Extracted

Extracted

• • Target

    4df3ffbb785795de68dec97206b6a696_JaffaCakes118

  • Size

    484KB

  • MD5

    4df3ffbb785795de68dec97206b6a696

  • SHA1

    e22f32f3e1371f6deeb39bbffb5fde6a08344c5f

  • SHA256

    1d58c2f7b8364b1d207e39f91138b5079e6368a78312557117fcdc9f38deb87a

  • SHA512

    310bda0a23f780b27937fe6065239326ca1576a3eba7fa7a1867a7d3b56da2dc29c5fcab1daa1e43a991e770a21d6cd208e21b5f551ebf219266315859c03122

  • SSDEEP

    6144:YutAHuAX1/7zv+Ul4s/KFxhNDPPHf2TNhOAL68v6RD/Nqr49Jr:YxHu4/H6xhtPPHf2JhTxvU/4rI

  Score

  10^/10

  teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (408) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence
  behavioral1behavioral2