General

  • Target

    e75822cae67b3973226563c1f6d65f33_JaffaCakes118

  • Size

    484KB

  • Sample

    240408-ng8nbabc4z

  • MD5

    e75822cae67b3973226563c1f6d65f33

  • SHA1

    604d0e79e057bf303be67bbc236a95cf45bf98c5

  • SHA256

    25c4f9cac7fe5a3aea07844978c850c504a6f42e4fa47314f0f5dd7955dd8c35

  • SHA512

    a4172696602d86df75a1603dfe476ba0539780dfdfd99ad40ba91fbf32a10534721122f265040d23de0637a26ea46aa61050ac00cc94109cb80bc15be3632633

  • SSDEEP

    12288:pri4iyCOexIOGQOzCCVeBP8NbroFTAKmfZJ8AzQ:pr8yLCIYC8Bobr+afZJ8AzQ

Targets

    • Target

      e75822cae67b3973226563c1f6d65f33_JaffaCakes118

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (54) files with added filename extension

      Appending a new extension to many user files in quick succession is characteristic of ransomware encrypting files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Drops file in System32 directory
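
    As an added worked example, not part of the sandbox report or its signature engine, the
    following script re-implements three of the heuristics listed above over a sandbox-style
    event log: the mass-rename-with-added-extension check behind "Renames multiple files with
    added filename extension", and registry matches for "Modifies visibility of file extensions
    in Explorer", "Adds Run key to start application" and "Checks computer location settings".
    The event list is constructed for the demo, the rename threshold of 10 is an assumption
    (the report does not state the real one), and the registry paths are the locations a
    practitioner would expect these behaviours to touch, not values taken from this sample.

```python
import re
from collections import Counter

# Constructed sandbox-style events for the demo (NOT taken from the report).
# Each event is (operation, path, argument); for "rename" the argument is the
# new path, for "regset" the written value, for "regread" it is unused.
EVENTS = (
    [("rename", fr"C:\Users\Admin\Documents\report{i}.docx",
                fr"C:\Users\Admin\Documents\report{i}.docx.locked") for i in range(12)]
    + [("rename", r"C:\Users\Admin\Desktop\old.txt", r"C:\Users\Admin\Desktop\new.txt")]
    + [
        ("regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1"),
        ("regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                   r"C:\Windows\System32\updater.exe"),
        ("regread", r"HKCU\Control Panel\International\Geo\Nation", ""),
    ]
)

# Assumed rename threshold; the sandbox's real cut-off is not given in the report.
RENAME_THRESHOLD = 10


def added_extension(old, new):
    """Return the suffix appended to `old` when `new` == old + '.' + suffix, else None."""
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old) + 1:]
    # A plausible appended extension: short, alphanumeric, no further separators.
    return suffix if re.fullmatch(r"[a-z0-9_\-]{1,16}", suffix) else None


def find_mass_rename(events, threshold=RENAME_THRESHOLD):
    """Count renames that only append an extension; return {ext: count} over the threshold."""
    counts = Counter()
    for op, path, arg in events:
        if op == "rename":
            ext = added_extension(path.lower(), arg.lower())
            if ext:
                counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


# Registry locations each signature is assumed to key on (assumed mapping, not from the report).
# (signature name, operation, path regex on the lower-cased key, required value or None)
REG_RULES = [
    ("Modifies visibility of file extensions in Explorer", "regset",
     re.compile(r"\\explorer\\advanced\\hidefileext$"), "1"),
    ("Adds Run key to start application", "regset",
     re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\"), None),
    ("Checks computer location settings", "regread",
     re.compile(r"\\control panel\\international\\geo\\nation$"), None),
]


def registry_indicators(events):
    """Return the sorted set of signature names whose registry rule matched an event."""
    hits = set()
    for op, path, arg in events:
        key = path.lower()
        for name, rule_op, pattern, required in REG_RULES:
            if op == rule_op and pattern.search(key) and (required is None or arg == required):
                hits.add(name)
    return sorted(hits)


def triage(events):
    """Combine both heuristics into a signature -> detail mapping, as a report would list them."""
    findings = {}
    renamed = find_mass_rename(events)
    if renamed:
        total = sum(renamed.values())
        findings[f"Renames multiple ({total}) files with added filename extension"] = renamed
    for name in registry_indicators(events):
        findings[name] = True
    return findings


if __name__ == "__main__":
    for name, detail in triage(EVENTS).items():
        print(f"- {name}: {detail}")
```

    The rename heuristic deliberately keys on new_name == old_name + "." + suffix rather than on
    any rename, so ordinary renames (old.txt to new.txt) do not count, and it groups by the
    appended suffix so a single encryptor extension stands out from scattered noise.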

MITRE ATT&CK Enterprise v15
