General
Target: e6ec699b6839f02fec298d786d95244e_JaffaCakes118
Size: 2.5MB
Sample: 240408-h4t6jsbf73
MD5: e6ec699b6839f02fec298d786d95244e
SHA1: f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
SHA256: d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
SHA512: e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
SSDEEP: 1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Static task: static1
Behavioral task: behavioral1
Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\readme-warning.txt
Family: makop
Targets
Target: e6ec699b6839f02fec298d786d95244e_JaffaCakes118
Size: 2.5MB
MD5: e6ec699b6839f02fec298d786d95244e
SHA1: f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
SHA256: d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
SHA512: e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
SSDEEP: 1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Score: 10/10
Signatures
- Turns off Windows Defender SpyNet reporting
- Nirsoft
- Renames multiple (206) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext