General
Target: 6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118
Size: 128KB
Sample: 240523-x2fbyadb71
MD5: 6c02819d4c8f9dd920e0368588e65ccb
SHA1: 59b2862e85e0f030f18a7d0c07fb2dca2d5b2432
SHA256: b0fbcec8c22a53492e24e3cd38e32af4f2d3399b1ef71f6cef6d58bc692957f1
SHA512: 574224d3e29b8b1649666cec8fc91cf7f7b84ab4b1c4e1af9c82da4bad553189a94de5f7e41221401f1434dc191c4d052194ecf3ada0b22d2078e410a0660dfe
SSDEEP: 1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcdhIS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hhhIS3FZBaCgrQp0Mq
Static task: static1
Behavioral task: behavioral1
  Sample: 6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted (ransom note)
  Path: C:\MSOCache\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/64259031ebb0cc77
Extracted (ransom note)
  Path: F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/887961781cc0db56
The KRAB-DECRYPT.txt note name and the gandcrabmfe6mnef.onion payment site identify the family as GandCrab. The trailing path segment differs between the two extractions, so it is a per-infection token rather than a stable indicator: block or hunt on the .onion hostname, not the full URL. The second note sits in a per-user $RECYCLE.BIN folder on the F: volume, which shows the sample reached a drive other than C:.
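Reproducing the extraction step for the two notes, as an added example that is not the sandbox's own parser: the note paths and URLs are the ones listed above, the note bodies and the decoy readme.txt are constructed, and the `*-DECRYPT.txt` name pattern, the onion-host regex and the SID regex are assumptions made for the example. The point it shows is which parts to keep as indicators: the .onion host is the same in both notes, the path token is not.

```python
"""Extract payment URL, per-infection token and user SID from ransom notes.

Added example, not part of the sandbox report. The two note paths and the two
.onion URLs come from the report; the note text and the decoy file are made up.
"""
import re
from urllib.parse import urlsplit

# Constructed notes keyed by drop path (paths and URLs from the report, prose invented).
SAMPLE_NOTES = {
    r"C:\MSOCache\KRAB-DECRYPT.txt":
        "All of your files have been encrypted.\n"
        "To get the decryptor open http://gandcrabmfe6mnef.onion/64259031ebb0cc77 in Tor Browser.\n",
    r"F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\KRAB-DECRYPT.txt":
        "All of your files have been encrypted.\n"
        "To get the decryptor open http://gandcrabmfe6mnef.onion/887961781cc0db56 in Tor Browser.\n",
    # Decoy: an ordinary text file that must not be treated as a note.
    r"C:\Users\a\Desktop\readme.txt": "see http://example.onion/ignored for details\n",
}

# Assumed patterns: v2 (16 chars) or v3 (56 chars) base32 onion host with optional path,
# a <TAG>-DECRYPT.txt note name, and a domain-account SID.
ONION_URL = re.compile(r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[^\s\"'<>]*)?", re.I)
NOTE_NAME = re.compile(r"^[A-Z0-9]{3,8}-DECRYPT\.txt$", re.I)
USER_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def is_ransom_note(path):
    """True if the file name matches the assumed ransom-note naming pattern."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return NOTE_NAME.match(name) is not None


def split_onion_url(url):
    """Return (hostname, first path token or None) for an onion URL."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.path.strip("/") or None


def extract_config(notes):
    """Collect stable IOCs (onion hosts) separately from volatile ones (path tokens),
    plus the user SID when the note was dropped into a per-user folder."""
    cfg = {"note_paths": [], "domains": set(), "victim_ids": set(), "user_sids": set()}
    for path, text in notes.items():
        if not is_ransom_note(path):
            continue
        cfg["note_paths"].append(path)
        sid = USER_SID.search(path)
        if sid:
            cfg["user_sids"].add(sid.group(0))
        for url in ONION_URL.findall(text):
            host, token = split_onion_url(url)
            cfg["domains"].add(host)
            if token:
                cfg["victim_ids"].add(token)
    return cfg


if __name__ == "__main__":
    print(extract_config(SAMPLE_NOTES))
```

Feed `extract_config` the dropped-file listing from a sandbox or an EDR file-write log; `domains` is what goes into a blocklist, `victim_ids` is only useful for correlating runs of the same infection.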
Targets
Target: 6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118
Size: 128KB
Hashes: identical to the MD5, SHA1, SHA256, SHA512 and SSDEEP values listed under General above
Signatures
Deletes shadow copies: Removes Volume Shadow Copy (VSS) snapshots so that encrypted files cannot be rolled back from local restore points, a standard ransomware step to inhibit recovery. In process telemetry this shows up as vssadmin, wmic or WMI Win32_ShadowCopy invocations.
Renames multiple (321) files with added filename extension: 321 files were renamed by appending a new extension, the trace left by bulk file encryption.
Checks computer location settings: Reads the country code configured in the registry, most likely a geofence that spares victims in particular countries.
Drops startup file: Writes a file into a Startup location so that it runs again at logon (persistence).
Enumerates connected drives: Reads the root path of drives other than the default C: drive to locate additional volumes to encrypt; the ransom note extracted from F:\$RECYCLE.BIN above confirms a second volume was reached.
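The signatures above are sandbox verdicts. The code below, an added example that is not part of the report or of any sandbox engine, shows how four of those behaviours (shadow-copy deletion, a burst of renames that append one extension, a read of the registry locale settings, and access to non-system drive roots) can be scored from process, file and registry events of the kind an EDR or Sysmon feed provides. The event records, the 20-file burst threshold, the `.locked` extension and the registry key patterns are constructed or assumed for the example.

```python
"""Score ransomware behaviours from endpoint telemetry.

Added example, not the sandbox's own detection logic. Events are constructed
dicts in the shape of a generic EDR feed; the burst threshold, the '.locked'
extension and the locale registry keys are assumptions for the example.
"""
import re
from collections import defaultdict

RENAME_BURST_MIN = 20  # assumed threshold for "mass rename"

# Command lines that delete or starve VSS snapshots.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),            # PowerShell over WMI
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*?/maxsize=", re.I),
]
DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\?$")
# Assumed registry locations holding locale / country configuration.
LOCALE_KEYS = re.compile(r"\\Control Panel\\International$|\\Control\\Nls\\(?:Language|Locale)$", re.I)


def is_shadow_copy_deletion(cmdline):
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def added_extension(old, new):
    """Suffix appended to the original name (e.g. '.locked'), else None.
    A rename that replaces the extension (x.tmp -> x.docx) is not counted."""
    if new.startswith(old) and len(new) > len(old) + 1 and new[len(old)] == ".":
        return new[len(old):]
    return None


def rename_bursts(events, min_files=RENAME_BURST_MIN):
    """(pid, extension) pairs that appended the same extension to >= min_files files."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "rename":
            ext = added_extension(e["old"], e["new"])
            if ext:
                counts[(e["pid"], ext.lower())] += 1
    return {k: n for k, n in counts.items() if n >= min_files}


def non_system_drive_roots(events, system_drive="C"):
    """Drive roots other than the system drive opened by each pid."""
    roots = defaultdict(set)
    for e in events:
        if e["type"] == "file_open":
            m = DRIVE_ROOT.match(e["path"])
            if m and m.group(1).upper() != system_drive.upper():
                roots[e["pid"]].add(m.group(1).upper() + ":\\")
    return {pid: sorted(r) for pid, r in roots.items()}


def locale_lookups(events):
    """pids that read the locale / country settings from the registry."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry_read" and LOCALE_KEYS.search(e["key"])})


def ransomware_verdict(events):
    shadow = {e["pid"] for e in events
              if e["type"] == "process" and is_shadow_copy_deletion(e["cmdline"])}
    return {
        "deletes_shadow_copies": sorted(shadow),
        "rename_bursts": rename_bursts(events),
        "checks_locale": locale_lookups(events),
        "enumerates_other_drives": non_system_drive_roots(events),
    }


def build_sample_events():
    """Constructed telemetry: pid 4132 behaves like the sample, pid 900 is benign."""
    ev = [
        {"pid": 4132, "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"pid": 4132, "type": "process", "cmdline": "wmic shadowcopy delete"},
        {"pid": 900,  "type": "process", "cmdline": "vssadmin list shadows"},
        {"pid": 4132, "type": "registry_read", "key": "HKCU\\Control Panel\\International", "value": "iCountry"},
        {"pid": 4132, "type": "file_open", "path": "D:\\"},
        {"pid": 4132, "type": "file_open", "path": "F:\\"},
        {"pid": 900,  "type": "file_open", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
        {"pid": 900,  "type": "rename", "old": "C:\\tmp\\x.tmp", "new": "C:\\tmp\\x.docx"},
    ]
    ev += [{"pid": 4132, "type": "rename",
            "old": f"C:\\Users\\a\\Documents\\doc{i}.docx",
            "new": f"C:\\Users\\a\\Documents\\doc{i}.docx.locked"} for i in range(25)]
    ev += [{"pid": 900, "type": "rename",
            "old": f"C:\\cfg\\app{i}.ini", "new": f"C:\\cfg\\app{i}.ini.bak"} for i in range(3)]
    return ev


if __name__ == "__main__":
    print(ransomware_verdict(build_sample_events()))
```

Each function is keyed by pid on purpose: shadow-copy deletion alone is also done by legitimate backup tooling, so the useful alert is the combination of several of these behaviours from the same process within a short window, and the rename burst should be tuned against whatever rename rate the environment's backup or archiving agents produce.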