General
Target: 7179a0c240977305f04de6c449e1a202_JaffaCakes118
Size: 191KB
Sample: 240525-k1kttacc3y
MD5: 7179a0c240977305f04de6c449e1a202
SHA1: 4fecdefd8dfd0da3a22026a806c650fee79cd6aa
SHA256: c3ec9dda48e2b566fd8e8d2d87303cbeabd3fb7bc64e37e165bf820647aab1cb
SHA512: a5d7c61776d5166ee98e5a2c054c5b63a77002cf1f4988cc4e58eb4c587589652fe2a32260101fc7821068ec5a7f31dc0237d40791cfb0e4de0e1858d386a7e5
SSDEEP: 3072:xgckLPbVStLLh9UrSrsv58D7iqNmmRtI8S4D7IEF0aW+2w:47ktLLh2egS7i5mw8S4D7FQ+2
Static task: static1
Behavioral task: behavioral1 (sample 7179a0c240977305f04de6c449e1a202_JaffaCakes118.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample 7179a0c240977305f04de6c449e1a202_JaffaCakes118.exe, resource win10v2004-20240508-en)
Malware Config
Extracted ransom note: C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\WTSDILWTH-DECRYPT.txt
Contained URL: http://gandcrabmfe6mnef.onion/bce7ac709a9a8922
Extracted ransom note: C:\Users\JHTUBQHVDB-DECRYPT.txt
Contained URL: http://gandcrabmfe6mnef.onion/4faddaebd151dfc6
Targets
Target: 7179a0c240977305f04de6c449e1a202_JaffaCakes118 (191KB; hashes as listed under General)
Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
Renames multiple (317) files with added filename extension: this suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry