General
Target: 54bcf41f53085b004a070847e623fcd3_JaffaCakes118
Size: 329KB
Sample: 241018-bxjyns1erl
MD5: 54bcf41f53085b004a070847e623fcd3
SHA1: d646c97f676ead19d6722eb5bfc73ea0098ec11d
SHA256: 059911b76bb575a79ccdef1940869c6360c65a710d47257a3901cea805cef3be
SHA512: da690447462f9bbc10484ff36f30784f6103fe42be6f1235bdb31212d07ae8b34ddbd2730ce4f44cb2f9a8d2f138704ac4c9d7b0e299dffb5bd9fa287c634908
SSDEEP: 6144:cMJTbuEB33TmIoqWWiNO8cTjGtxBOgl5FvR6rnDzldxMZty9ljV5HEMy:c0T3jmVjW4O5TYrfFva1dxMZozjV5U
Static task: static1
Behavioral task: behavioral1
- Sample: 54bcf41f53085b004a070847e623fcd3_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 54bcf41f53085b004a070847e623fcd3_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\howto_recover_files_gnvtp.txt
URLs:
- http://rtldkdh6.kghw88gh3eu.net/1375D4BFE9314385
- http://jsdf2wevw2.wrt23wqw34.net/1375D4BFE9314385
- https://7vhbukzxypxh3xfy.onion.to/1375D4BFE9314385
- http://7vhbukzxypxh3xfy.onion/1375D4BFE9314385
Extracted from: C:\Program Files\7-Zip\Lang\howto_recover_files_sktpf.txt
URLs:
- http://rtldkdh6.kghw88gh3eu.net/D36082E0AFD8A2F6
- http://jsdf2wevw2.wrt23wqw34.net/D36082E0AFD8A2F6
- https://7vhbukzxypxh3xfy.onion.to/D36082E0AFD8A2F6
- http://7vhbukzxypxh3xfy.onion/D36082E0AFD8A2F6
Targets
Target: 54bcf41f53085b004a070847e623fcd3_JaffaCakes118 (329KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Indicator Removal: File Deletion: Adversaries may delete files left behind by the actions of their intrusion activity.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)