General
-
Target
6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118
-
Size
604KB
-
Sample
241023-r6v1asxfqp
-
MD5
6f7abbc706baecf6e86cde729475dc7d
-
SHA1
00a55e2ae828f928770fdd1c59da361198fba382
-
SHA256
85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c
-
SHA512
70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092
-
SSDEEP
12288:PsEXei41jA1WnzVSxq5p1qHVXACWOEogk3pmIc5A1WnzVSxq5p1qH:PsEX341jA1wBSggHlpp3r0A1wBSggH
Static task
static1
Behavioral task
behavioral1
Sample
6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvdte.txt
http://ert54nfh6hdshbw4f.nursespelk.com/847E38AFD194A5AC
http://kk4dshfjn45tsnkdf34fg.tatiejava.at/847E38AFD194A5AC
http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/847E38AFD194A5AC
http://fwgrhsao3aoml7ej.onion/847E38AFD194A5AC
Extracted
C:\Program Files\7-Zip\Lang\Recovery+ydevf.txt
http://ert54nfh6hdshbw4f.nursespelk.com/995C55E8C6558A9B
http://kk4dshfjn45tsnkdf34fg.tatiejava.at/995C55E8C6558A9B
http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/995C55E8C6558A9B
http://fwgrhsao3aoml7ej.onion/995C55E8C6558A9B
Targets
-
-
Target
6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118
-
Size
604KB
-
MD5
6f7abbc706baecf6e86cde729475dc7d
-
SHA1
00a55e2ae828f928770fdd1c59da361198fba382
-
SHA256
85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c
-
SHA512
70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092
-
SSDEEP
12288:PsEXei41jA1WnzVSxq5p1qHVXACWOEogk3pmIc5A1WnzVSxq5p1qH:PsEX341jA1wBSggHlpp3r0A1wBSggH
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1