Extracted

Extracted

• • Target

    2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118

  • Size

    369KB

  • MD5

    2c6e8b55ec2beb6ed16874e3e809573b

  • SHA1

    221f4a333fffd85f544c71949661f73b62eed173

  • SHA256

    843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109

  • SHA512

    8c48aa13e678ef8988d16198aa0dd767e6255e75f56c405fee03f1ea99852243b83c8e99bca703b7046eed97cf1ee8ffdce55580375805266b536d4dae3f9bce

  • SSDEEP

    6144:2o07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:2tQVG+JIe/mGzMNlMVFC3Xi/YwOi

  Score

  10^/10

  teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (425) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2