Overview (score 10)
Static (score 3)
692d49625c...18.exe, windows7-x64 (score 10)
692d49625c...18.exe, windows10-2004-x64 (score 10)
$PLUGINSDI...em.dll, windows7-x64 (score 3)
$PLUGINSDI...em.dll, windows10-2004-x64 (score 3)
CDRom.dll, windows7-x64 (score 1)
CDRom.dll, windows10-2004-x64 (score 3)
getOpenDocumentIDs.js, windows7-x64 (score 3)
getOpenDocumentIDs.js, windows10-2004-x64 (score 3)

General
- Target: 692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118
- Size: 193KB
- Sample: 240523-a148cafb2t
- MD5: 692d49625c7262324ab1aa9d720c3d3b
- SHA1: 75de252079b1f2d09fa93b5055334d8ca7f09627
- SHA256: 7cb371a5b42b54e45cb52e7b45092b5f129e3e77a045bebe01b72f1a82d08af6
- SHA512: e4e8919b1373abcd3e4ac826a09a9135adfe63a489cb71db7f55dd20759cfd1356f467dbac896036bf0f1a3d18a39030e10b067a081637ec1e5a0e3b78ba86f3
- SSDEEP: 6144:Ig1KQjo9U8fM37zn2vvwwb2epWa2JlILAkrddCPu0:m9U8Q/SyepWaqlILFr30
Static task: static1

Behavioral tasks
- behavioral1: Sample 692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe, Resource win7-20240508-en
- behavioral2: Sample 692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe, Resource win10v2004-20240426-en
- behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20231129-en
- behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240508-en
- behavioral5: Sample CDRom.dll, Resource win7-20240221-en
- behavioral6: Sample CDRom.dll, Resource win10v2004-20240508-en
- behavioral7: Sample getOpenDocumentIDs.js, Resource win7-20240215-en
- behavioral8: Sample getOpenDocumentIDs.js, Resource win10v2004-20240508-en
Malware Config

Extracted from C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  - http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26
  - http://cerberhhyed5frqa.onion.cab/CEDD-76F3-C1C8-006D-AE26
  - http://cerberhhyed5frqa.onion.nu/CEDD-76F3-C1C8-006D-AE26
  - http://cerberhhyed5frqa.onion.link/CEDD-76F3-C1C8-006D-AE26
  - http://cerberhhyed5frqa.tor2web.org/CEDD-76F3-C1C8-006D-AE26
  - http://cerberhhyed5frqa.onion/CEDD-76F3-C1C8-006D-AE26

Extracted from C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Extracted from C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  - http://cerberhhyed5frqa.onion.to/56B5-7373-DCCF-006D-AB0F
  - http://cerberhhyed5frqa.onion.cab/56B5-7373-DCCF-006D-AB0F
  - http://cerberhhyed5frqa.onion.nu/56B5-7373-DCCF-006D-AB0F
  - http://cerberhhyed5frqa.onion.link/56B5-7373-DCCF-006D-AB0F
  - http://cerberhhyed5frqa.tor2web.org/56B5-7373-DCCF-006D-AB0F
  - http://cerberhhyed5frqa.onion/56B5-7373-DCCF-006D-AB0F

Extracted from C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Targets

Target: 692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118
- Size: 193KB
- MD5: 692d49625c7262324ab1aa9d720c3d3b
- SHA1: 75de252079b1f2d09fa93b5055334d8ca7f09627
- SHA256: 7cb371a5b42b54e45cb52e7b45092b5f129e3e77a045bebe01b72f1a82d08af6
- SHA512: e4e8919b1373abcd3e4ac826a09a9135adfe63a489cb71db7f55dd20759cfd1356f467dbac896036bf0f1a3d18a39030e10b067a081637ec1e5a0e3b78ba86f3
- SSDEEP: 6144:Ig1KQjo9U8fM37zn2vvwwb2epWa2JlILAkrddCPu0:m9U8Q/SyepWaqlILFr30

Signatures
- Contacts a large (16388) amount of remote hosts: This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows: This may indicate a network scan to discover remotely running services.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Adds policy Run key to start application
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
Target: $PLUGINSDIR/System.dll
- Size: 11KB
- MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
- SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
- SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
- SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
- SSDEEP: 96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
- Score: 3/10
Target: CDRom.dll
- Size: 56KB
- MD5: 92a13582da4813aec5794923570e317d
- SHA1: 8a95e3b7b1183791bfbbfe180503628781772a23
- SHA256: d8ffe6a076b98e5fbe727629a1e0e8fb700bfb17d42fd97be93073a85758ff36
- SHA512: 71fa245f672f0851cabcec6f6703201fdd1c305d2c2ef85efc61cea1f39ac06934190dc0c8d6b7bdb7544e9f66e57314b2e73d1f4c51525cdffcd3d5998b6217
- SSDEEP: 1536:khTHdqGJd0haHibUFFkdlgQ5C1V8QMG8Gm:ktHdqRbUFFgQ+
- Score: 3/10
Target: getOpenDocumentIDs.jsx
- Size: 175B
- MD5: a6b21e84cfffda8936b29e7c9a99be33
- SHA1: 52c8d102768228cf95165ce94482efe077250693
- SHA256: 16aebcb843ceb74d45a814c633c1f2fc2577bc8ab485da16d20700efca8b80b7
- SHA512: f049f65179fd715123f193f18c201ee23b05589dc16f9c08d4d04b4deabde2b01fb63cb905e09ed3bae6ce17ef290b26d19b66fb3a724399f450b0ba8d2ca4af
- Score: 3/10
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- Windows Management Instrumentation (1)
- Command and Scripting Interpreter (1)
  - JavaScript (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)

Defense Evasion
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (4)
- File and Directory Permissions Modification (1)