{
	"id": "a700b890-f55e-47a3-92ff-49081ac49b02",
	"created_at": "2026-04-06T00:19:05.628594Z",
	"updated_at": "2026-04-10T03:21:45.753484Z",
	"deleted_at": null,
	"sha1_hash": "f17413a2dd6b68b4489cbfb7f038e7b43527341b",
	"title": "Maktub Locker - Beautiful And Dangerous | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 600984,
	"plain_text": "Maktub Locker - Beautiful And Dangerous | Malwarebytes Labs\r\nBy hasherezade\r\nPublished: 2016-03-23 · Archived: 2026-04-05 16:48:45 UTC\r\nMaktub Locker is another ransomware that comes with a beautifully designed GUI and a few interesting features. Its\r\nname originates from the Arabic word maktub, which means “this is written” or “this is fate”. The authors were\r\nprobably trying to make a joke by referencing the act of getting infected with ransomware, hinting that it is\r\nuninvited and unavoidable, just like fate.\r\nAnalyzed samples\r\n74add6536cdcfb8b77d10a1e7be6b9ef\r\nb24952857ff5cb26b2e97331800fa142 \u003c- main focus of this analysis\r\n38eff2f7c6c8810a055ca14628a378e7 – payload (C.dll)\r\nSpecial thanks to MalwareHunterTeam and Yonathan Klijnsma for sharing the samples.\r\nBehavioral analysis\r\nThis ransomware comes in a spam campaign, pretending to be a document with a Terms-Of-Service update. This\r\ntime the whole package has a consistent theme: the name of the attachment is made to resemble a document (examples:\r\n“TOS-update-[…].scr”, “20160321_tos.scr”), and it also has a document-like icon:\r\nAn interesting trick used by this ransomware to spoof legitimate behavior is that it really displays a document!\r\nSpecifically, a fake TOS update in .rtf format:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/\r\nPage 1 of 15\r\nWhile the user is busy reading the document, the malicious program runs in the background and encrypts his/her\r\nfiles.\r\nEncryption process\r\nMaktub Locker does not need to download a key from the CnC server – data can be encrypted offline as well.\r\nExtensions given to the encrypted files are random, generated at runtime – their pattern is: [a-z]{4,6}\r\nThe new and surprising thing is that encrypted files are much smaller than the original ones. 
It seems this\r\nransomware not only encrypts but also compresses files.\r\nOriginal files and their sizes:\r\nThe same files after encryption:\r\nSee below a visualization of bytes.\r\nsquare.bmp : left – original, right – encrypted with Maktub Locker:\r\n^– the bitmap compresses very well, so the encrypted file is tiny\r\nA possible reason for compressing files first is to speed up the encryption process.\r\nEncrypted content is different on each run of the sample. However, in a single run, files with the same content will\r\ngive the same output. We can conclude that the random key is generated only once – at the program’s start. After that,\r\nevery file is encrypted using the same key.\r\nAfter the encryption is finished, the following GUI pops up:\r\nIt provides the victim with a custom-formatted key: 82 chunks, each 5 characters long (chunk format: [A-Z0-9]{5}). Each\r\ntime the sample runs, this key is newly generated.\r\nThe same information (and layout) can be found in an HTML file (_DECRYPT_INFO_[$EXTENSION].html),\r\ndropped in each encrypted directory.\r\nWebsite for the victim\r\nThese days, it’s a common feature of ransomware to provide a TOR-accessed website for the victim, and Maktub\r\nLocker is no different. Similar to the ransom note, the website is only available in English. In order to access the\r\nindividual page, the victim is supposed to paste his/her key (the one supplied in the ransom note) into the input\r\nbox provided on the website.\r\nIt then redirects to the main website. 
In comparison to other ransomware families, Maktub Locker actually has a\r\nvery nicely designed website, including the clean and polite language used.\r\nIt comes with a demo, allowing the decryption of 2 selected files:\r\nThe price of decrypting files starts at 1.4 BTC and increases with time. The distributors warn that the website\r\ncan be taken down and then it would not be possible to recover encrypted files:\r\nInside\r\nMaktub Locker comes packed in a well-written crypter/FUD, so the code is not readable at first. Also, due to the\r\nFUD’s functions, detection is problematic and samples have a low detection ratio in the first hours/days after the\r\ncampaign starts.\r\nUnpacking\r\nExecution starts in the FUD’s code. At first we can see many harmless-looking (and completely useless) API calls\r\nand random strings.\r\nThis code is executed first, to deceive tools used to detect malicious behavior. Then it is completely overwritten by\r\nnew code. However, this is also not the malware code, but just another layer of deception techniques. Below, you\r\ncan see a fragment of the code responsible for unpacking and executing the bogus TOS update (it is first unpacked\r\nfrom the resources and dropped into the %TEMP% folder as a cabinet file):\r\nThe real malicious code starts in another module that is unpacked into dynamically allocated memory.\r\nYou can see above 2 threads with entry point 0x10001230. They belong to this malicious module. 
If we try to dump\r\nthis memory area, we obtain a new PE file:\r\nThis PE file is loaded in a continuous area of dynamically allocated memory and used as a new virtual section.\r\nUnfortunately, this time dumping it will not give us the independent payload – the unpacked content has invalid\r\nheaders, i.e.:\r\nThis trick is used by the crypter in order to protect the payload from automated dumping tools. However, if we\r\ncapture the unpacking at the right moment, before the headers are overwritten, we can still recover the original\r\npayload. It turns out to be a DLL (packed with UPX):\r\nThe code responsible for encrypting files is located in the function “one”.\r\nThe DLL is packed with a genuine version of UPX, so we can easily unpack it, getting a deobfuscated DLL as a\r\nresult with the following section layout (unpacked C.dll: 38eff2f7c6c8810a055ca14628a378e7):\r\nHowever, we will still not see valid strings. Imports also seem irrelevant to the functionality (we will not find\r\nthere, for example, any reference to the Windows Crypto API). This is due to the fact that the real imports are resolved\r\ndynamically. At the beginning of execution, the function “one” loads them on its own – first, decrypting their\r\nnames:\r\nThen, they are accessed via dynamically loaded handles.\r\nExecution flow\r\nThis malware first makes a list of all the files, and then processes them one by one. It also unpacks a built-in\r\nconfiguration with a list of restricted paths and attacked executables. Each processed path is first checked against\r\nthis list.\r\nBelow you can see a fragment of code opening a file that is chosen to be encrypted. 
The call to the function CreateFileA\r\nis performed via a handle dynamically loaded into the EAX register:\r\nThen, a new file is created – with an extension added:\r\nAt first both files coexist in the system – the newly created file has 0 size. After it is filled with the encrypted\r\ncontent, the original file gets deleted.\r\nAfter the encryption process is finished, the malware creates and pops up the dialog box.\r\nBelow – code responsible for popping up the GUI with a ransom note:\r\nWhat is attacked?\r\nIt is common practice to exclude some chosen countries from the attack. In this case, before deploying the\r\nmalicious actions, the application fetches the keyboard locale list. If it finds Russian (value 0x419 = 1049) among\r\nthem, the malware exits without infecting files:\r\nAlso excluded from the attack are some predefined folders:\r\n\"\\internet explorer\\;\\history\\;\\mozilla\\;\\chrome\\;\\temp\\;\\program files\\;\\program files (x86)\\;\\micro\r\nThe built-in configuration also specifies which extensions to attack:\r\nLike other ransomware families, it attacks not only the local disk but also network shares and disks mounted by\r\nvirtual environments, including external hard drives.\r\nHow does the encryption work?\r\nMaktub Locker uses the Windows Crypto API. But, as we concluded from the analysis, it uses only one key for all files\r\n(it does not generate a random key per file). 
Let’s see what technique it uses to obtain keys…\r\nIn this run, the key supplied to the user was:\r\n[code]X25HE-J53ZU-QERDZ-ZNUJ3-SERJ6-J617E-UUASZ-AFG2G-83B08-2SHC1-AUYFZ-GJHF2-W7321-\r\n144TM VKFKR-6TKRV-STG4B-CE5MZ-TAH4W-MP541-GD3SB-HE43J-ZF4TK-ZNZTG-R7ZBZ-AKM2U-T6TYN-53J7H MU6J6-BTSJC-FQVQR-EH755-C1WCJ-7SNPT-MHFBS-Q638V-MASEB-R16HW-P84P2-\r\n7EEX8-KXAHB-D10F7 GF071-U37K3-GJ5Q5-WD0PD-2EG16-KMC5R-RPCBX-R8EV3-ZPXQV-TDVXM-SEEFX-XK23J-FCH4Z-RNBPN XE6X5-4W8CT-WJQJU-071T5-DSUZW-JGSZA-KFKZ6-4DU0S-80H1H-CEP2J-PDSKA-UXBR8-8C1BB-SDQNC 1C8F7-HPZ2G-Q5JVN-F6WXH-PMUSR-8G4HT-RNYVW-DZNQ3-\r\nY8KZJ-NYC1G-SPR3T-U5GD5 [/code]\r\nLet’s investigate what the relationship is between this key and the key used to encrypt files. So far we know that it\r\nmust be generated locally.\r\nFirst it initializes two crypto contexts – both with the same settings, using provider type:\r\nPROV_DH_SCHANNEL\r\nGets 32 random bytes, using the function CryptGenRandom\r\nCreates an MD5 sum of this random data (using: CryptCreateHash, CryptHashData)\r\nThen, using the function CryptDeriveKey, it converts the MD5 hash into a 256-bit AES key (AlgID = 0x6610 -\u003e\r\nCALG_AES_256).\r\nIt also imports an RSA public key (2048 bit). This key is hardcoded in the binary.\r\nThe random 32 bytes (base of the AES key), along with the random extension, are concatenated together. 
Then,\r\nthe prepared buffer is RSA encrypted:\r\nThe output is converted using the predefined charset and given to the victim as the individual ID:\r\nThat’s why, when the user submits his/her individual ID, the attackers, having the appropriate private key, can\r\ndecrypt the original data and easily recover the random AES key.\r\nAfter this operation, the previously generated AES key is used to encrypt files.\r\nFirst, the file content is compressed by a dedicated function (BZip2):\r\nThen, the buffer containing the compressed data is AES encrypted – using CryptEncrypt\r\nThe encrypted data is saved to the file with the generated extension added.\r\nConclusion\r\nMaktub Locker has clearly been developed by professionals. The full product’s complexity suggests that it is the\r\nwork of a team of people with different areas of expertise. From the packing operations to the website, everything\r\nis well-polished. We are not sure if the crypter/FUD is designed by the same team – it could also be a commercial\r\nsolution available on the black market. However, it is not the only level of defense – the core DLL is also\r\nobfuscated and for sure prepared by someone with experience in writing malware.\r\nMalwarebytes Anti-Malware detects this threat as: Ransom.Maktub.\r\nAppendix\r\nhttp://www.bleepingcomputer.com/news/security/the-art-of-the-maktub-locker-ransomware/ – “The Art of the\r\nMaktub Locker Ransomware” (detailed description of the graphical design)\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
	],
	"report_names": [
		"maktub-locker-beautiful-and-dangerous"
	],
	"threat_actors": [],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f17413a2dd6b68b4489cbfb7f038e7b43527341b.pdf",
		"text": "https://archive.orkl.eu/f17413a2dd6b68b4489cbfb7f038e7b43527341b.txt",
		"img": "https://archive.orkl.eu/f17413a2dd6b68b4489cbfb7f038e7b43527341b.jpg"
	}
}