Extracted

Extracted

• • Target

    546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118

  • Size

    384KB

  • MD5

    546fe4e8d28a6c67a1047286eb57d773

  • SHA1

    19a807a5fe6f1974ea4ba5f2bafb5cf4edb56f23

  • SHA256

    828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c

  • SHA512

    702ac5cd5e84d6157ab79fc6e41fa4fc1075e72318459345e7e75db200c07d09bf20d7f5b759c53e1207f80d0bbc2f5ab2c464b3cd8c8b8d4ffbc1b32707e5f2

  • SSDEEP

    6144:7tguKU1XD9oEmWMF6L2IzjAqXuxoaqHwdfOUavNJ3en9THb3IA/OYILI:+uRBoOc4js11GUfVsNJ3entMAWp

  Score

  10^/10

  teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (414) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2