General

Target: 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118
Size: 3.0MB
Sample: 240626-v4knbsxenp
MD5: 12cf0e214c7667138f5368af7ab57b39
SHA1: c5ee012ce627b12ed0c70371f7a6a97bee32dcaa
SHA256: 305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634
SHA512: 4b4b39eaafe23c5f48dbec17991b5dd447b925f8ca9a11fda6c8b06cc5b4955f9ba5a774a0b93261340ddeb407cce798ba14fd00529025542288b6a5bed4416a
SSDEEP: 49152:inxRFUy5HFUyBHFspS487/TSwUOdAf6kuSbPMMfT3Mk1h8B8tx817R+w6RlEo2Qa:qjPZPIpS57/TSwUOdAf6kuSbPMMfT3Md
Static task: static1
Behavioral task: behavioral1 (sample 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe, resource win7-20240611-en)
Behavioral task: behavioral2 (sample 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe, resource win10v2004-20240508-en)
Malware Config

Extracted from C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+nrbqn.TXT
http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/EF627433B75FD05
http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/EF627433B75FD05
http://nn54djhfnrnm4dnjnerfsd.replylaten.at/EF627433B75FD05
http://fwgrhsao3aoml7ej.onion/EF627433B75FD05

Extracted from C:\Program Files\7-Zip\Lang\RECOVER+ynveg.TXT
http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/24397EE2196D3D22
http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/24397EE2196D3D22
http://nn54djhfnrnm4dnjnerfsd.replylaten.at/24397EE2196D3D22
http://fwgrhsao3aoml7ej.onion/24397EE2196D3D22
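The four URLs in each extracted note share a single path component, which serves as the per-victim identifier, and the two notes dropped in this run carry different identifiers. The script below is an added example, not part of the tria.ge report or its extractor: it takes the note paths and URLs exactly as listed above (constructed into a dict) and turns them into hunting IOCs. The note-name pattern and the victim-ID shape are assumptions generalised from the two instances on the page; the clearnet hosts are subdomains of otherwise unrelated-looking domains, so the full hostname is the IOC and the registrable domain is kept only as a pivot.

```python
"""Added example (not part of the tria.ge report): derive hunting IOCs from the
two extracted note configs listed in the Malware Config section."""
import re
from urllib.parse import urlparse

# Constructed verbatim from the report's Malware Config section.
EXTRACTED = {
    r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+nrbqn.TXT": [
        "http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/EF627433B75FD05",
        "http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/EF627433B75FD05",
        "http://nn54djhfnrnm4dnjnerfsd.replylaten.at/EF627433B75FD05",
        "http://fwgrhsao3aoml7ej.onion/EF627433B75FD05",
    ],
    r"C:\Program Files\7-Zip\Lang\RECOVER+ynveg.TXT": [
        "http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/24397EE2196D3D22",
        "http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/24397EE2196D3D22",
        "http://nn54djhfnrnm4dnjnerfsd.replylaten.at/24397EE2196D3D22",
        "http://fwgrhsao3aoml7ej.onion/24397EE2196D3D22",
    ],
}

# Assumption: note names follow RECOVER+<5 lowercase letters>.TXT, generalised
# from the two names on the page (nrbqn, ynveg). Useful for file-name hunting.
NOTE_NAME_RE = re.compile(r"^RECOVER\+[a-z]{5}\.TXT$")
# Assumption: victim IDs are 15-16 upper-case hex chars (the two IDs above).
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{15,16}$")


def parse_note(path, urls):
    """Return the note's name, victim ID and the hosts it points to.

    Every URL in one note should carry the same victim ID; a mismatch means
    the extractor mixed two notes, so it is treated as an error."""
    name = path.rsplit("\\", 1)[-1]
    ids, clearnet, onion = set(), set(), set()
    for url in urls:
        parsed = urlparse(url)
        ids.add(parsed.path.strip("/"))
        host = parsed.hostname or ""
        (onion if host.endswith(".onion") else clearnet).add(host)
    if len(ids) != 1:
        raise ValueError(f"{name}: URLs carry several victim IDs: {sorted(ids)}")
    victim_id = ids.pop()
    return {
        "note": name,
        "name_matches_pattern": bool(NOTE_NAME_RE.match(name)),
        "victim_id": victim_id,
        "victim_id_looks_valid": bool(VICTIM_ID_RE.match(victim_id)),
        "clearnet": sorted(clearnet),
        "onion": sorted(onion),
    }


def build_iocs(extracted):
    """Aggregate per-note records into one blocklist-ready structure."""
    notes = [parse_note(p, u) for p, u in extracted.items()]
    hosts = sorted({h for n in notes for h in n["clearnet"] + n["onion"]})
    # The payment gateways sit on subdomains of otherwise unrelated-looking
    # domains: block the full hostname, keep the registrable domain as a pivot.
    domains = sorted({".".join(h.split(".")[-2:]) for h in hosts
                      if not h.endswith(".onion")})
    return {
        "notes": notes,
        "hosts": hosts,
        "registrable_domains": domains,
        "victim_ids": sorted(n["victim_id"] for n in notes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(EXTRACTED), indent=2))
```

Running it prints the two note records plus the merged host list; the fact that `victim_ids` has two entries for one detonation is itself worth noting when comparing with other samples.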
Targets

Target: 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118 (3.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures

- Deletes shadow copies
  Ransomware commonly deletes Volume Shadow Copies so that encrypted files cannot be restored from local backups.
- Renames multiple (403) files with added filename extension
  Consistent with ransomware encrypting files across the system and appending an extension to each one.
- Checks computer location settings
  Looks up the country code configured in the registry, most likely to geofence execution.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
  Commonly seen in process injection, where a suspended thread's context is rewritten to redirect execution.
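Each signature above is a rule over the process, file and registry events the sandbox recorded. The script below is an added example, not the tria.ge rule set: it re-implements the checks that can be expressed from the signature names alone and runs them over a constructed event stream that mirrors this report (including the 403 renames). The event schema, process names, the `.locked` extension and the 100-rename threshold are all assumptions; HKCU\Control Panel\International\Geo\Nation is the registry value holding the user's configured country (GeoID), and it is an assumption that "Checks computer location settings" keys off that value. "Loads dropped DLL" and "Suspicious use of SetThreadContext" need module-load and API-call events that the constructed stream does not carry, so they are left out.

```python
"""Added example (not the tria.ge rule set): behavioural checks matching the
signature names in the report, run over a constructed event stream."""
import re
from collections import Counter

# Constructed names; only the sample's file name comes from the report.
SAMPLE = r"C:\Users\victim\Desktop\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"
DROPPED = r"C:\Users\victim\AppData\Roaming\wmzfpc.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wmzfpc"
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"  # assumed country-code source


def constructed_events():
    """A minimal event stream (schema invented here) mirroring the report."""
    ev = [
        {"type": "process", "pid": 1100, "image": SAMPLE, "cmdline": SAMPLE},
        {"type": "file_create", "pid": 1100, "path": DROPPED},
        {"type": "process", "pid": 1204, "image": DROPPED, "cmdline": DROPPED},
        {"type": "registry_query", "pid": 1204, "key": GEO_KEY},
        {"type": "registry_set", "pid": 1204, "key": RUN_KEY, "value": DROPPED},
        {"type": "process", "pid": 1320, "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "file_delete", "pid": 1204, "path": SAMPLE},
    ]
    # 403 renames, the count the report gives; ".locked" is a placeholder.
    ev += [{"type": "rename", "pid": 1204,
            "old": rf"C:\Users\victim\Documents\file{i}.docx",
            "new": rf"C:\Users\victim\Documents\file{i}.docx.locked"}
           for i in range(403)]
    return ev


# Command lines that remove or disable the usual local recovery paths.
SHADOW_CMDS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def deletes_shadow_copies(events):
    return [e["cmdline"] for e in events if e["type"] == "process"
            and any(p.search(e["cmdline"]) for p in SHADOW_CMDS)]


def renames_with_added_extension(events, threshold=100):
    """Processes that renamed >= threshold files by appending an extension."""
    counts = Counter(e["pid"] for e in events if e["type"] == "rename"
                     and e["new"].lower().startswith(e["old"].lower() + "."))
    return {pid: n for pid, n in counts.items() if n >= threshold}


def checks_computer_location(events):
    return [e["key"] for e in events if e["type"] == "registry_query"
            and e["key"].lower().endswith(r"\international\geo\nation")]


def adds_run_key(events):
    # Run and RunOnce both count; the report only names Run.
    return [e["key"] for e in events if e["type"] == "registry_set"
            and re.search(r"\\currentversion\\run(once)?\\", e["key"], re.I)]


def executes_dropped_exe(events):
    """Process whose image was written earlier in the same trace."""
    written = {e["path"].lower() for e in events if e["type"] == "file_create"}
    return [e["image"] for e in events if e["type"] == "process"
            and e["image"].lower() in written]


def deletes_itself(events):
    """A traced process's own binary is removed from disk."""
    images = {e["image"].lower() for e in events if e["type"] == "process"}
    return [e["path"] for e in events if e["type"] == "file_delete"
            and e["path"].lower() in images]


def run_signatures(events):
    """Map each firing signature (named as in the report) to its evidence."""
    checks = {
        "Deletes shadow copies": deletes_shadow_copies,
        "Renames multiple files with added filename extension": renames_with_added_extension,
        "Checks computer location settings": checks_computer_location,
        "Adds Run key to start application": adds_run_key,
        "Executes dropped EXE": executes_dropped_exe,
        "Deletes itself": deletes_itself,
    }
    return {name: hit for name, fn in checks.items() if (hit := fn(events))}


if __name__ == "__main__":
    for name, evidence in run_signatures(constructed_events()).items():
        print(f"{name}: {evidence}")
```

The rename check deliberately requires the new name to be the old name plus a dot-separated suffix, so ordinary editors that write to a temp file and rename over the original do not count; lower the threshold only if you also scope the count to a single process, as done here.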