General

  • Target

    4119ebfa48c9fdec769f4d99a2cbfaf0_JaffaCakes118

  • Size

    260KB

  • Sample

    241013-vs9s3sxhqc

  • MD5

    4119ebfa48c9fdec769f4d99a2cbfaf0

  • SHA1

    584604eaabcc88a98983271eb6ed76320888880c

  • SHA256

    807cb77f5d1f188538b6c28028982b8cdb712d00a477ac40bc64fa1be60a0f4c

  • SHA512

    d30803863614b559ee069d3489bfea407e095c9bffab78349a5d1a873537a0a52294d8f348e87fadaf38e13353eaa23333f050ea1a9cadaee6ea69741fa1b3a7

  • SSDEEP

    3072:WABrB8wvDvBKBQFBrB2BbLteM1ida3LmQ7CNtxu6LQucMnWdhqVln4xKpkfoPeq7:7da8uOhcMWhqVln4xKpkfTqb2Yq

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 194sTuo9usnL2vUPYopacCAA87Sqr9R8ET Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 194sTuo9usnL2vUPYopacCAA87Sqr9R8ET Follow the instructions on the server.
Wallets

194sTuo9usnL2vUPYopacCAA87Sqr9R8ET

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/

Extracted

Path

C:\Program Files\7-Zip\Lang\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1NvHCxbSw9vn1QkqrsdyHxsCiK5HgBkJwR Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1NvHCxbSw9vn1QkqrsdyHxsCiK5HgBkJwR Follow the instructions on the server.
Wallets

1NvHCxbSw9vn1QkqrsdyHxsCiK5HgBkJwR

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/
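The two extracted notes above are the same template with different wallet addresses. The following is an added example, not part of the sandbox report, that pulls the indicators out of the note text embedded from this page, separates the .onion address from the clearnet gateway hosts, and checks each Bitcoin address with Base58Check so that a mistyped or truncated wallet is not pushed into a blocklist. The benign-host allowlist (torproject.org) and the bucket names are my assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# HELP_RESTORE_FILES.txt text as extracted on this page (first drop; the second
# drop differs only in the wallet address).
NOTE = (
    "All your documents, photos, databases and other important files have been "
    "encrypted with strongest encryption RSA-2048 key, generated for this computer. "
    "Private decryption key is stored on a secret Internet server and nobody can "
    "decrypt your files until you pay and obtain the private key. If you see the "
    "main encryptor red window, examine it and follow the instructions. Otherwise, "
    "it seems that you or your antivirus deleted the encryptor program. Now you have "
    "the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com "
    "or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ "
    "in your browser. They are public gates to the secret server. Copy and paste the "
    "following Bitcoin address in the input form on server. Avoid missprints. "
    "194sTuo9usnL2vUPYopacCAA87Sqr9R8ET Follow the instructions on the server. If you "
    "have problems with gates, use direct connection: 1. Download Tor Browser from "
    "http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ "
    "Note that this server is available via Tor Browser only. Retry in 1 hour if site "
    "is not reachable. Copy and paste the following Bitcoin address in the input form "
    "on server. Avoid missprints. 194sTuo9usnL2vUPYopacCAA87Sqr9R8ET Follow the "
    "instructions on the server."
)

# Assumed allowlist: hosts that appear in ransom notes but are not attacker infrastructure.
BENIGN_HOSTS = {"torproject.org", "www.torproject.org"}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr):
    """Return True if addr decodes to 25 bytes whose last 4 bytes are a valid
    double-SHA256 checksum (legacy P2PKH/P2SH Bitcoin address encoding)."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in Base58 stands for one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_iocs(note):
    """Pull URLs and legacy Bitcoin addresses from ransom-note text and sort the
    URLs into onion service, clearnet gateway and benign buckets."""
    urls = list(dict.fromkeys(re.findall(r"https?://[^\s]+", note)))
    wallets = list(dict.fromkeys(
        re.findall(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b", note)))
    out = {"onion": [], "gates": [], "benign": [], "wallets": wallets}
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host.endswith(".onion"):
            out["onion"].append(url)
        elif host in BENIGN_HOSTS:
            out["benign"].append(url)
        else:
            out["gates"].append(url)
    out["wallet_checksum_ok"] = {w: b58check_valid(w) for w in wallets}
    return out


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key}: {value}")
```

The wallet regex only covers legacy addresses starting with 1 or 3, which is what this note uses; bech32 addresses (bc1...) would need a separate pattern and checksum routine.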

Targets

    • Target

      4119ebfa48c9fdec769f4d99a2cbfaf0_JaffaCakes118

    • Size

      260KB

    • MD5

      4119ebfa48c9fdec769f4d99a2cbfaf0

    • SHA1

      584604eaabcc88a98983271eb6ed76320888880c

    • SHA256

      807cb77f5d1f188538b6c28028982b8cdb712d00a477ac40bc64fa1be60a0f4c

    • SHA512

      d30803863614b559ee069d3489bfea407e095c9bffab78349a5d1a873537a0a52294d8f348e87fadaf38e13353eaa23333f050ea1a9cadaee6ea69741fa1b3a7

    • SSDEEP

      3072:WABrB8wvDvBKBQFBrB2BbLteM1ida3LmQ7CNtxu6LQucMnWdhqVln4xKpkfoPeq7:7da8uOhcMWhqVln4xKpkfTqb2Yq

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (366) files with added filename extension

      This suggests ransomware activity: files are encrypted in bulk and renamed with an added extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
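The behaviour signatures listed above are the kind of rule a sandbox or EDR evaluates over process, registry, file and network telemetry. The following is an added example, not the sandbox's own rule set, that expresses the signatures this report fired (shadow copy deletion, country-code lookup, Run key, wallpaper change, external IP lookup, self-deletion, mass rename with an added extension) as rules over constructed events. The event schema, the rename threshold, the IP-echo host list and the file names are assumptions.

```python
import re
from collections import Counter

# Constructed telemetry in the shape (kind, actor, detail); not the report's own log.
EVENTS = [
    ("process", "sample.exe",
     r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("registry_read", "sample.exe", r"HKCU\Control Panel\International\iCountry"),
    ("registry_write", "sample.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd = C:\Users\u\AppData\Roaming\upd.exe"),
    ("registry_write", "sample.exe",
     r"HKCU\Control Panel\Desktop\Wallpaper = C:\Users\u\AppData\Roaming\wp.bmp"),
    ("network", "sample.exe", "http://ipinfo.io/ip"),
    ("process", "sample.exe", r'cmd.exe /c del "C:\Users\u\Desktop\sample.exe"'),
] + [
    ("file_rename", "sample.exe",
     rf"C:\Users\u\Documents\doc{i}.docx -> C:\Users\u\Documents\doc{i}.docx.locked")
    for i in range(40)
]

# (signature name, event kind, regex over the detail field)
RULES = [
    ("Deletes shadow copies", "process",
     r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("Checks computer location settings", "registry_read",
     r"(?i)\\Control Panel\\International\\(iCountry|Locale|LocaleName)\b"),
    ("Adds Run key to start application", "registry_write",
     r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
    ("Sets desktop wallpaper using registry", "registry_write",
     r"(?i)\\Control Panel\\Desktop\\Wallpaper\b"),
    ("Looks up external IP address via web service", "network",
     r"(?i)^https?://(api\.ipify\.org|ipinfo\.io|checkip\.dyndns\.org|ip-api\.com)\b"),
]


def evaluate(events, rename_threshold=20):
    """Return {signature name: [evidence, ...]} for every rule that fires."""
    hits = {}
    for name, kind, pattern in RULES:
        rx = re.compile(pattern)
        matched = [d for k, _, d in events if k == kind and rx.search(d)]
        if matched:
            hits[name] = matched

    # Self-deletion: a shell command deleting a file whose base name is the acting process.
    for kind, actor, detail in events:
        if kind != "process":
            continue
        m = re.search(r'(?i)\bdel\b\s+"?([^"]+?)"?\s*$', detail)
        if m and m.group(1).rsplit("\\", 1)[-1].lower() == actor.lower():
            hits.setdefault("Deletes itself", []).append(detail)

    # Mass rename: new name == old name + ".ext"; fire above a count threshold.
    exts = Counter()
    for kind, _, detail in events:
        if kind != "file_rename" or " -> " not in detail:
            continue
        old, new = detail.split(" -> ", 1)
        if new.startswith(old) and new[len(old):].startswith("."):
            exts[new[len(old):].lower()] += 1
    total = sum(exts.values())
    if total >= rename_threshold:
        hits["Renames multiple files with added filename extension"] = [
            f"{total} renames, extensions {dict(exts)}"]
    return hits


def verdict(hits):
    """Ransomware when recovery inhibition and bulk renaming are both present."""
    needed = {"Deletes shadow copies",
              "Renames multiple files with added filename extension"}
    return "ransomware" if needed <= set(hits) else "suspicious" if hits else "clean"


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for name, evidence in result.items():
        print(f"[{name}] {evidence[0]}")
    print("verdict:", verdict(result))
```

The rename rule is deliberately count based rather than extension based: a family-specific extension list goes stale, whereas hundreds of renames that only append a suffix is the behaviour itself. Extension-based lookups belong in a separate enrichment step.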

MITRE ATT&CK Enterprise v15