General
- Target: 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118
- Size: 1.1MB
- Sample: 240601-ygcwrada6x
- MD5: 8b8eeeeaff8cd8d23b43e77e80653e57
- SHA1: 5103d0848b3a9c17e61d8409b61a341037ba81e9
- SHA256: f64400c70d4467a3c1b9e681cff5d4df8a5e4088f6224d32c1635d1fc861615e
- SHA512: 6b9714206744ee60c20c6ec29b33b14e2760fec92ef46751330c9a8a485cb7119c6835c820d54d682159c152171788d437b662d9a1d0f38dd4069182dd4fd49c
- SSDEEP: 24576:+9b0txiB4SCM89JsDKyo9nkQohwZAK/cRgOnmq9g6oB36rKX6I1:vtUBS0k3Z7cOU7m6MlR1
Static task: static1
Behavioral task: behavioral1
- Sample: 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
Malware Config
Extracted: C:\MSOCache\SMAXDVTKP-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/2204324cf9eba5d9
Extracted: F:\$RECYCLE.BIN\DGHAIJUM-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/e541e65e7e3bf57
Targets
- Target: 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118 (size, MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (323) files with added filename extension: This suggests ransomware activity, encrypting files across the system.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext