General

  • Target

    56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118

  • Size

    217KB

  • Sample

    241018-mkad9asbkd

  • MD5

    56f16414e71c5263c57a4ce7733c70b5

  • SHA1

    d74ea238db6e0870422f6dcc4fef83964a380d1a

  • SHA256

    821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3

  • SHA512

    a492452c26f6c6d36853edcd13db03645442ea82c761940a1c0f96bc0fab7269fbb99c2e83350ecc06143cb142ddcadc6fce2ea32312440fc985b163b60d46ca

  • SSDEEP

    6144:dC61i972KJmciP8yGw44DQFu/U3buRKlemZ9DnGAe6MTgGkT/+:dK972P/kyGv4DQFu/U3buRKlemZ9DnGm

Targets

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7361) files with added filename extension

      This is consistent with ransomware activity: encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
