Overview

overview

10

Static

static

3

f6bc565aa5...18.exe

windows7-x64

10

f6bc565aa5...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...sh.dll

windows7-x64

3

$PLUGINSDI...sh.dll

windows10-2004-x64

3

theia-stic...418.js

windows7-x64

3

theia-stic...418.js

windows10-2004-x64

3

twitter.html

windows7-x64

3

twitter.html

windows10-2004-x64

3

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f6bc565aa5c1bd4191e4a43ec11b5b83_JaffaCakes118

  • Size

    219KB

  • Sample

    240925-ygg6gaxdlg

  • MD5

    f6bc565aa5c1bd4191e4a43ec11b5b83

  • SHA1

    c9b92fc8eac84e2e9919585289402eda34a8afef

  • SHA256

    c1095f01b2e5542745d1414e12974271627f68a67bae730a34fc03b18596cf68

  • SHA512

    9ac37464d666e834b790633d7876e8af0e830951b0a399986df5e8c64c042d581ac2c28fdb7014f21730931e5bb01edd703042994b1546b06f8c02f706150fb8

  • SSDEEP

    6144:Iy9v17kwzgGpl0BrTa0LO00bNcnJTfs4nca:597kNBrTjLH0NcV4a

Score
10/10
lockydefense_evasiondiscoveryexecutionransomware

Malware Config

Targets

    • Target

      f6bc565aa5c1bd4191e4a43ec11b5b83_JaffaCakes118

    • Size

      219KB

    • MD5

      f6bc565aa5c1bd4191e4a43ec11b5b83

    • SHA1

      c9b92fc8eac84e2e9919585289402eda34a8afef

    • SHA256

      c1095f01b2e5542745d1414e12974271627f68a67bae730a34fc03b18596cf68

    • SHA512

      9ac37464d666e834b790633d7876e8af0e830951b0a399986df5e8c64c042d581ac2c28fdb7014f21730931e5bb01edd703042994b1546b06f8c02f706150fb8

    • SSDEEP

      6144:Iy9v17kwzgGpl0BrTa0LO00bNcnJTfs4nca:597kNBrTjLH0NcV4a

    Score
    10/10
    lockydefense_evasiondiscoveryransomware

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

      ransomwarelocky

    • Deletes itself

    • Loads dropped DLL

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      ca332bb753b0775d5e806e236ddcec55

    • SHA1

      f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

    • SHA256

      df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

    • SHA512

      2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

    • SSDEEP

      192:eo24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol6Sl:k8QIl975eXqlWBrz7YLOl6

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      904d8313031ac05e2bac3dd329828833

    • SHA1

      6c8322f76e5c38bc24b0bcc057a510c92ec40b43

    • SHA256

      a7c5516478ab02b5d6c1684b3c2b31ee03331712bcd9f9a8ef8309d2b72c8ec4

    • SHA512

      9d524ebc965f224e1a16f537f71df0963c586fd548cb9a901f8afb1951416dd656d5493cc5e304157dfa6d70d69bcd4c5a5b140fceb3736548e71fe7086b6de8

    • SSDEEP

      192:oR8cxzvTyl4tgi8pPjQM0PuAg0YNyAUIFtSP:IBxzm+t18pZ0WAg0RzIFg

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/splash.dll

    • Size

      4KB

    • MD5

      926cf6c23cdf3b18f8514a55b5583f1f

    • SHA1

      597089d1fd99acc13484da5ffb93d955521a1228

    • SHA256

      1e7c0a9800d7d4f8baea52a9e81a9c40721c0c4f1c3dd5ca330e286b137fd701

    • SHA512

      d1d7e5c6d5d10c68c744f4742d4c8d9844568211f9e254bb38239c52edeaaa92fb5ad862b1f79c8e67fa7d1b5efced27ccaf1074c2c65cb91d1651cb9db853f6

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      theia-sticky-sidebar-page_20160119055418.js

    • Size

      996B

    • MD5

      ec9206c172af51de299ce0d2643990f5

    • SHA1

      1be00b304b53236228a048196b4ccb1d80789e24

    • SHA256

      179d611302d0d633804c857282e69ef032a577ce6b645cc3e1f8a972f1cae843

    • SHA512

      fd777a10b69eaa1c886219bb5e59aaf0db17427a4825a5c73783c82fbe7f79d04c95f5b5beb642ebf8ad93f6658970d6527d3f7891a73ed17bdac852f2818573

    Score
    3/10
    execution
    behavioral10behavioral9

    • Target

      twitter.html

    • Size

      609B

    • MD5

      c6c29ce82bdb3ffbc09df656238dca7c

    • SHA1

      b557da031c82e2de546b06fdf3c0a4b9998dee8a

    • SHA256

      ce2a0fd54a77c76b6b9f24b2c9d2be36aecf298e01de9aba483be5cc7c45a030

    • SHA512

      8aa7c934389f681695f56a4e6f74c2002649f27282866561b03c32cc12cd2348bbca172306fb055484c588fa310d2586595d8f9f4eeca679d3405e38af126498

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      uninst.exe

    • Size

      70KB

    • MD5

      67bb7c6d04ff581ac5edb862dda8cc76

    • SHA1

      7bd517bf036da67cd44254c91127cd00db0671d5

    • SHA256

      84db6c2c21a971700c8463df83f99740de7009d1862141b9672dc6fe574e2df0

    • SHA512

      88e72394a4bdfd485313e6a085b6512066e7ad57c2fb546a95498a9849380f04d98636da7aea647076bb0dfece45bfc766b83ee6f83a69f138a9cba004c9857c

    • SSDEEP

      1536:TrsKlcypDv17knJGq90D2YzIdg0ercMpP1D3pkHhorU:vsKWy9v17kwBD2YzIdpksBoI

    Score
    7/10
    discovery

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Tasks