General

Target: 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118
Size: 186KB
Sample: 240603-3pa5cadd5s
MD5: 93016c8fa91b493eeb7d00c9d7b6d458
SHA1: 1c8ebee381abee1e8b71f7d84e143fc88dc40d2b
SHA256: bb13e13ced7ed27d32eb517c9bbf5cd7bdf0bb42d0cd4e463dc4cb2852db5ee2
SHA512: ec6ce20e697be6b384ca507898cd4f8e2ebc237ffc36bec4f88032c525b47d10fe5123e8d322052d90c68d61f89b8519e23aa2d50e6a0415638390da336f0922
SSDEEP: 3072:MQJyL8fddwRnRgC5fR+oMDC+P5BQTVasjwydtEAlEx/CEekDG8UsNVLt:z0L8fd+lRXnMDC+BEdsItE/xLDG8UsL
Behavioral task behavioral1
Sample: 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Malware Config

Two ransom notes were recovered from the F: drive; both point at the same GandCrab Tor host with a different per-victim path.

Extracted from F:\$RECYCLE.BIN\CUSGJTM-DECRYPT.txt:
http://gandcrabmfe6mnef.onion/2ac2ef8aa92b5953

Extracted from F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\XBQBOKEN-DECRYPT.txt:
http://gandcrabmfe6mnef.onion/eab440c191499469
Targets

Target: 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118
- Deletes shadow copies
  Ransomware commonly deletes Volume Shadow Copy snapshots and other backups to inhibit system recovery.
- Renames multiple (313) files with added filename extension
  313 files were renamed with an extra extension appended, consistent with ransomware encrypting files across the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check to decide whether to run on this host.
- Drops startup file
  Writes a file to a startup location, a common persistence mechanism.
- Enumerates connected drives
  Attempts to read the root path of drives other than the default C: drive (consistent with the ransom notes recovered from F:).
- Sets desktop wallpaper using registry
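The two report sections that carry the most signal, the mass-rename heuristic and the ransom-note extraction, can be reproduced over a sandbox event stream. What follows is an added example written for this page, not code from the sandbox vendor or from the report itself: the event dictionary shape, the file paths, the appended extension ".cusgjtm", the "<RANDOM>-DECRYPT.txt" filename pattern and the firing threshold are constructed assumptions. The only value reused from the report is the first extracted .onion URL, embedded in a constructed note body.

```python
import re
from collections import Counter

# Constructed sandbox-style events (assumption: not taken from the report).
# The appended extension ".cusgjtm" and the paths are made up for the demo.
EVENTS = [
    {"op": "rename", "src": r"C:\Users\Admin\Documents\report.docx",
     "dst": r"C:\Users\Admin\Documents\report.docx.cusgjtm"},
    {"op": "rename", "src": r"C:\Users\Admin\Pictures\cat.jpg",
     "dst": r"C:\Users\Admin\Pictures\cat.jpg.cusgjtm"},
    {"op": "rename", "src": r"F:\backups\db.bak",
     "dst": r"F:\backups\db.bak.cusgjtm"},
    # Ordinary rename with no extension appended: must not count.
    {"op": "rename", "src": r"C:\Users\Admin\notes.txt",
     "dst": r"C:\Users\Admin\notes_old.txt"},
    # Dropped ransom note; the URL is the report's own extracted value.
    {"op": "write", "path": r"F:\$RECYCLE.BIN\CUSGJTM-DECRYPT.txt",
     "content": "All your files are encrypted. Visit "
                "http://gandcrabmfe6mnef.onion/2ac2ef8aa92b5953 for instructions."},
]

ADDED_EXT = re.compile(r"\.[A-Za-z0-9]{1,16}")        # one extra ".ext" suffix
DRIVE = re.compile(r"^([A-Za-z]:)\\")                 # leading drive letter
NOTE_NAME = re.compile(r"[\\/][A-Z0-9]+-DECRYPT\.txt$", re.IGNORECASE)
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[A-Za-z0-9._~/-]*)?")


def renamed_with_added_extension(src, dst):
    """True when dst is exactly src plus one appended extension
    (report.docx -> report.docx.cusgjtm), which is what the
    'added filename extension' signature looks for."""
    return dst.startswith(src) and ADDED_EXT.fullmatch(dst[len(src):]) is not None


def mass_rename_signature(events, threshold=10):
    """Mirror 'Renames multiple (N) files with added filename extension':
    count qualifying renames, record which extensions were appended and
    which drives were touched, and fire when the count reaches threshold."""
    count = 0
    exts = Counter()
    drives = set()
    for ev in events:
        if ev.get("op") != "rename":
            continue
        src, dst = ev["src"], ev["dst"]
        if not renamed_with_added_extension(src, dst):
            continue
        count += 1
        exts[dst[len(src):].lower()] += 1
        m = DRIVE.match(dst)
        if m:
            drives.add(m.group(1).upper())
    return {"fires": count >= threshold, "count": count,
            "extensions": dict(exts), "drives": sorted(drives)}


def ransom_note_configs(events):
    """Mirror the 'Malware Config / Extracted' section: select dropped files
    named like <RANDOM>-DECRYPT.txt and pull every .onion URL out of them."""
    found = []
    for ev in events:
        if ev.get("op") != "write" or not NOTE_NAME.search(ev["path"]):
            continue
        urls = sorted(set(ONION_URL.findall(ev["content"])))
        found.append({"note": ev["path"], "urls": urls})
    return found


if __name__ == "__main__":
    # A low threshold is used here only because the constructed stream is small.
    print(mass_rename_signature(EVENTS, threshold=3))
    print(ransom_note_configs(EVENTS))
```

The rename check deliberately requires the new name to start with the full old name, so a plain rename or a changed extension (a.doc to a.docx) does not count toward the total; drive letters are collected because, as in this report, notes and renamed files outside C: are a strong hint that the sample enumerated and walked other volumes.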