General
Target: 6a7072df1cee31eefc15368fbb805f9d_JaffaCakes118
Size: 645KB
Sample: 240523-k4fdhabf43
MD5: 6a7072df1cee31eefc15368fbb805f9d
SHA1: fa2499d515b2395814014ef6c6ed2c4149fa8a9d
SHA256: 7bb4305a647d0126fe5f984549c3b92bcb6af11719b78112f6d795eaaecf2e6d
SHA512: 3a57f9b48bee561f6f3645195f73bea1d9c676f6607ddc8101227d929525b8844ac94694ce1f29b2dc8cba84708c3de8f6ee6b3e6234b80382f96201e17fbdaa
SSDEEP: 6144:oog5I9axysg5OPpO7zwGtqhyRBIZi4zVh2RiUX9o:Hgu9my/5OPp+zwMSlHXs
Static task: static1
Behavioral task: behavioral1
  Sample: 6a7072df1cee31eefc15368fbb805f9d_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 6a7072df1cee31eefc15368fbb805f9d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\RWJMLYTSJ-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/1244a3b28013bd8c
Extracted: C:\$Recycle.Bin\ORGKVDWCY-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/c4d264356f307954
Targets
Target: 6a7072df1cee31eefc15368fbb805f9d_JaffaCakes118
- Deletes shadow copies. Ransomware often deletes backup files to inhibit system recovery.
- Renames multiple (288) files with an added filename extension. This suggests ransomware activity: encrypting the files on the system.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file.
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using the registry.