General
-
Target
e149f0097d9815526a006e3a9ebe894f_JaffaCakes118
-
Size
573KB
-
Sample
241211-np8y2svqcj
-
MD5
e149f0097d9815526a006e3a9ebe894f
-
SHA1
331bacac501c93a0cd1efa1f280c08640e5fbd9b
-
SHA256
0c4fb3ee51d15a55c3679ec2d90a7445e8a36514281eebc16739d383d46028ca
-
SHA512
1bd697ee1bc5b613e54de35aca2fa17fd630f42de1fa4d2ed4da07d0890fd8f99595139093f943e83a7563988701c7696ddfeaa75d9a4a600c01b8c17e5eb00a
-
SSDEEP
12288:EhmNTlga3Clkj+uS1KJQw3w0T65bHd93HzkCMu:Ya3C0SEx3wCw993Hzktu
Static task
static1
Behavioral task
behavioral1
Sample
e149f0097d9815526a006e3a9ebe894f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e149f0097d9815526a006e3a9ebe894f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\NDRDJSOQW-DECRYPT.txt
http://gandcrabmfe6mnef.onion/bcec7a4a2c9c86cf
Extracted
C:\PerfLogs\DJDLLVNH-DECRYPT.txt
http://gandcrabmfe6mnef.onion/5b72cb55d4bea4c
Targets
-
-
Target
e149f0097d9815526a006e3a9ebe894f_JaffaCakes118
-
Size
573KB
-
MD5
e149f0097d9815526a006e3a9ebe894f
-
SHA1
331bacac501c93a0cd1efa1f280c08640e5fbd9b
-
SHA256
0c4fb3ee51d15a55c3679ec2d90a7445e8a36514281eebc16739d383d46028ca
-
SHA512
1bd697ee1bc5b613e54de35aca2fa17fd630f42de1fa4d2ed4da07d0890fd8f99595139093f943e83a7563988701c7696ddfeaa75d9a4a600c01b8c17e5eb00a
-
SSDEEP
12288:EhmNTlga3Clkj+uS1KJQw3w0T65bHd93HzkCMu:Ya3C0SEx3wCw993Hzktu
-
Gandcrab family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (283) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1