General

  • Target

    55c09081a425bd225b98d949db884c94_JaffaCakes118

  • Size

    4.0MB

  • Sample

    241018-gcsyqstbll

  • MD5

    55c09081a425bd225b98d949db884c94

  • SHA1

    0367df4da4b464c75086dfa9c545bc0be133d3cc

  • SHA256

    2b254c6880973d403d4abaa38996537c1c93f1ef01e58b01596fed78ea904d19

  • SHA512

    6fd82799cca06b6b5ce581baeba1ebce8bebba876cda8e83d4448ebb831c71310c2e53ad64e1770d20548514b86fb320977c6d5dec6c23664de2b6d62334d584

  • SSDEEP

    24576:aEtl9mRda1VIUSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nuk:xEs12pQ

Malware Config

Targets

    • Target

      55c09081a425bd225b98d949db884c94_JaffaCakes118

    • Modifies WinLogon for persistence

      Typically a change to the Shell or Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so that the sample's executable is launched at every interactive logon.

    • Renames multiple (91) files with added filename extension

      Ninety-one files were renamed with an extra extension appended to the original name. This pattern suggests ransomware activity, i.e. the sample encrypting files on the system and tagging each one with its own extension.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows AutoRun to spread further via attached volumes. Modern Windows versions no longer honour autorun.inf on removable drives by default, so the dropped file is mainly useful as an indicator and for older or misconfigured hosts.

    • Drops file in System32 directory
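
The signatures above are the sandbox's own verdicts. As an added illustration (not the sandbox's rule code), the script below re-implements five of them as checks over a constructed, simplified list of behavioural events: the Winlogon modification, the mass rename with an added extension, the non-C: drive-root enumeration, the autorun.inf drop and the System32 write. The event field names (op, key, value, data, path, src, dst), the sample events and the rename threshold are assumptions made for this example.

```python
"""Toy re-implementation of several sandbox behavioural signatures.

Added example, not the sandbox's own rule code. The event shape below is an
assumption: each event is a dict with an "op" plus a few string fields.
"""
import re
from typing import Dict, List

# Constructed sample events (not from the report above).
SAMPLE_EVENTS: List[dict] = [
    {"op": "reg_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Shell",
     "data": r"explorer.exe,C:\Users\Public\svc.exe"},
    {"op": "reg_set",                                    # Run key, not Winlogon
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\Public\svc.exe"},
    {"op": "file_open", "path": "D:\\"},                 # root of a non-C: volume
    {"op": "file_open", "path": "C:\\"},                 # C: root does not count
    {"op": "file_write", "path": r"D:\autorun.inf"},
    {"op": "file_write", "path": r"C:\Windows\System32\svchelper.dll"},
    {"op": "file_write", "path": r"C:\Windows\SysWOW64\svchelper.dll"},  # not System32
    {"op": "file_rename", "src": r"C:\Temp\a.tmp",       # extension replaced, not added
     "dst": r"C:\Temp\a.txt"},
]
# Ten documents renamed with a new extension appended to the original name.
SAMPLE_EVENTS += [
    {"op": "file_rename",
     "src": rf"C:\Users\victim\Documents\report{i}.docx",
     "dst": rf"C:\Users\victim\Documents\report{i}.docx.locked"}
    for i in range(10)
]

WINLOGON_KEY = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)
# Winlogon values naming programs launched at logon; the classic persistence targets.
WINLOGON_VALUES = {"shell", "userinit"}
DRIVE_ROOT = re.compile(r"^[A-Z]:\\$", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.IGNORECASE)
ADDED_EXT = re.compile(r"\.[^\\/]+$")


def modifies_winlogon(events: List[dict]) -> List[dict]:
    """Registry writes to Shell/Userinit under the Winlogon key."""
    return [e for e in events
            if e["op"] == "reg_set"
            and WINLOGON_KEY.search(e["key"])
            and e["value"].lower() in WINLOGON_VALUES]


def renames_with_added_extension(events: List[dict]) -> List[dict]:
    """Renames where the destination is the source path plus one more extension.
    A rename that merely swaps the extension (a.tmp -> a.txt) does not count."""
    hits = []
    for e in events:
        if e["op"] != "file_rename":
            continue
        src, dst = e["src"], e["dst"]
        if dst[:len(src)].lower() == src.lower() and ADDED_EXT.fullmatch(dst[len(src):]):
            hits.append(e)
    return hits


def enumerates_connected_drives(events: List[dict]) -> List[str]:
    """Opens of a drive root other than C:\\ (the report's 'default C: drive')."""
    return [e["path"] for e in events
            if e["op"] == "file_open"
            and DRIVE_ROOT.match(e["path"])
            and not e["path"].upper().startswith("C:")]


def drops_autorun_inf(events: List[dict]) -> List[str]:
    return [e["path"] for e in events
            if e["op"] == "file_write" and e["path"].lower().endswith("\\autorun.inf")]


def drops_file_in_system32(events: List[dict]) -> List[str]:
    return [e["path"] for e in events
            if e["op"] == "file_write" and SYSTEM32.match(e["path"])]


def run_signatures(events: List[dict], rename_threshold: int = 5) -> Dict[str, List[str]]:
    """Evaluate all checks and return {signature name: evidence}.
    rename_threshold is an assumed cut-off; the real rule's value is not known here."""
    hits: Dict[str, List[str]] = {}
    winlogon = modifies_winlogon(events)
    if winlogon:
        hits["Modifies WinLogon for persistence"] = [
            f"{e['key']}\\{e['value']} = {e['data']}" for e in winlogon]
    renamed = renames_with_added_extension(events)
    if len(renamed) >= rename_threshold:
        hits[f"Renames multiple ({len(renamed)}) files with added filename extension"] = [
            e["dst"] for e in renamed]
    if drives := enumerates_connected_drives(events):
        hits["Enumerates connected drives"] = drives
    if autorun := drops_autorun_inf(events):
        hits["Drops autorun.inf file"] = autorun
    if sys32 := drops_file_in_system32(events):
        hits["Drops file in System32 directory"] = sys32
    return hits


if __name__ == "__main__":
    for name, evidence in run_signatures(SAMPLE_EVENTS).items():
        print(name)
        for item in evidence:
            print("   ", item)
```

Run against a real trace you would replace SAMPLE_EVENTS with the parsed registry, file-open and rename events from the sandbox export; the rename check is deliberately strict so that ordinary extension changes by installers or editors do not inflate the count.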

MITRE ATT&CK Enterprise v15

Tasks