General
-
Target
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118
-
Size
376KB
-
Sample
241124-y5gjvatmhl
-
MD5
97020660b63757de9c0e8ad51eed9acf
-
SHA1
bc75b2b04ec8591829a69a7634698c2d7ff406b5
-
SHA256
9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
-
SHA512
a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
-
SSDEEP
6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d
Static task
static1
Behavioral task
behavioral1
Sample
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lkufq.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8AE376AEAF8819AF
http://kkd47eh4hdjshb5t.angortra.at/8AE376AEAF8819AF
http://ytrest84y5i456hghadefdsd.pontogrot.com/8AE376AEAF8819AF
http://xlowfznrg4wf7dli.ONION/8AE376AEAF8819AF
Extracted
C:\Program Files\7-Zip\Lang\Recovery+ollwb.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/682EAFD4985674FD
http://kkd47eh4hdjshb5t.angortra.at/682EAFD4985674FD
http://ytrest84y5i456hghadefdsd.pontogrot.com/682EAFD4985674FD
http://xlowfznrg4wf7dli.ONION/682EAFD4985674FD
Targets
-
-
Target
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118
-
Size
376KB
-
MD5
97020660b63757de9c0e8ad51eed9acf
-
SHA1
bc75b2b04ec8591829a69a7634698c2d7ff406b5
-
SHA256
9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
-
SHA512
a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
-
SSDEEP
6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (376) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1