General
- Target: 754d6f6160a4a202df99e73dcd749cfb_JaffaCakes118
- Size: 129KB
- Sample: 240526-ndyc6sgd2x
- MD5: 754d6f6160a4a202df99e73dcd749cfb
- SHA1: a282405738c44292b24c5849aabd0a72e2bd8087
- SHA256: bfbb113f610393d6b70b963db5e8ade14e7f78c73f45b61fd98b235129421e6e
- SHA512: 2d82afac315780cc78a326df94a6db02fb901755710194cb79efe1890209c15d2fcb6653807c5f9c2b7fdd5c8a71e7ea69c404efac2652f2ee2c5ccb43d36bca
- SSDEEP: 3072:Ik0a9QdBJz4c2usOfv66/rWSTx0QDgxO1l1aAKaeVCUxu:IY9Qdjz4Dusr6jWSTx0pO1rXUw
Static task: static1
Behavioral task: behavioral1
- Sample: default_2019-01-02_21-26.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: default_2019-01-02_21-26.exe
- Resource: win10v2004-20240426-en
Malware Config
- Extracted from C:\Users\PDFLBIMNRR-DECRYPT.txt: http://gandcrabmfe6mnef.onion/feed2f6da9d0f154
- Extracted from F:\$RECYCLE.BIN\RJSMDEI-DECRYPT.txt: http://gandcrabmfe6mnef.onion/13d0f5e516f4b62e
Targets
- Target: default_2019-01-02_21-26.exe
- Size: 209KB
- MD5: 6df20fe392717c9fb3409b79cd21af00
- SHA1: cc0ad51b5cbe31d291f52886d86137845619815e
- SHA256: 92f3b5ca5f796cbaa5ddb3d74341b43d19afd485f20a9f9707a450da9087158d
- SHA512: b99af8dce3a4228894a12dff801eebe81633b4e8aed9bebae1e0009f5ccca3d306cc7e8f39f10148ae36bdbce5ab94a4e83d40a06b1298e5b40a66329ebdbffc
- SSDEEP: 6144:GwEWrQ6yRxL+vt/ffFIM2b3sglqgv5/tNb:GwEa9e9ihF1+3saXtN
Signatures
- Deletes shadow copies: ransomware often deletes backups to inhibit system recovery.
- Renames multiple (317) files with an added filename extension: this suggests ransomware activity, encrypting files across the system.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry