General
-
Target
eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118
-
Size
491KB
-
Sample
240919-gz8mpsvblg
-
MD5
eabe36d7d77407d5b7b0d7059d794e39
-
SHA1
f8e4e0edb658380a813df054f477ab3d5af8ad4b
-
SHA256
05f77e6ec37b63156c00611265bceefd5479ecc3dff18496ea6a6e4de0e859bf
-
SHA512
fa615b05e895032b4c4d66f5458b76ac7f9bccbfab808b6e0c2df77fb5b58405a3c20bfce0571332e9ee72591cbeae295c0884f59e12941a77309bb4c4f737df
-
SSDEEP
12288:cutrzh9xOXkUWzsKltSXkbnDlcQmbVXvUF5:cutr5OUUe3LSXSUvUP
Malware Config
Targets
-
-
Target
eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118
-
Size
491KB
-
MD5
eabe36d7d77407d5b7b0d7059d794e39
-
SHA1
f8e4e0edb658380a813df054f477ab3d5af8ad4b
-
SHA256
05f77e6ec37b63156c00611265bceefd5479ecc3dff18496ea6a6e4de0e859bf
-
SHA512
fa615b05e895032b4c4d66f5458b76ac7f9bccbfab808b6e0c2df77fb5b58405a3c20bfce0571332e9ee72591cbeae295c0884f59e12941a77309bb4c4f737df
-
SSDEEP
12288:cutrzh9xOXkUWzsKltSXkbnDlcQmbVXvUF5:cutr5OUUe3LSXSUvUP
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks for any installed AV software in registry
-
Drops desktop.ini file(s)
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
4Discovery
Process Discovery
1Query Registry
1Remote System Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Time Discovery
1