General
-
Target
54a911b913d2e942a8cfc990e2ca86d4_JaffaCakes118
-
Size
273KB
-
Sample
241018-bkxzrszgnp
-
MD5
54a911b913d2e942a8cfc990e2ca86d4
-
SHA1
e3e5b63862013638dbaee42393b91dac9df9d206
-
SHA256
a6cefdb97f43f2744fa82d873c466cd748a365ddb736a10ff4af874283c3ec6d
-
SHA512
4a9515ab47f8e7ec6d96452f6aaaf64fd5de2dccf602cc1f489877ea14e21f699e5d1164a367113f0327deda3646f99ac3e8e7d28676eb8e7fd9bb98868ea00a
-
SSDEEP
6144:VQ5wkJtBQK9l26GdEG5bFpNjFvwvCrx5uDubVamqKX6PoV:QdBQq26GjdjzoDyVamBqi
Static task
static1
Behavioral task
behavioral1
Sample
54a911b913d2e942a8cfc990e2ca86d4_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
54a911b913d2e942a8cfc990e2ca86d4_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hhlsa.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/85014A3C24B5E7C
http://b4youfred5485jgsa3453f.italazudda.com/85014A3C24B5E7C
http://5rport45vcdef345adfkksawe.bematvocal.at/85014A3C24B5E7C
http://fwgrhsao3aoml7ej.onion/85014A3C24B5E7C
http://fwgrhsao3aoml7ej.ONION/85014A3C24B5E7C
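The five URLs above were pulled from the dropped ransom note (Recovery+hhlsa.txt); they point at three clearnet domains and one Tor hidden service (listed twice, differing only in the case of the TLD), all with the same path token. The following script is an added example of turning such a note into de-duplicated indicators; it is not part of the sandbox report. The note text around the URLs is constructed, and the interpretation of the shared path token as a per-victim identifier is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed ransom-note excerpt for this example. The URLs are the ones the
# sandbox extracted from Recovery+hhlsa.txt; the surrounding text is made up.
NOTE = """
All your files have been encrypted.
To restore them, open one of the following links in your browser:
1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/85014A3C24B5E7C
2. http://b4youfred5485jgsa3453f.italazudda.com/85014A3C24B5E7C
3. http://5rport45vcdef345adfkksawe.bematvocal.at/85014A3C24B5E7C
If none of them work, install Tor Browser and open:
http://fwgrhsao3aoml7ej.onion/85014A3C24B5E7C
http://fwgrhsao3aoml7ej.ONION/85014A3C24B5E7C
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(text):
    """Distinct URLs in first-seen order, de-duplicated on (hostname, path).
    urlsplit() lowercases the hostname, so the .onion/.ONION pair collapses."""
    seen, out = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")   # strip trailing punctuation from prose
        parts = urlsplit(url)
        key = (parts.hostname, parts.path)
        if key in seen:
            continue
        seen.add(key)
        out.append(url)
    return out


def split_by_network(urls):
    """Separate Tor hidden-service URLs from clearnet gateway domains."""
    onion = [u for u in urls if (urlsplit(u).hostname or "").endswith(".onion")]
    clearnet = [u for u in urls if u not in onion]
    return clearnet, onion


def shared_path_token(urls):
    """The path component every URL has in common (assumed here to be a
    per-victim identifier). Returns None if the URLs do not agree."""
    tokens = {urlsplit(u).path.strip("/") for u in urls}
    return tokens.pop() if len(tokens) == 1 else None


def indicators(text):
    """Indicator set a responder would block/hunt on: gateway domains, onion
    service, and the shared token that ties the note to this infection."""
    urls = extract_urls(text)
    clearnet, onion = split_by_network(urls)
    return {
        "shared_token": shared_path_token(urls),
        "domains": sorted(urlsplit(u).hostname for u in clearnet),
        "onion_services": sorted(urlsplit(u).hostname for u in onion),
    }


if __name__ == "__main__":
    for k, v in indicators(NOTE).items():
        print(f"{k}: {v}")
```

Blocking is most useful at the clearnet domains, since those are the gateways a victim without Tor would reach; the shared token is the value to search for across other hosts' ransom notes to see whether they came from the same campaign.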
Targets
-
Target
54a911b913d2e942a8cfc990e2ca86d4_JaffaCakes118
-
Size
273KB
-
MD5
54a911b913d2e942a8cfc990e2ca86d4
-
SHA1
e3e5b63862013638dbaee42393b91dac9df9d206
-
SHA256
a6cefdb97f43f2744fa82d873c466cd748a365ddb736a10ff4af874283c3ec6d
-
SHA512
4a9515ab47f8e7ec6d96452f6aaaf64fd5de2dccf602cc1f489877ea14e21f699e5d1164a367113f0327deda3646f99ac3e8e7d28676eb8e7fd9bb98868ea00a
-
SSDEEP
6144:VQ5wkJtBQK9l26GdEG5bFpNjFvwvCrx5uDubVamqKX6PoV:QdBQq26GjdjzoDyVamBqi
-
Deletes shadow copies
Ransomware commonly deletes Volume Shadow Copies and other local backups so that encrypted files cannot be restored without the attacker's key.
-
Renames multiple (414) files with added filename extension
Appending an extension to hundreds of files in a single run is consistent with ransomware encrypting files across the system.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
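The behaviours flagged above (shadow-copy deletion, mass renaming with an appended extension, a Run key for persistence, and the sample deleting its own image) are exactly the events an EDR or Sysmon pipeline can match without any file-content inspection. The script below is an added example of that detection logic, not the sandbox's own signature code. The event records, the `.locked` extension, the `updater` value name and the process paths are all constructed for the example; the real sample's extension and key name are not stated on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events for this example (not sandbox output):
# (timestamp, kind, acting process image, detail).
# kind "process": detail is a command line; "registry": a key path written;
# "rename": "old -> new"; "delete": the deleted path.
SAMPLE_IMAGE = r"C:\Users\user\sample.exe"
EVENTS = [
    ("2024-10-18T03:10:00", "process", SAMPLE_IMAGE,
     "vssadmin.exe delete shadows /all /quiet"),
    ("2024-10-18T03:10:01", "registry", SAMPLE_IMAGE,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
] + [
    (f"2024-10-18T03:10:{2 + i:02d}", "rename", SAMPLE_IMAGE,
     rf"C:\Users\user\Documents\report{i}.docx -> C:\Users\user\Documents\report{i}.docx.locked")
    for i in range(15)
] + [
    # benign rename by another process: the new name is not old name + suffix
    ("2024-10-18T03:10:30", "rename", r"C:\Windows\explorer.exe",
     r"C:\Users\user\notes.txt -> C:\Users\user\notes-old.txt"),
    ("2024-10-18T03:10:31", "delete", SAMPLE_IMAGE, SAMPLE_IMAGE),
]

# Common shadow-copy deletion command lines (vssadmin, wmic, WMI via PowerShell).
SHADOW_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"win32_shadowcopy.*\bdelete\b)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def shadow_copy_deletion(events):
    return [e for e in events if e[1] == "process" and SHADOW_RE.search(e[3])]


def run_key_persistence(events):
    return [e for e in events if e[1] == "registry" and RUN_KEY_RE.search(e[3])]


def self_deletion(events):
    """A process deleting its own on-disk image (Indicator Removal)."""
    return [e for e in events if e[1] == "delete" and e[3].lower() == e[2].lower()]


def mass_extension_rename(events, threshold=10, window=timedelta(seconds=60)):
    """Per process, count renames where the new name is the old name plus a
    suffix, and flag processes with >= threshold such renames inside a sliding
    time window. Returns {image: (total_count, {suffixes})} for hits."""
    per_proc = defaultdict(list)
    for ts, kind, image, detail in events:
        if kind != "rename" or " -> " not in detail:
            continue
        old, new = detail.split(" -> ", 1)
        if new.startswith(old) and len(new) > len(old):
            per_proc[image].append((datetime.fromisoformat(ts), new[len(old):]))
    hits = {}
    for image, items in per_proc.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[image] = (len(items), {suffix for _, suffix in items})
                break
    return hits


def triage(events):
    """Verdict flags mirroring the sandbox signatures listed above."""
    return {
        "deletes_shadow_copies": bool(shadow_copy_deletion(events)),
        "mass_rename": mass_extension_rename(events),
        "adds_run_key": bool(run_key_persistence(events)),
        "deletes_itself": bool(self_deletion(events)),
    }


if __name__ == "__main__":
    for flag, value in triage(EVENTS).items():
        print(f"{flag}: {value}")
```

The rename rule keys on "new name starts with old name" rather than on a known extension, so it catches a family whose extension you have not seen yet; the threshold and window are the knobs to tune against backup and sync clients, which rename many files but usually not by appending a suffix.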
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1