General
- Target: e14c0622af40260fec213c4100605bfb_JaffaCakes118
- Size: 3.7MB
- Sample: 240914-31hnkavbmc
- MD5: e14c0622af40260fec213c4100605bfb
- SHA1: 2cc388e5e5ccb150604e3e5c0a715a8974a274c7
- SHA256: 38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6
- SHA512: e0ae9b2f70b6460672079b907cd30fc228b2245b60315561651a09de1516424aeb770383b5cd7468926c5cfb221f130787d536d87b0941fe09cdb47af40a2d05
- SSDEEP: 98304:YjNRO2u6p4S2tdxCrSs4bd2DOuYeWCLgq+cIMXam1zECP9Qz6:sNRPLD2bo4G6e8qRXaop
Static task
- static1
Behavioral task
- behavioral1
  - Sample: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
Malware Config
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/86d60966e1ec37a8
  - https://mazedecrypt.top/86d60966e1ec37a8
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/87e2098f22c2da4b
  - https://mazedecrypt.top/87e2098f22c2da4b
Targets
- Target: e14c0622af40260fec213c4100605bfb_JaffaCakes118
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
- Drops startup file
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Defense Evasion
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)