General
-
Target
dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118
-
Size
414KB
-
Sample
240912-dcmj6sxekn
-
MD5
dbae9888aa3dfd015e4e1b91961333b2
-
SHA1
4171e53023cc452393dd11f128fd971deae613a7
-
SHA256
6d7b3d5696d4c8199a46bdc6f9f6d8310cb8052c5cca92dd91da819c53622654
-
SHA512
91f11c53b9d8c5bd0085e993206344fa9a3b01426d32a8647703a1c4046ea6db89e38c1a6db6debf2e6cc9df4b2aa225e3b551eb51c1004581c01d4c72cd31cc
-
SSDEEP
6144:81gNhF7mMk80a3Lsls6r/qqkdb+FoetPeh6mJbYXGf5yh/oJyBFThmBcjUm:pNW8h3Los6ryG0FJcXlQJyvEcjUm
Behavioral task
behavioral1
Sample
dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_38139B9E
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_6CD32D8A
Targets
-
Target
dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118
-
Dharma
Dharma is a ransomware family that has been observed using security software installation to hide its malicious activity.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Deletes shadow copies
Ransomware commonly deletes Volume Shadow Copies and other backups to inhibit system recovery.
-
Renames multiple (315) files, appending a filename extension
This is consistent with ransomware encrypting files across the system.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to the Windows credential history store.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
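As an added example (not code from the sandbox report, the sandbox vendor, or the sample itself), the Python detector below replays the signatures listed above, together with the .onion ticket URL from the Malware Config section, against a stream of host telemetry records. The record layout resembles Sysmon-style fields but is an assumption, as are the process IDs, command lines, the Run key value name, the ".enc" extension and the rename threshold; only the Info.hta paths and the onion URL are taken from the report.

```python
# Added example for this report (not code from the sandbox or from the sample):
# a minimal behavioural detector that replays the signatures listed above
# against host telemetry records. Record fields and the sample events are
# constructed here; they resemble Sysmon-style fields but are assumptions,
# not any vendor's schema.
import re
from collections import Counter, defaultdict

# Startup-folder fragment shared by both Info.hta drop paths in the report.
STARTUP_DIR_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Common shadow-copy deletion command lines (vssadmin / wmic).
VSS_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# v2-style .onion host followed by the ticket parameter seen in the extracted config.
ONION_TICKET_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/\?ticket=[A-Za-z0-9_]+", re.I)
MASS_RENAME_THRESHOLD = 100  # assumption; the report observed 315 renames


def appended_extension(src: str, dst: str):
    """Return the extension appended to src if dst == src + '.<ext>', else None.

    A rename that changes the base name (e.g. report.tmp -> report.docx) is not
    counted; only pure appends match the 'added filename extension' signature.
    """
    prefix = src.lower() + "."
    if dst.lower().startswith(prefix) and len(dst) > len(prefix):
        return dst[len(prefix):]
    return None


def detect(events):
    """Map telemetry events onto the report's signature names -> evidence list."""
    findings = defaultdict(list)
    renames = defaultdict(Counter)  # pid -> Counter(appended extension -> count)
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and VSS_DELETE_RE.search(ev["cmdline"]):
            findings["Deletes shadow copies"].append(ev["cmdline"])
        elif kind == "file_create":
            path = ev["path"]
            if STARTUP_DIR_FRAGMENT in path.lower():
                findings["Drops startup file"].append(path)
            if path.lower().endswith("\\desktop.ini"):
                findings["Drops desktop.ini file(s)"].append(path)
        elif kind == "file_write" and (m := ONION_TICKET_RE.search(ev["content"])):
            findings["Ransom note with .onion ticket URL"].append(m.group(0))
        elif kind == "file_rename":
            ext = appended_extension(ev["src"], ev["dst"])
            if ext is not None:
                renames[ev["pid"]][ext] += 1
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings["Adds Run key to start application"].append(f"{ev['key']} = {ev['value']}")
    # Mass-rename signature: many files by one process, all given the same new suffix.
    for pid, exts in renames.items():
        for ext, n in exts.items():
            if n >= MASS_RENAME_THRESHOLD:
                findings["Renames multiple files with added filename extension"].append(
                    f"pid {pid}: {n} files renamed to *.{ext}")
    return dict(findings)


# Constructed sample telemetry: the paths and URL come from the report above;
# the process IDs, command lines, Run key value name and ".enc" suffix are made up.
INFO_HTA = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
]
SAMPLE_EVENTS = (
    [{"type": "process_create", "pid": 4242, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
     {"type": "process_create", "pid": 4243, "cmdline": "vssadmin.exe list shadows"}]  # benign
    + [{"type": "file_create", "pid": 4242, "path": p} for p in INFO_HTA]
    + [{"type": "file_write", "pid": 4242, "path": INFO_HTA[0],
        "content": "<html>... http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_38139B9E ..."}]
    + [{"type": "registry_set", "pid": 4242,
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Info", "value": INFO_HTA[1]}]
    + [{"type": "file_create", "pid": 4242, "path": r"C:\Users\Admin\Documents\desktop.ini"}]
    + [{"type": "file_rename", "pid": 4242,
        "src": rf"C:\Users\Admin\Documents\doc{i}.docx",
        "dst": rf"C:\Users\Admin\Documents\doc{i}.docx.enc"} for i in range(315)]
    + [{"type": "file_rename", "pid": 4243, "src": r"C:\Temp\report.tmp",
        "dst": r"C:\Temp\report.docx"}]  # benign: base name changed, not an append
)

if __name__ == "__main__":
    for sig, evidence in detect(SAMPLE_EVENTS).items():
        print(f"{sig}: {len(evidence)} hit(s), e.g. {evidence[0]}")
```

The rename check deliberately keys on a suffix appended to the original name rather than on any particular extension, because the extension itself varies between ransomware builds while the append pattern does not; the per-process threshold keeps a user bulk-renaming a folder from tripping it on its own.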
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Defense Evasion
Direct Volume Access (1)
Indicator Removal (2)
  File Deletion (2)
Modify Registry (2)
Credential Access
Credentials from Password Stores (2)
  Credentials from Web Browsers (1)
  Windows Credential Manager (1)
Unsecured Credentials (1)
  Credentials In Files (1)