General
-
Target
55fe9408918b65047b8b719ea1409513_JaffaCakes118
-
Size
372KB
-
Sample
241018-hgg8gavhrl
-
MD5
55fe9408918b65047b8b719ea1409513
-
SHA1
4866b34b276d14c6af16b609e28bfa061e258ebe
-
SHA256
05632fe6095c3e27d69bcd00dccf62fdd83ebb76abac1d87f13db9c0e4bf4b5e
-
SHA512
212f11e8b56b0cf168e890cff8ff82de3bb8bc296b96fcf7db99ffcd1689fc01fbe040d34cd15abb3ad4245ecb7ee2c4eac170b11cfd7f377a715213928d0ed0
-
SSDEEP
6144:NXafWK7kERZSnlIV7N0Sz2yQkD3uO5C6wh09cEyPctlt8c4etlFpj/opl3acD28n:NXuRZgIzi9sv5CrhUc8xN5CD2jR
Static task
static1
Behavioral task
behavioral1
Sample
55fe9408918b65047b8b719ea1409513_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
55fe9408918b65047b8b719ea1409513_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+undoj.txt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/56E8DB3E75B845FF
http://kkd47eh4hdjshb5t.angortra.at/56E8DB3E75B845FF
http://ytrest84y5i456hghadefdsd.pontogrot.com/56E8DB3E75B845FF
http://xlowfznrg4wf7dli.onion/56E8DB3E75B845FF
http://xlowfznrg4wf7dli.ONION/56E8DB3E75B845FF
Extracted
C:\Program Files\7-Zip\Lang\Recovery+dksrc.txt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/37471A4371422B25
http://kkd47eh4hdjshb5t.angortra.at/37471A4371422B25
http://ytrest84y5i456hghadefdsd.pontogrot.com/37471A4371422B25
http://xlowfznrg4wf7dli.onion/37471A4371422B25
http://xlowfznrg4wf7dli.ONION/37471A4371422B25
Targets
-
-
Target
55fe9408918b65047b8b719ea1409513_JaffaCakes118
-
Size
372KB
-
MD5
55fe9408918b65047b8b719ea1409513
-
SHA1
4866b34b276d14c6af16b609e28bfa061e258ebe
-
SHA256
05632fe6095c3e27d69bcd00dccf62fdd83ebb76abac1d87f13db9c0e4bf4b5e
-
SHA512
212f11e8b56b0cf168e890cff8ff82de3bb8bc296b96fcf7db99ffcd1689fc01fbe040d34cd15abb3ad4245ecb7ee2c4eac170b11cfd7f377a715213928d0ed0
-
SSDEEP
6144:NXafWK7kERZSnlIV7N0Sz2yQkD3uO5C6wh09cEyPctlt8c4etlFpj/opl3acD28n:NXuRZgIzi9sv5CrhUc8xN5CD2jR
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1