General

  • Target

    87731031fc89b5e3505a47298d2cc968_JaffaCakes118

  • Size

    25KB

  • Sample

    240531-sntj7ach87

  • MD5

    87731031fc89b5e3505a47298d2cc968

  • SHA1

    3de11783a9e0f2836a00a0e8085fb63133ff388f

  • SHA256

    29c99eba250489aa489a52aaafa30f567bfe5ae304e68dd045e96d084775333b

  • SHA512

    29decb91ee2c4187de6a25acd8c69d7cc8d3d38e2c1a831b05479f1f34c4664f845ed4415b5729cd73d6854c7fa3b5089503f7997b9f548f7c45c15f08556900

  • SSDEEP

    768:S0FmBkpKjPYpfJ88l7HOo47SaUzykFT2Rv:SOhFJ84Oo0yh8v

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

All your important files were BLOCKED on this computer. Encrtyption was produced using unique KEY generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed. REMEMBER YOU HAVE ONLY 24 HOURS TO PAY EVERITHING IS AUTOMATICALLY! To retrieve the private key, you need to pay 700-EURO PLEASE BE REZONABLE PAYMENT IS LITTLE ONLY 700 EURO WE ACCEPT ONLY PAYMENT TO BITCOIN! Bitcoins have to be sent to this address: 3J1MD7EAzdaYeWBDA71t7NShkC64W4a41T After you've sent the payment send us an email to : [email protected] with subject : ERROR-ID-6310700 If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com After we confirm the payment , we send the private key so you can decrypt your system.
Wallets

3J1MD7EAzdaYeWBDA71t7NShkC64W4a41T

Targets

    • Renames multiple (9072) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
