General
Target: 7f86a752b3f4b7ffab51d607d34caca8_JaffaCakes118
Size: 225KB
Sample: 240529-fc6n6abg53
MD5: 7f86a752b3f4b7ffab51d607d34caca8
SHA1: f53bc86eb978ac7ba79d5dd8750f450723ae8fb7
SHA256: 961b6ebce95134ed4bfb72937db55d4b9b1eecc76c1c5aab6e15c839e3ddd819
SHA512: 21070ea9888af80b4ebb8034c44c98db3f04980db5a87c63c3d8c25a249f412fd567d82e10d736641ea605fdce4df3ce77a888f486d7e05e449ea9b3e8f215b8
SSDEEP: 3072:XfLnfk1mn7UVGhRXR9cEF3KGx/CgO9PcsibcbQLOEpTR5w1BNH50Idt:XfL8c4VQcEwGxagiPSbIyPKQIb
Static task: static1
Behavioral task: behavioral1
  Sample: 7f86a752b3f4b7ffab51d607d34caca8_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 7f86a752b3f4b7ffab51d607d34caca8_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
Malware Config
Extracted from F:\$RECYCLE.BIN\UMGXBJBPA-DECRYPT.txt:
  http://gandcrabmfe6mnef.onion/cc1d106e38b0b9d3
Extracted from C:\PerfLogs\FHRGZUTBF-DECRYPT.txt:
  http://gandcrabmfe6mnef.onion/1a5a8832fcba38f
Targets
Target: 7f86a752b3f4b7ffab51d607d34caca8_JaffaCakes118 (225KB; hashes identical to those listed under General above)
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Renames multiple (279) files with an added filename extension: this suggests ransomware activity, encrypting all the files on the system.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry