General

  • Target

    67ba173a7bdf01c3016cdd70f40f45b5_JaffaCakes118

  • Size

    265KB

  • Sample

    240522-swnnxafg91

  • MD5

    67ba173a7bdf01c3016cdd70f40f45b5

  • SHA1

    23f7cb130a178507fd0437db28cfd2425c4caa2e

  • SHA256

    db0e80189ecad474b3bb4539a9d0e3dd9e14057871ca9b8ece51400a72ebb84f

  • SHA512

    fd9a2449febf26d44e3b3149ec1ca41d3c2a53e20a1d805e185f0461caf1349000ed88c7d2a800de372b54cc7692d2e695b90659a6fdf04dc6c97a0249af8cdf

  • SSDEEP

    6144:BaHY0DNpINAEQksZu+JKrzvAPXrt8QmodL:BaHY0DNpINABZ9JKrTkOox

Malware Config

Extracted

Path

C:\Users\Public\Videos\Restore-My-Files.txt

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
07 A1 E4 F2 9D D5 1C 2D 71 55 57 01 5C ED D3 72 D3 EC 64 C2 12 89 7A 38 95 70 3F C9 E6 0F A2 03 B2 F1 D5 31 44 3A 3C AA 5A BF B7 FB 7B 13 0F 5C 1D D1 86 0F 60 B2 68 0E FF 3C BC E9 FB F1 23 18 1E 70 3B FB 1A 1C B8 D3 C2 CA 33 EE 8F 84 47 DB 12 5E 5D 71 87 68 DC A0 3B 46 4F 36 FF 6D 1B B4 9B 69 10 11 32 48 75 54 68 D7 61 1D BA 34 86 EF 45 BD C5 3C 7C 11 F8 01 94 04 5B 9C 55 1A 66 F6 70 73 CF FB 26 8C B6 E3 81 21 7F C3 C8 07 22 C3 F2 26 68 E6 42 7F 26 12 56 65 40 20 CC DB B4 C8 73 FF 74 0F 0D 40 58 87 92 A1 4F 1F CE 4C 16 68 BF AA 0B 9A D7 68 AC 7A E9 AD 1A 71 46 AE 45 27 37 E2 5F 70 2D 50 02 B1 F0 66 BC 78 F5 3E 6A 59 AE 69 C3 DE AA CD 77 2B B0 30 F4 38 6C 8F 5E 1D 59 66 3E D8 7C FB C4 4C F1 8F 43 FA E0 FB CF C1 0D 85 2B 9F 05 6E 43 C0 7A 2A 7C D4 19 8A 77 1A
###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (6905) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks