General
Target: 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118
Size: 225KB
Sample: 240602-rw6daafe85
MD5: 8e66e35fd856d36c49cfc7265f6cedac
SHA1: cbdfc8e2338f2cfd1b97a46fc852fd44027100c3
SHA256: c901cd480f7bab152f11367b855bfe03bacce1760fa133acb7b9512a64c1f2b8
SHA512: f60e39c8cf7142ce5fcfe36c64024d2c4ba4dd492c7763923a72a345421bbaa4266898c294dd4d6e8fb58ebe5a84ccba9329e665f8a1194e18317b827db24af8
SSDEEP: 3072:AfLnfk1mn7UVGhRXR9cEF3KGx/CgO9PcsibcbQLOEpTR5w1BNH50Idt:AfL8c4VQcEwGxagiPSbIyPKQIb
Static task: static1
Behavioral task: behavioral1
  Sample: 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
Malware Config
Extracted
  Ransom note: F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\NNRKZGVIH-DECRYPT.txt
  Payment URL: http://gandcrabmfe6mnef.onion/ee43ee34fc74f6f1
Extracted
  Ransom note: C:\PerfLogs\OHSNOBW-DECRYPT.txt
  Payment URL: http://gandcrabmfe6mnef.onion/8917c761f6c086d1
The .onion host is the GandCrab payment portal; the hex path component differs between the two runs and serves as the per-victim identifier. The note file names follow the pattern <TOKEN>-DECRYPT.txt with a different random token in each run (NNRKZGVIH, OHSNOBW), so neither the note name nor the URL path is a stable indicator; the .onion host name and the -DECRYPT.txt suffix are. The F:\ path also shows the sample wrote to a volume other than C:.
Targets
Target: 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118
Size: 225KB
- Deletes shadow copies: Ransomware deletes Volume Shadow Copies so the victim cannot restore files from local snapshots (ATT&CK T1490, Inhibit System Recovery).
- Renames multiple (272) files with added filename extension: Consistent with ransomware encrypting files in place and appending an extension to each one.
- Checks computer location settings: Looks up the country code configured in the registry, most likely a geofence deciding whether to run on this host; GandCrab is known to abort on hosts with CIS locales.
- Drops startup file: Writes a file into a Startup folder so the payload is launched again at logon.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive, i.e. looks for additional volumes to encrypt (the ransom note under F:\ above shows one was found).
- Sets desktop wallpaper using registry: Replaces the wallpaper through the Control Panel\Desktop registry value, typically to display the ransom demand.
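The behaviours listed above, together with the ransom-note paths under Malware Config, map directly onto host-side detections. The following Python is an added example written for this page, not the sandbox's signature engine and not code from the sample: it runs a few triage rules over a constructed, hand-written event sample (the Event shape, command lines, file names and the rename-burst thresholds are all assumptions) and cross-checks that the extension appended to renamed files equals the token in the ransom-note name, which is how GandCrab v5-style notes are named (an assumption here; the report itself does not state the appended extension).

```python
"""Added example (not from the report or the sample): host-side triage rules for
the behaviours this report lists, run over a constructed event sample."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One telemetry record. The shape is an assumption, loosely Sysmon-like."""
    ts: float          # seconds since start of the recording (constructed)
    kind: str          # "process", "file_rename", "file_create" or "registry"
    pid: int
    a: str             # command line | old path | created path | registry value path
    b: str = ""        # new path (file_rename) | registry data (registry)


# Commands commonly used to destroy Volume Shadow Copies (ATT&CK T1490).
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
# Ransom-note naming seen in this report: <TOKEN>-DECRYPT.txt
NOTE_NAME = re.compile(r"(?:^|[\\/])([A-Za-z]+)-DECRYPT\.txt$", re.I)
WALLPAPER_KEY = re.compile(r"Control Panel\\Desktop\\Wallpaper$", re.I)
RENAME_BURST = 20      # this many renames adding the same new extension ...
RENAME_WINDOW = 60.0   # ... within this many seconds (both thresholds are assumptions)


def note_token(path):
    """Token from a <TOKEN>-DECRYPT.txt file name, or None if it is not a note."""
    m = NOTE_NAME.search(path)
    return m.group(1) if m else None


def added_extension(old, new):
    """If new == old + '.' + token (same directory), return the token lower-cased."""
    if new.lower().startswith(old.lower() + "."):
        ext = new[len(old) + 1:]
        if ext and "\\" not in ext and "/" not in ext:
            return ext.lower()
    return None


def triage(events):
    """Return (rule, pid, detail) findings in detection order."""
    findings = []
    renames = defaultdict(list)  # (pid, ext) -> timestamps of renames adding ext
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process" and any(p.search(e.a) for p in SHADOW_DELETE):
            findings.append(("deletes_shadow_copies", e.pid, e.a))
        elif e.kind == "file_rename":
            ext = added_extension(e.a, e.b)
            if ext:
                renames[(e.pid, ext)].append(e.ts)
        elif e.kind == "file_create" and note_token(e.a):
            findings.append(("drops_ransom_note", e.pid, e.a))
        elif e.kind == "registry" and WALLPAPER_KEY.search(e.a):
            findings.append(("sets_wallpaper", e.pid, e.b))
    # Mass rename: RENAME_BURST renames by one process adding the same extension
    # inside a sliding RENAME_WINDOW. A lone benign rename never reaches the threshold.
    for (pid, ext), stamps in renames.items():
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > RENAME_WINDOW:
                lo += 1
            if hi - lo + 1 >= RENAME_BURST:
                findings.append(("mass_rename", pid, ext))
                break
    return findings


def mass_rename_extensions(findings):
    """Set of extensions flagged by the mass-rename rule."""
    return {detail for rule, _pid, detail in findings if rule == "mass_rename"}


# Constructed sample: one encrypting process (pid 4242) plus benign noise.
NOTE_PATH = r"F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\NNRKZGVIH-DECRYPT.txt"
SAMPLE = [Event(0.0, "process", 4242, r"cmd.exe /c vssadmin.exe delete shadows /all /quiet")]
SAMPLE += [
    Event(1.0 + i * 0.1, "file_rename", 4242,
          rf"C:\Users\Alice\Documents\report{i}.docx",
          rf"C:\Users\Alice\Documents\report{i}.docx.NNRKZGVIH")
    for i in range(25)
]
SAMPLE += [
    Event(5.0, "file_create", 4242, NOTE_PATH),
    Event(6.0, "registry", 4242, r"HKCU\Control Panel\Desktop\Wallpaper",
          r"C:\Users\Alice\AppData\Local\Temp\wallpaper.bmp"),
    Event(7.0, "file_rename", 1000, r"C:\Temp\a.tmp", r"C:\Temp\a.txt"),  # benign rename
    Event(8.0, "process", 1001, "explorer.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    for rule, pid, detail in found:
        print(f"{rule:24s} pid={pid} {detail}")
    # Cross-check: the appended extension should equal the note-name token (assumed
    # family behaviour), so a planted decoy note does not mislead the analyst.
    token = note_token(NOTE_PATH)
    print("extension matches note token:", token.lower() in mass_rename_extensions(found))
```

The rename rule is keyed on process and new extension rather than on a fixed extension list, because the token changes on every infection (compare the two runs above); the note-name regex likewise matches the stable `-DECRYPT.txt` suffix rather than either observed token.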