General
-
Target
66a29907be635eec743eb65225c63ec7_JaffaCakes118
-
Size
238KB
-
Sample
240522-kcww6she37
-
MD5
66a29907be635eec743eb65225c63ec7
-
SHA1
5dc5270d6c45185efdc149291fea0ac4b3cbe212
-
SHA256
949f8d17e9e2e632e8d0f1e7f47327300a5c2e8d937eccf15f5b78a4fc882e35
-
SHA512
553e568e6c2420fb8b396606789d2739260fe986c5186fb1efdcde5e6ac6d4d7ecc66ba6644c0ceb902e17b72e110d9454fa0ad8f3857e7da1cad0be093e2f0f
-
SSDEEP
3072:KNdm6/Xbi5XJC/O45Riu9ShhIuiGKSLtNO9axj/LT5yFP26Mt3fZNXTWy813W:Kn/L+GOmF8hFKSZ/1yFujJPW3W
Static task
static1
Behavioral task
behavioral1
Sample
66a29907be635eec743eb65225c63ec7_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
66a29907be635eec743eb65225c63ec7_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
CabDLL.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
CabDLL.dll
Resource
win10v2004-20240426-en
Malware Config
Extracted
C:\Users\Admin\Music\README.hta
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\README.hta
Targets
-
-
Target
66a29907be635eec743eb65225c63ec7_JaffaCakes118
-
Size
238KB
-
MD5
66a29907be635eec743eb65225c63ec7
-
SHA1
5dc5270d6c45185efdc149291fea0ac4b3cbe212
-
SHA256
949f8d17e9e2e632e8d0f1e7f47327300a5c2e8d937eccf15f5b78a4fc882e35
-
SHA512
553e568e6c2420fb8b396606789d2739260fe986c5186fb1efdcde5e6ac6d4d7ecc66ba6644c0ceb902e17b72e110d9454fa0ad8f3857e7da1cad0be093e2f0f
-
SSDEEP
3072:KNdm6/Xbi5XJC/O45Riu9ShhIuiGKSLtNO9axj/LT5yFP26Mt3fZNXTWy813W:Kn/L+GOmF8hFKSZ/1yFujJPW3W
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (512) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
a436db0c473a087eb61ff5c53c34ba27
-
SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506
-
SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
-
SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
SSDEEP
192:aVL7iZJX76BisO7+UZEw+Rl59pV8ghsVJ39dx8T:d7NsOpZsfLMJ39e
Score3/10 -
-
-
Target
CabDLL.dll
-
Size
28KB
-
MD5
a4c07c7c2328612f32465ed4350fc6b1
-
SHA1
578e751f602ed19336406e85e59fdc807e8e5e47
-
SHA256
1fb5fd45067a68ca5cd7428ff2ac81cb5b090ee48383e3ab771d89d08eb10332
-
SHA512
24990ceb668f03410ee62fcf47cfae57a0c5cd1dc09308f8b839c9bcb3ae20c332fdd9ab4a1e63996035b2c835a2aba07b1a38d5a94a47f4432d2c781d711283
-
SSDEEP
192:hRpioDMVr1UNKPpQUnShF0bvJUu0xeKSSBJOt74msjmzO87yPNv77777xYYYYYYq:hRpwzKdhqbvSXI2mrX+PvYYYYYYGL
Score3/10 -