"execution_time":"%u",\n"start_time":"%u",\n"stop_time":"%u"\n}
  Purpose: JSON-like structures with placeholders for hostname, user, OS, domain, architecture, language, disk information, and bot identifiers.

Network Communication
  Value:
    Mozilla/5.0 (Windows NT 6.1)
    AppleWebKit/587.38 (KHTML, like Gecko)
    Chrome/91.0.4472.77
    Safari/537.36
    Edge/91.0.864.37
    Firefox/89.0
    Gecko/20100101
    Accept: */*\nConnection: keep-alive\nAccept-Encoding: gzip, deflate, br\nContent-Type: text/plain
  Purpose: User-agent strings mimicking various web browsers and standard HTTP headers, suggesting web-based communication.

Registry Manipulation
  Value: SOFTWARE\Policies\Microsoft\Windows\OOBE; DisablePrivacyExperience; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; AutoAdminLogon; DefaultUserName; DefaultDomainName; DefaultPassword
  Purpose: Registry keys aimed at disabling the privacy experience and potentially enabling automatic administrator logon.

Boot Configuration
  Value:
    bcdedit /set {current} safeboot network
    bcdedit /deletevalue {current} safeboot
    bootcfg /raw /a /safeboot:network /id 1
    bootcfg /raw /fastdetect /id 1
  Purpose: Commands that modify boot settings to enable Safe Mode with Networking and potentially disable standard Safe Mode.

Persistence
  Value: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce; %s -pass %s
  Purpose: Uses the RunOnce registry key to execute commands after a restart, potentially with a decryption key or parameters.

Network Propagation
  Value: powershell Get-ADComputer -filter * -Searchbase '%s'
  Purpose: A PowerShell command to force Group Policy updates across a network, potentially for lateral movement or command execution.

Service Control
  Value: <?xml version="1.0" encoding="utf-8"?>\n<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBDMS" … (truncated)
  Purpose: XML Group Policy preference configuration to disable various SQL Server services.

File Operations
  Value: <?xml version="1.0" encoding="utf-8"?>\n<Files clsid="{215B2E53-57CE-475c-80FE-9EEC14635851}">\n\t<File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="%s" status="%s" … (truncated)
  Purpose: XML configuration for file operations, likely updating or modifying files with error bypass.

Scheduled Tasks
  Value: <?xml version="1.0" encoding="utf-8"?>\n<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">\n\t<TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="%s" … (truncated)
  Purpose: XML configuration for creating a scheduled task with specific properties (run as, logon type, triggers, actions).

Security Disablement
  Value: PReg[SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeDC;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeOffsetDC;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTime;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeOffset;;;][SOFTWARE\Policies\Microsoft\Windows\System;EnableSmartScreen;;;][SOFTWARE\Policies\Microsoft\Windows\System;**del.ShellSmartScreenLevel;;; ][SOFTWARE\Policies\Microsoft\Windows Defender;DisableAntiSpyware;;;][SOFTWARE\Policies\Microsoft\Windows Defender;DisableRoutinelyTakingAction;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableBehaviorMonitoring;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SpynetReporting;;;][SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile;EnableFirewall;;;][SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile;EnableFirewall;;;]
  Purpose: Registry policy (registry.pol) entries aimed at disabling Windows Defender (AntiSpyware, Real-Time Protection, Behavior Monitoring, Spynet), SmartScreen, and the Windows Firewall.

Network Shares
  Value: <?xml version="1.0" encoding="utf-8"?>\n<NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}">\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" … (truncated)
  Purpose: XML configuration to create network shares for various drive letters on the infected machine.

LDAP Queries
  Value: LDAP://%s/DC=%s,DC=%s; LDAP://DC=%s,DC=%s; LDAP://CN=%s,CN=Policies,CN=System,DC=%s,DC=%s; LDAP://%s
  Purpose: Strings indicating that the malware may perform LDAP queries to gather information about the network structure, including domain controllers and policies.

GUIDs (Potentially Policy Related)
  Value: ea502723-a23d-11d1-a7d3-0000f87571e3; ea502722-a23d-11d1-a7d3-0000f87571e3
  Purpose: These GUIDs are associated with Group Policy Objects (GPOs); their presence suggests the malware interacts with or targets specific GPOs.

Administrative Shares
  Value: ADMIN$; IPC$
  Purpose: References to ADMIN$ and IPC$ indicate potential interaction with administrative shares on remote systems.

Named Pipe Communication
  Value: %spipe\\%s
  Purpose: Suggests the malware may use named pipes for inter-process communication, either locally or remotely.

File Paths (Remote)
  Value: %sADMIN$\\Temp; %sADMIN$\\Temp\\%s.exe
  Purpose: Indicates potential file operations in the temporary directory of remote administrative shares, likely for dropping or executing files.

File Paths (Local)
  Value: %%SystemRoot%%\\Temp\\%s.exe
  Purpose: Suggests the malware may drop or execute files in the local system’s temporary directory.

Command Line Arguments
  Value: -gdel; -pass
  Purpose: Command-line arguments used by the malware (see Table 5): -pass supplies the execution password and -gdel removes the Group Policy changes made for lateral movement.

Sigma rules

# Rule 1 – process creation: command-line switches and scheduled-task cleanup.
# Process creation and registry writes are different Sigma log sources, so the
# registry selections live in a second rule below; the "EventType" field of the
# first draft is not part of the Sigma taxonomy.
title: Brain Cipher Ransomware Command-Line Activity
id: 82657bee-a0a9-4880-b0b3-dff7f8febea9
status: experimental
description: Detects LockBit 3.0 / Brain Cipher command-line switches and the scheduled task deletion seen in the sample's process tree.
author: aj-tap
date: 2023/10/27
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline1:
        # substring matches; "-del" also hits "-delete", so review hits on that value
        CommandLine|contains:
            - '-pass'
            - '-del'
            - '-gdel'
            - '-gspd'
            - '-psex'
            - '-safe'
            - '-wall'
            - '-path'
    selection_cmdline2:
        CommandLine|contains: 'schtasks.exe /delete'
    condition: selection_cmdline1 or selection_cmdline2
level: high
tags:
    - attack.execution
    - attack.t1059
    - attack.impact
    - attack.t1486
    - malware.brain_cipher
---
# Rule 2 – registry value writes (Sysmon event ID 13 / registry_set category).
title: Brain Cipher Ransomware Registry Tampering
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a fresh UUID before use
status: experimental
description: Detects registry keys written by Brain Cipher for the ransom wallpaper, icon association, auto-logon, Defender/Firewall/event log tampering and VSS/WerSvc service changes.
author: aj-tap
date: 2023/10/27
logsource:
    category: registry_set
    product: windows
detection:
    selection_policy:
        TargetObject|contains:
            - 'HKCU\Control Panel\Desktop\WallPaper'
            - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
            - 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
    selection_icon:
        # 'HKCR\.' alone matches every file-association write; require the
        # DefaultIcon value pointing at the dropped .ico under C:\ProgramData
        TargetObject|endswith: '\DefaultIcon'
        Details|contains: 'C:\ProgramData\'
    selection_services:
        # Sysmon reports ControlSet001 as CurrentControlSet; keep both spellings
        TargetObject|contains:
            - 'HKLM\SYSTEM\CurrentControlSet\Services\VSS'
            - 'HKLM\SYSTEM\ControlSet001\services\VSS'
            - 'HKLM\SYSTEM\CurrentControlSet\Services\WerSvc'
            - 'HKLM\SYSTEM\ControlSet001\services\WerSvc'
    condition: 1 of selection_*
level: high
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1490
    - malware.brain_cipher
# The two mutex names from Table 5 are intentionally not in a rule: Sysmon and
# the Windows event logs do not record mutex creation, so there is no Sigma log
# source for them; check them with handle or memory inspection tooling instead.

Configuration Extractor

The config extractor is a Python-based utility designed to automate the retrieval of embedded configuration data from LockBit 3.0 Black sample variants.

Its core functionality encompasses several key stages:

  1. PE File Parsing: The script initially parses the input PE file using the pefile library. It identifies critical structures such as sections and the overlay, which are common locations for hidden data.
  2. Candidate Block Identification: It systematically scans predefined sections (e.g., .data, .rdata, .pdata) and the PE overlay for byte patterns indicative of an encrypted configuration block. This typically involves looking for a specific header structure containing a seed for decryption and the size of the encrypted payload.
  3. Decryption: Once a potential candidate block is identified, the script attempts decryption using a custom algorithm. This algorithm often involves a seed-based key generation process and a specific XOR-based cipher with byte shuffling, tailored to the observed malware’s techniques.
  4. Decompression: The decrypted data is then subjected to APLib decompression, as this compression algorithm is frequently used to reduce the size of the embedded configuration.
  5. Validation and Structure Parsing: The resulting plaintext data is validated against expected size constraints and structural markers (e.g., offsets to further data blobs). If valid, the script parses known fields such as RSA public keys, affiliate IDs, operational flags, and pointers to lists of base64 encoded strings.
  6. String Deobfuscation: The script also includes routines to identify and deobfuscate strings within the PE file that are protected by a distinct XOR-based method, often found in MOV reg, imm / MOV [reg+disp], imm instruction patterns. This uses a configurable XOR key.
  7. Blob Extraction (from .data section): If a primary configuration seed is successfully extracted, the script can also attempt to locate, decrypt, and decompress other embedded data blobs, typically found within a specifically named section (e.g., .data), using the same seed.
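Step 6 is the part of the pipeline that needs no PE parsing library, so it can be shown complete. The following added example (not the extractor's own code) locates runs of mov dword [ebp+disp8], imm32 instructions (opcode bytes C7 45 disp8 imm32), XORs their immediates with a configurable key, and decodes the result as UTF-16LE or ASCII. The XOR key, the instruction bytes, and the strings encoded in them are constructed for the example; the real extractor matches the sample's own instruction patterns and key.

```python
"""
Added example of the stack-string deobfuscation pattern from step 6. The
encoder, key and sample bytes are constructed test input, not sample data.
"""
import struct

MOV_EBP_DISP8_IMM32 = b"\xC7\x45"   # mov dword ptr [ebp+disp8], imm32
INSN_LEN = 7                          # opcode + modrm + disp8 + imm32

def encode_stack_string(text: str, key: int, wide: bool, base_disp: int = -0x40) -> bytes:
    """Constructed obfuscator used only to build test input: one mov per dword, each XORed with key."""
    raw = (text.encode("utf-16-le") + b"\x00\x00") if wide else (text.encode("ascii") + b"\x00")
    raw += b"\x00" * (-len(raw) % 4)                        # pad to whole dwords
    out = bytearray()
    for i in range(0, len(raw), 4):
        dword = struct.unpack("<I", raw[i:i + 4])[0] ^ key
        out += MOV_EBP_DISP8_IMM32 + bytes([(base_disp + i) & 0xFF]) + struct.pack("<I", dword)
    return bytes(out)

def find_mov_imm_runs(code: bytes) -> list:
    """Return (offset, [imm32, ...]) for each run of consecutive mov [ebp+disp8], imm32."""
    runs, i = [], 0
    while i + INSN_LEN <= len(code):
        if code[i:i + 2] != MOV_EBP_DISP8_IMM32:
            i += 1
            continue
        start, imms = i, []
        while i + INSN_LEN <= len(code) and code[i:i + 2] == MOV_EBP_DISP8_IMM32:
            imms.append(struct.unpack("<I", code[i + 3:i + INSN_LEN])[0])
            i += INSN_LEN                                   # consume the whole instruction
        runs.append((start, imms))
    return runs

def decode_run(imms: list, key: int) -> str:
    """XOR the immediates back; decode as UTF-16LE when every high byte is zero, else as ASCII."""
    raw = b"".join(struct.pack("<I", v ^ key) for v in imms)
    if all(raw[j] == 0 for j in range(1, len(raw), 2)):
        return raw.decode("utf-16-le").split("\x00")[0]
    return raw.split(b"\x00")[0].decode("latin-1")

def deobfuscate(code: bytes, key: int, min_len: int = 4) -> list:
    """(offset, string) for every run that decodes to printable text; a wrong key yields nothing."""
    found = []
    for offset, imms in find_mov_imm_runs(code):
        text = decode_run(imms, key)
        if len(text) >= min_len and text.isprintable():
            found.append((offset, text))
    return found

# Constructed input: prologue, a wide string, an unrelated mov, an ASCII string, ret.
XOR_KEY = 0x5A3C9E21                                        # constructed key
SAMPLE_CODE = (b"\x55\x8B\xEC"                              # push ebp; mov ebp, esp
               + encode_stack_string("sophos", XOR_KEY, wide=True)
               + b"\x8B\x45\xC0"                            # mov eax, [ebp-0x40]
               + encode_stack_string("veeam", XOR_KEY, wide=False)
               + b"\xC3")                                   # ret

if __name__ == "__main__":
    for off, s in deobfuscate(SAMPLE_CODE, XOR_KEY):
        print(f"0x{off:04x}: {s}")
```

The printable-text filter is what makes the key configurable in practice: running the scan with a candidate key over a whole section and counting printable results is a quick way to confirm the key pulled from the disassembly, since a wrong key decodes every run to control characters and the result list stays empty.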

The primary output of the extractor includes the decrypted and decompressed configuration details, such as cryptographic keys, identifiers, and lists of strings (which may contain C2 domains, target file extensions, or ransom note templates), as well as any deobfuscated strings found through pattern matching.

Refer to https://github.com/aj-tap/Scripts/blob/main/Lockbit_3.0_Black/lockbit_config_extractor.py to see the full code.
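Step 6 above, as an added illustrative example that is not the extractor's own code: a Python scanner for the `MOV [reg+disp], imm` pattern, assuming (a simplification) that the protected string is a UTF-16 stack string written as `mov dword [ebp+disp8], imm32` instructions, one dword per instruction, and that a single 32-bit XOR key recovers it. The encoder, key and strings below are constructed fixtures; the real sample's layout and key come from the extractor linked above.

```python
import struct

# Constructed fixture, not bytes from the sample: emit the x86 instruction
# "mov dword [ebp+disp8], imm32" (opcode C7 45 disp8 imm32) for each dword
# of a XOR-protected UTF-16 stack string, the pattern step 6 describes.
def encode_stack_string(text: str, key: int, base_disp: int = -0x40) -> bytes:
    raw = text.encode("utf-16-le") + b"\x00\x00"
    raw += b"\x00" * (-len(raw) % 4)                 # pad to whole dwords
    out = bytearray()
    for i in range(0, len(raw), 4):
        word = struct.unpack_from("<I", raw, i)[0] ^ key
        out += b"\xC7\x45" + bytes([(base_disp + i) & 0xFF]) + struct.pack("<I", word)
    return bytes(out)

def _parse_mov(code: bytes, off: int):
    """Decode one 'mov dword [ebp+disp8], imm32' at off, else None."""
    if off + 7 > len(code) or code[off:off + 2] != b"\xC7\x45":
        return None
    disp = code[off + 2]
    disp = disp - 256 if disp >= 0x80 else disp      # disp8 is sign-extended
    return disp, struct.unpack_from("<I", code, off + 3)[0]

def deobfuscate_stack_strings(code: bytes, key: int) -> list:
    """Return the XOR-decoded bytes of every contiguous run of stack MOVs."""
    runs, off = [], 0
    while off < len(code):
        ins = _parse_mov(code, off)
        if ins is None:
            off += 1                                 # not a candidate, keep scanning
            continue
        run = []
        while ins is not None:                       # consume the whole contiguous run
            run.append((ins[0], ins[1] ^ key))
            off += 7
            ins = _parse_mov(code, off)
        run.sort()  # ascending displacement is stack order, i.e. the string's byte order
        runs.append(b"".join(struct.pack("<I", w) for _, w in run))
    return runs

def recover_strings(code: bytes, key: int) -> list:
    """Decode each run as UTF-16-LE, keeping the text before the terminator."""
    return [r.decode("utf-16-le", "replace").split("\x00")[0]
            for r in deobfuscate_stack_strings(code, key)]

if __name__ == "__main__":
    KEY = 0x1A2B3C4D                                 # constructed key, not the sample's
    blob = b"\x55\x8B\xEC" + encode_stack_string("ntdll.dll", KEY) + b"\xC3"
    blob += encode_stack_string("kernel32.dll", KEY)
    print(recover_strings(blob, KEY))                # ['ntdll.dll', 'kernel32.dll']
```

A wrong key yields garbage rather than an error, so in practice the decoded runs are filtered for printable text before being reported.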

Resolved API hashes

ntdll.dll (NT Native API and Runtime Library Functions)
RtlCreateHeap
RtlDestroyHeap
RtlAllocateHeap
RtlReAllocateHeap
RtlFreeHeap
memcpy
memset
memmove
strlen
strcpy
strstr
wcslen
wcscat
wcscpy
wcsstr
wcschr
wcsrchr
_wcsicmp
_wcslwr
_wcsupr
_strupr
swprintf
sprintf
_ui64toa
_alldiv
NtOpenProcess
NtDuplicateToken
NtDuplicateObject
NtSetThreadExecutionState
NtSetInformationProcess
NtQuerySystemInformation
NtQueryInformationProcess
NtQueryInformationToken
NtSetInformationToken
NtSetInformationThread
NtSetSecurityObject
NtOpenProcessToken
NtShutdownSystem
RtlAdjustPrivilege
RtlInitializeCriticalSection
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlInitUnicodeString
RtlSetHeapInformation
LdrEnumerateLoadedModules
NtTerminateProcess
NtTerminateThread
NtClose
NtPrivilegeCheck
NtWriteVirtualMemory
NtReadVirtualMemory
NtProtectVirtualMemory
NtAllocateVirtualMemory
NtFreeVirtualMemory
RtlWow64EnableFsRedirectionEx
NtQueryInstallUILanguage
NtQueryDefaultUILanguage
RtlTimeToTimeFields
kernel32.dll (Core Windows Functions)
SetFileAttributesW
GetFileAttributesW
FindFirstFileExW
FindNextFileW
FindClose
CopyFileW
MoveFileExW
CreateThread
CreateRemoteThread
ResumeThread
CreateFileW
WriteFile
ReadFile
FlushFileBuffers
WinExec
Sleep
GetOverlappedResult
SetFilePointerEx
WaitForSingleObject
WaitForMultipleObjects
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
InterlockedIncrement
GetExitCodeThread
GetLogicalDriveStringsW
GetDriveTypeW
GetDiskFreeSpaceExW
DeleteFileW
CreateDirectoryW
RemoveDirectoryW
OpenMutexW
CreateMutexW
ReleaseMutex
GetCurrentDirectoryW
SetCurrentDirectoryW
GetTickCount
GetComputerNameW
SetVolumeMountPointW
SetThreadPriority
GetVolumePathNameW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
DeviceIoControl
GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetSystemTime
GetSystemTimeAsFileTime
FileTimeToLocalFileTime
ExitProcess
GetEnvironmentVariableW
GetShortPathNameW
CreateProcessW
CreateNamedPipeW
ConnectNamedPipe
GetTempFileNameW
GlobalFree
MulDiv
advapi32.dll (Advanced Windows API Functions – Security, Registry, Services)
MD4Init
MD4Update
MD4Final
MD5Init
MD5Update
MD5Final
SetNamedSecurityInfoW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegDeleteKeyExW
RegDeleteKeyW
RegEnumKeyW
OpenSCManagerW
EnumServicesStatusExW
OpenServiceW
CreateServiceW
StartServiceW
SetServiceStatus
QueryServiceStatusEx
ControlService
DeleteService
CloseServiceHandle
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
CreateProcessAsUserW
LogonUserW
GetUserNameW
ConvertSidToStringSidW
LsaOpenPolicy
LsaStorePrivateData
LsaClose
SystemFunction040 (Related to RtlGenRandom)
SystemFunction041 (Related to RtlGenRandom)
CheckTokenMembership
OpenEventLogW
ClearEventLogW
CloseEventLog
CreateProcessWithLogonW
userenv.dll (User Environment Functions)
CreateEnvironmentBlock
DestroyEnvironmentBlock
RefreshPolicyEx
user32.dll (User Interface Functions)
GetDC
ReleaseDC
DrawTextW
DrawTextA
SystemParametersInfoW
OpenWindowStationW
CloseWindowStation
OpenDesktopW
CloseDesktop
GetSystemMetrics
GetShellWindow
GetDesktopWindow
IsWindowVisible
gdi32.dll (Graphics Device Interface Functions)
CreateFontW
CreateFontIndirectW
GetDeviceCaps
BitBlt
SetBkColor
CreateDCW
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
CreateDIBSection
DeleteDC
DeleteObject
SetTextColor
SetBkMode
SetMapMode
GetTextExtentPoint32W
StartDocW
EndDoc
StartPage
EndPage
shell32.dll (Windows Shell Functions)
CommandLineToArgvW
SHGetSpecialFolderPathW
ShellExecuteW
SHChangeNotify
ole32.dll (Component Object Model – COM Functions)
CoCreateGuid
CoInitialize
CoInitializeEx
CoUninitialize
CoGetObject
CoInitializeSecurity
CoCreateInstance
CoCreateInstanceEx
CoSetProxyBlanket
shlwapi.dll (Shell Lightweight Utility Functions)
PathFindExtensionW
PathIsNetworkPathW
PathFindFileNameW
PathFindFileNameA
PathIsUNCServerW
PathQuoteSpacesW
PathUnquoteSpacesW
PathRemoveFileSpecW
PathIsFileSpecW
PathIsDirectoryEmptyW
PathAppendW
PathAppendA
IUnknown_QueryService (Note: This specific name might be internal/non-standard for shlwapi, but was listed)
oleaut32.dll (OLE Automation Functions)
VariantInit
VariantClear
SysAllocString
SysFreeString
wtsapi32.dll (Windows Terminal Services API Functions)
WTSQueryUserToken
rstrtmgr.dll (Restart Manager API Functions)
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
netapi32.dll (Network API Functions)
NetApiBufferFree
DsGetDcNameW
DsGetDcOpenW
DsGetDcNextW
DsGetDcCloseW
activeds.dll (Active Directory Service Interfaces Functions)
ADsOpenObject
ADsGetObject
ADsBuildEnumerator
ADsEnumerateNext
ADsFreeEnumerator
wininet.dll (Windows Internet Functions)
InternetOpenW
InternetConnectW
InternetSetOptionW
InternetQueryOptionW
InternetCloseHandle
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
InternetQueryDataAvailable
InternetReadFile
wsock32.dll (Older Windows Sockets Functions)
WSAStartup
WSACleanup
gethostbyname
mpr.dll (Multiple Provider Router Functions – Network Connections)
WNetAddConnection2W
WNetCancelConnection2W
gpedit.dll (Group Policy Edit Functions)
CreateGPOLink
