General
-
Target
dd7fc1aa306ebacbd7f4359a2947678a_JaffaCakes118
-
Size
289KB
-
Sample
241210-hkrw3sslhm
-
MD5
dd7fc1aa306ebacbd7f4359a2947678a
-
SHA1
f1f2c8416efc7d421e3314199ade159b3f7b0af6
-
SHA256
c52b627ac93e5553eeb3d1e15c66b69ab8e17f14663f9c77258261bcc50c9a73
-
SHA512
e689d4b0d5867faef1afbec25437d28739139731ea58dda57079eeba0869f7064108c312b2fc0d034d103318613b2bb3e2ed4e350c52963b269d1b66a5956cdd
-
SSDEEP
3072:OwsDllYBrJ5mbtEqaAQcyWbPUo8TvAxGzPhUosTV62fN3WrLY:5slYBObKRiPx8TBCoYV62fN3W
Static task
static1
Behavioral task
behavioral1
Sample
dd7fc1aa306ebacbd7f4359a2947678a_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
dd7fc1aa306ebacbd7f4359a2947678a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
F:\$RECYCLE.BIN\PMECSWHIGA-DECRYPT.txt
http://gandcrabmfe6mnef.onion/dd1a76466e384619
Extracted
C:\$Recycle.Bin\MJUTWJGC-DECRYPT.txt
http://gandcrabmfe6mnef.onion/6942d216f05dac25
Targets
-
Gandcrab family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (279) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal (1)
File Deletion (1)
Modify Registry (2)
Subvert Trust Controls (1)
Install Root Certificate (1)
Credential Access
Credentials from Password Stores (2)
Credentials from Web Browsers (1)
Windows Credential Manager (1)
Unsecured Credentials (1)
Credentials In Files (1)