General
Target: 6b36ffcd7638afbd0e04f1c1864dcf05_JaffaCakes118
Size: 3.2MB
Sample: 240523-rmf22aeb62
MD5: 6b36ffcd7638afbd0e04f1c1864dcf05
SHA1: ede6b076f830b96d25ec2a70b890fd4e03f2f75a
SHA256: 0c76be59948ce55eab5f10eedf6c765240d481e882b96aac3eac5e7ea7591e6c
SHA512: ade8015b914b1a4b9747f6690f68dd96ea27459bcddaefaf7606f2c8758130b7e6a6874faa6e28d2dbb8b89c4590c4e5231697902eaa2ed8e9b6337d5e7d5880
SSDEEP: 49152:AAnjm0wVHwA1zKXr/TGS82RjqHszN+DvS7Cqelhk4n9vD9zY+VLG/KRxmTZ1Wgb:vavr0XrrVNeS7Chlh77Y+xTqTZ1WK
Static task: static1
Behavioral task: behavioral1
Sample: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
Resource: win10v2004-20240426-en
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/c2313a9fae460b3a
Extracted from: C:\$Recycle.Bin\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/45babff225fdaea1
Targets
Target: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344
Size: 128KB
MD5: 6b552e8f29852fc7406d07e98ecaf3df
SHA1: baedb5362cf9208b48c6eeb1d81a5839d4f6ee4e
SHA256: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344
SHA512: 8ccf1c0e63319d6bd895d2f78ef9ac57be8f6f1992c9537d0c9687e27fc01e50f90b4aa39f6a5e81cc1d38638e84d5c0cf68abd6bb472a502ed8ab932c7c5c47
SSDEEP: 1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcd2IS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hh2IS3FZBaCgrQp0Mq
Deletes shadow copies
Ransomware often deletes backup copies to inhibit system recovery.
Renames multiple (297) files with added filename extension
This is consistent with ransomware encrypting files across the system.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.