General

  • Target

    42bdbc212cd27f1358e9f8f18c13dd45_JaffaCakes118

  • Size

    706KB

  • Sample

    240514-yclyvscg8x

  • MD5

    42bdbc212cd27f1358e9f8f18c13dd45

  • SHA1

    ba67a2960d9abba5857c15c3fd3660dc44527f64

  • SHA256

    0f834480790b7c90994d3ddf328a8bd4aa5f2145ad0f0702a6e6bdf6766667ff

  • SHA512

    3d12e49be68c7e44fe5fd9120a4b777ed166026b152be1166fd4cf335fe5640524386698ca7d33be9a503443d502cb6cf0c758fd7933f3ef1de0ca32473c6405

  • SSDEEP

    12288:ZMMpXKb0hNGh1kG0HWnAMU866/MMpXKb0hNGh1kG0HWnAQU866w0B2uJ2s4otqFk:ZMMpXS0hN0V0HoSMMMpXS0hN0V0H0SGx

Targets

    • Modifies WinLogon for persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system and renaming them with a new extension.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15