General
-
Target
60e1f05e13430883a21411c913f26f60_JaffaCakes118
-
Size
397KB
-
Sample
241020-hjzkjawglr
-
MD5
60e1f05e13430883a21411c913f26f60
-
SHA1
058d45a4b81078b9b6745800d480f0438d68dfd7
-
SHA256
aee56fd1e95c8928897dd382ed846d47bbbc38ac2c3006fcc52ee9d44691a4b7
-
SHA512
59a899a3c411dd1b13ed1ad1bc79ce5114d6b983e19622014916b8ad258170ff0b147871edfb3a96d3e0b8e2801c81dbba79921dd2592258b39db394da9b0378
-
SSDEEP
6144:ZD1l50JVkn1iqrswNvO5L+i79BnurVi7V9DwHfc8FdRYZITVL4f+cg:F1l50HW1i9L77X4M9sHLNYZYVL4ftg
Static task
static1
Behavioral task
behavioral1
Sample
60e1f05e13430883a21411c913f26f60_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
60e1f05e13430883a21411c913f26f60_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\help_restore_files_puwsb.txt
http://zijugartu9eri.k948fsoahvnzyxe.com/6864827D93A6AFDB
https://djdkduep62kz4nzx.tor2web.blutmagie.de/6864827D93A6AFDB
http://djdkduep62kz4nzx.onion/6864827D93A6AFDB
http://kkriemfd94j3f.djeismda4lfp8.com/6864827D93A6AFDB
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\help_restore_files_puwsb.html
Targets
-
-
Target
60e1f05e13430883a21411c913f26f60_JaffaCakes118
-
Size
397KB
-
MD5
60e1f05e13430883a21411c913f26f60
-
SHA1
058d45a4b81078b9b6745800d480f0438d68dfd7
-
SHA256
aee56fd1e95c8928897dd382ed846d47bbbc38ac2c3006fcc52ee9d44691a4b7
-
SHA512
59a899a3c411dd1b13ed1ad1bc79ce5114d6b983e19622014916b8ad258170ff0b147871edfb3a96d3e0b8e2801c81dbba79921dd2592258b39db394da9b0378
-
SSDEEP
6144:ZD1l50JVkn1iqrswNvO5L+i79BnurVi7V9DwHfc8FdRYZITVL4f+cg:F1l50HW1i9L77X4M9sHLNYZYVL4ftg
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (369) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
3