General
-
Target
9213073f63c1542315acdad27c0b8b78_JaffaCakes118
-
Size
360KB
-
Sample
241124-c3j2aswlbr
-
MD5
9213073f63c1542315acdad27c0b8b78
-
SHA1
77b5765cd37ccfb7608611291d66e68b7d68e2dc
-
SHA256
1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
-
SHA512
9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
-
SSDEEP
6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi
Static task
static1
Behavioral task
behavioral1
Sample
9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+anife.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C29CA99EA48E69
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C29CA99EA48E69
http://yyre45dbvn2nhbefbmh.begumvelic.at/7C29CA99EA48E69
http://xlowfznrg4wf7dli.ONION/7C29CA99EA48E69
Targets
-
-
Target
9213073f63c1542315acdad27c0b8b78_JaffaCakes118
-
Size
360KB
-
MD5
9213073f63c1542315acdad27c0b8b78
-
SHA1
77b5765cd37ccfb7608611291d66e68b7d68e2dc
-
SHA256
1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
-
SHA512
9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
-
SSDEEP
6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (422) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1