General
-
Target
fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118
-
Size
1.7MB
-
Sample
240420-wcnrcaed3z
-
MD5
fd49374b6bf5ddfcf665a110da75f127
-
SHA1
b45353452bc2d9e1a93fd35a4438f97a068af1bf
-
SHA256
c2f96661a63e6a894a46ae5bf83f85c3f9fa74cf20cc7b6d34b4888289ea7ae4
-
SHA512
a43d9e63b4d1dff27e03fda00f347dabbf640c1a5e51397a15662a48050decbd8f908b8e63f16de75bafbe1ab0fece3fb689ced3d503e0a406a30b12997d2d50
-
SSDEEP
49152:k6MLyu3iyTEk+EPmk4O+jJWuuiA2TxyNwycImYYNZ:ktGwiq+EP+ZnuiA21yNw3Imd/
Malware Config
Targets
-
-
Target
fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118
-
Size
1.7MB
-
MD5
fd49374b6bf5ddfcf665a110da75f127
-
SHA1
b45353452bc2d9e1a93fd35a4438f97a068af1bf
-
SHA256
c2f96661a63e6a894a46ae5bf83f85c3f9fa74cf20cc7b6d34b4888289ea7ae4
-
SHA512
a43d9e63b4d1dff27e03fda00f347dabbf640c1a5e51397a15662a48050decbd8f908b8e63f16de75bafbe1ab0fece3fb689ced3d503e0a406a30b12997d2d50
-
SSDEEP
49152:k6MLyu3iyTEk+EPmk4O+jJWuuiA2TxyNwycImYYNZ:ktGwiq+EP+ZnuiA21yNw3Imd/
Score10/10-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Renames multiple (204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-