General

Target: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118
Size: 336KB
Sample: 240428-qvdffagg87
MD5: 054d68e1b21ca7d723170ab0a76ecade
SHA1: 36495fdc5e9784e09e8c11838c3ad3653f987fa8
SHA256: 85fbae8101c1214be4247bba710cbda6d4af6889cdce838a0ace154f1487f581
SHA512: 1f517a80a5eb9c77b1c5a56421c27b6653b75e35728d121576340a9f99dbfb10a59a0e5459b2df592851cd122dfaffb970feb9423a13ca09c2bfba95df3b7555
SSDEEP: 6144:vaq1F7UiBDVWXP+t/tCPS0U1R+6OxuQ6jEUxrSrdqD2Ig7Uf++z3EJ29iV:b7rPW/6tCPSxN8IoUfvUJ2g
Static task: static1

Behavioral task: behavioral1
Sample: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
Resource: win10v2004-20240419-en
Malware Config

Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C226E7F456D5DFD2
http://b4youfred5485jgsa3453f.italazudda.com/C226E7F456D5DFD2
http://5rport45vcdef345adfkksawe.bematvocal.at/C226E7F456D5DFD2
http://fwgrhsao3aoml7ej.onion/C226E7F456D5DFD2
http://fwgrhsao3aoml7ej.ONION/C226E7F456D5DFD2

Extracted from: C:\Program Files\7-Zip\Lang\Recovery+ooguo.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/A594BCEE993CD31
http://b4youfred5485jgsa3453f.italazudda.com/A594BCEE993CD31
http://5rport45vcdef345adfkksawe.bematvocal.at/A594BCEE993CD31
http://fwgrhsao3aoml7ej.onion/A594BCEE993CD31
http://fwgrhsao3aoml7ej.ONION/A594BCEE993CD31

Both notes list the same three clearnet hosts plus one 16-character (Tor v2) hidden service, spelled once in lower case and once in upper case; only the trailing path segment (C226E7F456D5DFD2 versus A594BCEE993CD31) differs between the two notes. When turning these into indicators, match on the hostnames rather than the full URLs, since the path varies per note.
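The normalisation step a practitioner would run on the extracted config, written here as an added example that is not part of the sandbox report: it parses the ten payment URLs listed above, collapses the .onion/.ONION spellings into one host (the hostname is lower-cased during URL parsing), separates clearnet hosts from the Tor hidden service, and groups hosts by the trailing identifier so that the per-note path segment does not end up as ten separate indicators. The reading of the last path segment as a per-note identifier is an assumption based on the two notes shown; the page does not say what the value encodes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The payment URLs exactly as listed in the two extracted ransom notes above.
EXTRACTED_URLS = [
    "http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C226E7F456D5DFD2",
    "http://b4youfred5485jgsa3453f.italazudda.com/C226E7F456D5DFD2",
    "http://5rport45vcdef345adfkksawe.bematvocal.at/C226E7F456D5DFD2",
    "http://fwgrhsao3aoml7ej.onion/C226E7F456D5DFD2",
    "http://fwgrhsao3aoml7ej.ONION/C226E7F456D5DFD2",
    "http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/A594BCEE993CD31",
    "http://b4youfred5485jgsa3453f.italazudda.com/A594BCEE993CD31",
    "http://5rport45vcdef345adfkksawe.bematvocal.at/A594BCEE993CD31",
    "http://fwgrhsao3aoml7ej.onion/A594BCEE993CD31",
    "http://fwgrhsao3aoml7ej.ONION/A594BCEE993CD31",
]

# A Tor v2 hidden-service name is exactly 16 base32 characters before ".onion".
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")


def parse_payment_url(url):
    """Return (hostname, identifier) for one payment URL.

    urlsplit().hostname is lower-cased, so the .onion and .ONION spellings of
    the same hidden service collapse to a single host. The identifier is taken
    as the last path segment (an assumption about where these notes carry it).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    identifier = parts.path.strip("/").rsplit("/", 1)[-1]
    return host, identifier


def group_by_identifier(urls):
    """Map each trailing identifier to the sorted, de-duplicated hosts serving it."""
    groups = defaultdict(set)
    for url in urls:
        host, identifier = parse_payment_url(url)
        groups[identifier].add(host)
    return {ident: sorted(hosts) for ident, hosts in groups.items()}


def split_hosts(urls):
    """Separate the distinct hosts into (clearnet, onion) lists."""
    hosts = {parse_payment_url(u)[0] for u in urls}
    onion = sorted(h for h in hosts if h.endswith(".onion"))
    clearnet = sorted(hosts - set(onion))
    return clearnet, onion


def is_v2_onion(host):
    """True when host is a syntactically valid Tor v2 hidden-service name."""
    return ONION_V2.match(host) is not None


if __name__ == "__main__":
    for ident, hosts in group_by_identifier(EXTRACTED_URLS).items():
        print(ident, hosts)
    clearnet, onion = split_hosts(EXTRACTED_URLS)
    print("clearnet:", clearnet)
    print("onion:", onion, [is_v2_onion(h) for h in onion])
```

Running it shows that both identifiers resolve to the same four hosts, so the indicator set for this sample is three clearnet names and one hidden service, not ten URLs.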
Targets

Target: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118
Score: 10/10

Signatures
Renames multiple (406) files with added filename extension
  Consistent with ransomware: files across the system are encrypted and renamed by appending a new extension to the original name.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Deletes itself
Drops startup file
Executes dropped EXE
Adds Run key to start application
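The logic behind the rename, ransom-note and Run-key signatures above, written as an added example rather than the sandbox's own rules: it walks a list of constructed file and registry events (not events from this report; the paths, the ".enc" suffix and the "updater" value name are placeholders), counts only renames that append an extension to an otherwise unchanged path, so a plain extension change or a move does not count, flags ransom notes by the Recovery+<letters>.txt name shape seen on this page, and lists Run/RunOnce writes. The rename threshold is an assumed value; the report's own signature fired at 406 renames.

```python
import re

# Constructed sandbox-style events, not taken from this report.
# Each entry is (operation, source, target).
EVENTS = [
    ("rename", r"C:\Users\victim\Documents\budget.xlsx", r"C:\Users\victim\Documents\budget.xlsx.enc"),
    ("rename", r"C:\Users\victim\Documents\thesis.docx", r"C:\Users\victim\Documents\thesis.docx.enc"),
    ("rename", r"C:\Users\victim\Pictures\IMG_0001.JPG", r"C:\Users\victim\Pictures\img_0001.jpg.enc"),
    ("rename", r"C:\Users\victim\Documents\notes.txt", r"C:\Users\victim\Documents\notes.txt.enc"),
    ("rename", r"C:\Users\victim\Documents\report.doc", r"C:\Users\victim\Documents\report.docx"),
    ("rename", r"C:\Users\victim\Downloads\setup.tmp", r"C:\Users\victim\Downloads\setup.exe"),
    ("rename", r"C:\Users\victim\Desktop\a.txt", r"C:\Users\victim\Desktop\sub\a.txt.enc"),
    ("create", r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.txt", None),
    ("create", r"C:\Program Files\7-Zip\Lang\Recovery+ooguo.txt", None),
    ("regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
               r"C:\Users\victim\AppData\Roaming\updater.exe"),
    ("delete", r"C:\Users\victim\Downloads\sample.exe", None),
]

SEPARATORS = ("\\", "/")
# Run and RunOnce are both autostart locations; the report only names Run.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed note name shape, generalised from the two notes on this page.
NOTE_NAME = re.compile(r"^Recovery\+[a-z]+\.txt$", re.IGNORECASE)


def added_extension(old_path, new_path):
    """Return the suffix appended to old_path to give new_path, else None.

    Windows paths are compared case-insensitively. A rename that merely changes
    the extension (report.doc -> report.docx) or that moves the file into
    another directory is not a hit.
    """
    old, new = old_path.lower(), new_path.lower()
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old):]
    if suffix == "." or any(sep in suffix for sep in SEPARATORS):
        return None
    return suffix


def rename_signature(events, min_renames=25):
    """Count renames that append an extension; min_renames is an assumed threshold."""
    hits = []
    for op, src, dst in events:
        if op == "rename":
            ext = added_extension(src, dst)
            if ext:
                hits.append((src, dst, ext))
    return {
        "count": len(hits),
        "extensions": sorted({h[2] for h in hits}),
        "triggered": len(hits) >= min_renames,
    }


def ransom_note_drops(events):
    """Paths of created files whose base name matches the note pattern."""
    return [src for op, src, _ in events
            if op == "create" and NOTE_NAME.match(src.rsplit("\\", 1)[-1])]


def run_key_writes(events):
    """(key, value) pairs written under a Run or RunOnce key."""
    return [(key, value) for op, key, value in events
            if op == "regset" and RUN_KEY.search(key)]


def triage(events, min_renames=25):
    """Combine the three checks into one summary for the event set."""
    return {
        "renames_with_added_extension": rename_signature(events, min_renames),
        "ransom_notes": ransom_note_drops(events),
        "run_keys": run_key_writes(events),
    }


if __name__ == "__main__":
    for name, result in triage(EVENTS, min_renames=3).items():
        print(name, result)
```

The point of the startswith check is that a rename only counts when the whole original path, including its old extension, survives as a prefix of the new path; that is what separates "budget.xlsx -> budget.xlsx.enc" from ordinary edits such as "report.doc -> report.docx", and it is also why the added extension itself becomes a useful indicator once the count crosses the threshold.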