Extracted

Extracted

• • Target

    8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118

  • Size

    384KB

  • MD5

    8736b31e13bcd6e154dd6ad39b839f8c

  • SHA1

    9135b9746cb37636cd26cbcc73ffd0451a34b426

  • SHA256

    5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

  • SHA512

    1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf

  • SSDEEP

    6144:SeVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:gON09XotWgOfmgLA8cNYQAojtwU2xnv9

  Score

  10^/10

  teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Teslacrypt family

    teslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Suspicious use of SetThreadContext

  behavioral1behavioral2