General
Target: 676734b55087daccd1b51407c9954cec_JaffaCakes118
Size: 241KB
Sample: 240522-qmy26sch65
MD5: 676734b55087daccd1b51407c9954cec
SHA1: a80e54f2e0c319babf82bf681d555757c2dfd5f5
SHA256: a2277ccbce73460705a3365a8152c2308b663a2877b5710d2a4a150dea9f7f45
SHA512: 7f66a2e69e652f16f50add5311865042afab6786e6070d3ca9022eea4a6c2c30fd795a9e75657c01a076eb685c7f90bc35097a20885f547deb11587443568081
SSDEEP: 3072:BOqBEFWcUU1nvPpFuoBtjO/ULu/UIUUq8bRObuSq2rlJ77lDcK4+2NvvZv8Y:B3EFMa5xq/UC/Ugsr3lJ77FPmZ
Static task: static1
Behavioral task: behavioral1
    Sample: 676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    Resource: win10v2004-20240426-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\KRAB-DECRYPT.txt
    http://gandcrabmfe6mnef.onion/222d58f1a8a3c705
Extracted from: C:\PerfLogs\KRAB-DECRYPT.txt
    http://gandcrabmfe6mnef.onion/8be2d3f87839adb3
Targets
Target: 676734b55087daccd1b51407c9954cec_JaffaCakes118
Size: 241KB
MD5: 676734b55087daccd1b51407c9954cec
SHA1: a80e54f2e0c319babf82bf681d555757c2dfd5f5
SHA256: a2277ccbce73460705a3365a8152c2308b663a2877b5710d2a4a150dea9f7f45
SHA512: 7f66a2e69e652f16f50add5311865042afab6786e6070d3ca9022eea4a6c2c30fd795a9e75657c01a076eb685c7f90bc35097a20885f547deb11587443568081
SSDEEP: 3072:BOqBEFWcUU1nvPpFuoBtjO/ULu/UIUUq8bRObuSq2rlJ77lDcK4+2NvvZv8Y:B3EFMa5xq/UC/Ugsr3lJ77FPmZ
- Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (296) files with an added filename extension
    This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.