Extracted

Extracted

• • Target

    91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118

  • Size

    276KB

  • MD5

    91f480971a54e41cf899c9bd0d7bb009

  • SHA1

    150d74e9ba69d69dac4064c8966b3f192131d872

  • SHA256

    a4754955412700a50ec0778aee21e500c6a0b64a5e82c472f87af87cfc7c9de6

  • SHA512

    14f50fb4445f2c5409e434f8ab3166e610485c2d2d87bfb65782b5d81860176529d6aa914ed89f30c5d70ad88e0085d78a0c9aa719507e0960349eda0b115a5f

  • SSDEEP

    6144:ML+ROMHXZ99JX2WngMNSYZh1r0CLf2dWsLf2EUOH9:MQ7J9PgMN7LsqEUO

  Score

  10^/10

  teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (408) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2