General
Target: 1fd4eb7719bc5d76ca8615cd58f6c29f_JaffaCakes118
Size: 225KB
Sample: 240507-hyjsmaeb3y
MD5: 1fd4eb7719bc5d76ca8615cd58f6c29f
SHA1: d41b20e63d2685ea9a70dd3a99947af5096500a2
SHA256: c90ed0ed4c0ff848f0876239b5bb4f680611caa7dd279791ded7f074f148f9fe
SHA512: 97ae00f8f61ac2b4a681f390e8c423ac38d120e74f67b660a86613379ea4210179eaf10a4693a56d1da065775f2c5ecfd1e77adb8f1419111a517498a598a0b7
SSDEEP: 3072:0fLnfk1mn7UVGhRXR9cEF3KGx/CgO9PcsibcbQLOEpTR5w1BNH50Idt:0fL8c4VQcEwGxagiPSbIyPKQIb
Static task: static1

Behavioral task: behavioral1
Sample: 1fd4eb7719bc5d76ca8615cd58f6c29f_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1fd4eb7719bc5d76ca8615cd58f6c29f_JaffaCakes118.exe
Resource: win10v2004-20240419-en
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\MJGDEFY-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/c54542c2fcd6e588

Extracted from: C:\PerfLogs\GDJPBHQIBH-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/1beac30789e2eb4
Targets
Target: 1fd4eb7719bc5d76ca8615cd58f6c29f_JaffaCakes118 (225KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
Renames multiple (280) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry