341435c117881a0bf2a791134c4708c1b21ad208b1bdd1fc86db0c6e0f7575c3 | Triage

Sharing

General

Target

9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118
Size

315KB
Sample

241125-2x4wys1kft
MD5

9e66aa1e09ea99b1b50a6b1e1e0d8460
SHA1

2a96fcdaffff4d100750ef82b4398ab0039cece8
SHA256

341435c117881a0bf2a791134c4708c1b21ad208b1bdd1fc86db0c6e0f7575c3
SHA512

76101c106048a5a7fa8b5768863160a7d849ae5233f47d0f5d061739a82b783b5a5fc1eebd382b88f983d5167f745bc8e4d5891648d93c3312fb8990e96f5bc8
SSDEEP

6144:WmK7MifvmpPYBdJEm3OaPHXLJRfyA+hrmHIIzAEK:V3iKQd3OW3LHKAumHbAEK

Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Targets

- Target
  
  9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118
- Size
  
  315KB
- MD5
  
  9e66aa1e09ea99b1b50a6b1e1e0d8460
- SHA1
  
  2a96fcdaffff4d100750ef82b4398ab0039cece8
- SHA256
  
  341435c117881a0bf2a791134c4708c1b21ad208b1bdd1fc86db0c6e0f7575c3
- SHA512
  
  76101c106048a5a7fa8b5768863160a7d849ae5233f47d0f5d061739a82b783b5a5fc1eebd382b88f983d5167f745bc8e4d5891648d93c3312fb8990e96f5bc8
- SSDEEP
  
  6144:WmK7MifvmpPYBdJEm3OaPHXLJRfyA+hrmHIIzAEK:V3iKQd3OW3LHKAumHbAEK
Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

collectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

behavioral2

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan