General

  • Target

    dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118

  • Size

    414KB

  • Sample

    240912-dcmj6sxekn

  • MD5

    dbae9888aa3dfd015e4e1b91961333b2

  • SHA1

    4171e53023cc452393dd11f128fd971deae613a7

  • SHA256

    6d7b3d5696d4c8199a46bdc6f9f6d8310cb8052c5cca92dd91da819c53622654

  • SHA512

    91f11c53b9d8c5bd0085e993206344fa9a3b01426d32a8647703a1c4046ea6db89e38c1a6db6debf2e6cc9df4b2aa225e3b551eb51c1004581c01d4c72cd31cc

  • SSDEEP

    6144:81gNhF7mMk80a3Lsls6r/qqkdb+FoetPeh6mJbYXGf5yh/oJyBFThmBcjUm:pNW8h3Los6ryG0FJcXlQJyvEcjUm

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_38139B9E Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_38139B9E

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_6CD32D8A Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_6CD32D8A

Targets

    • Target

      dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118

    • Size

      414KB

    • MD5

      dbae9888aa3dfd015e4e1b91961333b2

    • SHA1

      4171e53023cc452393dd11f128fd971deae613a7

    • SHA256

      6d7b3d5696d4c8199a46bdc6f9f6d8310cb8052c5cca92dd91da819c53622654

    • SHA512

      91f11c53b9d8c5bd0085e993206344fa9a3b01426d32a8647703a1c4046ea6db89e38c1a6db6debf2e6cc9df4b2aa225e3b551eb51c1004581c01d4c72cd31cc

    • SSDEEP

      6144:81gNhF7mMk80a3Lsls6r/qqkdb+FoetPeh6mJbYXGf5yh/oJyBFThmBcjUm:pNW8h3Los6ryG0FJcXlQJyvEcjUm

    • Dharma

      Dharma is a ransomware family that uses the installation of security software as cover to hide its malicious activity.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (315) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks