General
Target: 81db20ec76b716e895a3c4ce9246a9e9_JaffaCakes118
Size: 370KB
Sample: 240529-zhr8haaa76
MD5: 81db20ec76b716e895a3c4ce9246a9e9
SHA1: 491feee5a93e30c0d5a3c6ebb8a5a653984a61b6
SHA256: e3833efe7668f90371d3ab7e65fabfe226d3c90d863ae42bed4bcc6833309fc3
SHA512: ff1385b7e942e86c0c9e4d48d7ab5a326d1f02d64606263326ec84d104bb6a362cbfdcc2000312dd43c6dfa0961f5f4720710282b085ac3afe23c1ae2395bac6
SSDEEP: 6144:5BHwlQA0/oV1UPP7fHZAYpGoJpkxkPq0JkVH5Sd/sTtDhn8PKM8oSQsVt6OiafpF:/W0gQ7fRJBkzSdWhCJCtvpF
Behavioral task: behavioral1
Sample: 81db20ec76b716e895a3c4ce9246a9e9_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 81db20ec76b716e895a3c4ce9246a9e9_JaffaCakes118.exe
Resource: win10v2004-20240426-en
Malware Config
Extracted from: C:\Users\Admin\Desktop\_READ_THI$_FILE_WPCTMCW_.txt
Extracted from: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THI$_FILE_ISCJP_.txt
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THI$_FILE_5BDK_.hta
Family: cerber
Targets
Score: 10/10
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext