Resubmissions
  241127-k9zz4atpgm  10  27/11/2024, 09:18 UTC
  241127-h5x9laznhp  10  27/11/2024, 07:19 UTC
  241126-nwbl5awlcj  10  26/11/2024, 11:44 UTC
  241126-nj43xavqgk  10  26/11/2024, 11:26 UTC
  241126-m7p38aykas  10  26/11/2024, 11:06 UTC
  241126-m64j8avlem  10  26/11/2024, 11:05 UTC
  241126-m3e3fsvkcm  10  26/11/2024, 10:59 UTC
  241126-gvaj4svlhl  10  26/11/2024, 06:07 UTC
  241126-gsj1rsvlbr  10  26/11/2024, 06:03 UTC

General
  Target:  a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118
  Size:    388KB
  Sample:  241127-k9zz4atpgm
  MD5:     a0340430d4b1c1f6dd4048ab98f2e4b2
  SHA1:    a43ff275972b4ed9b7f3ece61d7d49375db635e9
  SHA256:  9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217
  SHA512:  54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d
  SSDEEP:  12288:XhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:p4DRw7325gPh
Tasks
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:    a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
    Resource:  win11-20241007-en

Malware Config
  Extracted from: C:\Program Files\7-Zip\Lang\Recovery+jbwtx.txt
  Family: teslacrypt
  Payment/C2 URLs in the ransom note:
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89A734646B474759
    http://kkd47eh4hdjshb5t.angortra.at/89A734646B474759
    http://ytrest84y5i456hghadefdsd.pontogrot.com/89A734646B474759
    http://xlowfznrg4wf7dli.ONION/89A734646B474759
Targets
  Target: a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118 (388KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
  - TeslaCrypt, AlphaCrypt
    Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  - Teslacrypt family
  - Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
  - Renames multiple (795) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  - Drops startup file
  - Event Triggered Execution: Component Object Model Hijacking
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Drops desktop.ini file(s)
  - Indicator Removal: File Deletion
    Adversaries may delete files left behind by the actions of their intrusion activity.
  - Checks system information in the registry
    System information is often read in order to detect sandboxing environments.
  - Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (technique: hit count)
  Persistence
    Boot or Logon Autostart Execution: 1
      Registry Run Keys / Startup Folder: 1
    Event Triggered Execution: 2
      Change Default File Association: 1
      Component Object Model Hijacking: 1
  Privilege Escalation
    Boot or Logon Autostart Execution: 1
      Registry Run Keys / Startup Folder: 1
    Event Triggered Execution: 2
      Change Default File Association: 1
      Component Object Model Hijacking: 1
  Credential Access
    Credentials from Password Stores: 1
      Credentials from Web Browsers: 1
    Unsecured Credentials: 1
      Credentials In Files: 1