General
-
Target
676a80221c30288c2bb8a26bfc549b9a_JaffaCakes118
-
Size
252KB
-
Sample
240522-qqrghadb23
-
MD5
676a80221c30288c2bb8a26bfc549b9a
-
SHA1
1a03cadea471f4a5412628b2995c6e988b0c5073
-
SHA256
b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e
-
SHA512
d5a0b68bf7702cce1992f7050e4af82ca2be64b0cb5525102fcccbbd14b1aae7ae59a762f368aeb500efc7d193f5507937f1a01f13bed5d3f76664adabf9ab4e
-
SSDEEP
6144:UcOLL7sV0pSjG5S4y1htkAspaHIdGBGnwfV:UTX7sV0poGuk8o6f
Static task
static1
Behavioral task
behavioral1
Sample
676a80221c30288c2bb8a26bfc549b9a_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
676a80221c30288c2bb8a26bfc549b9a_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?96B283EF5B7ACD4CBCD857851E726CAF
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CBCD857851E726CAF
Extracted
C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?96B283EF5B7ACD4CBCD857851E726CAF
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CBCD857851E726CAF
Extracted
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?96B283EF5B7ACD4C8FCF959849B4230F
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4C8FCF959849B4230F
Targets
-
-
Target
676a80221c30288c2bb8a26bfc549b9a_JaffaCakes118
-
Size
252KB
-
MD5
676a80221c30288c2bb8a26bfc549b9a
-
SHA1
1a03cadea471f4a5412628b2995c6e988b0c5073
-
SHA256
b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e
-
SHA512
d5a0b68bf7702cce1992f7050e4af82ca2be64b0cb5525102fcccbbd14b1aae7ae59a762f368aeb500efc7d193f5507937f1a01f13bed5d3f76664adabf9ab4e
-
SSDEEP
6144:UcOLL7sV0pSjG5S4y1htkAspaHIdGBGnwfV:UTX7sV0poGuk8o6f
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (9322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-