Extracted

Extracted

• • Target

    0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118

  • Size

    368KB

  • MD5

    0d3571a8ca8ef2fede9e3e11b8761582

  • SHA1

    f2b0416e2afe93050816f62646ecae6080a9e559

  • SHA256

    543144026b1a0c1bbfea07c5af4b9e5654c6eb3416f7ac70d676c6c8682bacbb

  • SHA512

    1474d517cf92cd4dcec62bb656ae918f383fd4e146dd951c9613e7cb300870e32606c3607872bb17d84e2de5c13d23bf51bc16e8f2f576acd4bae9fe3e2b661c

  • SSDEEP

    6144:lysifNvmGSKiUuyWvY1ZEYVG3I825tkB9GqlzXwOwNM5s8Fy:8BQUuy6kP5tU1lzXwBqbs

  Score

  10^/10

  teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (418) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Suspicious use of SetThreadContext

  behavioral1behavioral2