General

  • Target

    JaffaCakes118_0bf948a05116ea7c96990aad936e5b3a

  • Size

    1.0MB

  • Sample

    250529-2tvtwazkz7

  • MD5

    0bf948a05116ea7c96990aad936e5b3a

  • SHA1

    37405987519bf3b3cb7e9097559c401b84d349fb

  • SHA256

    58fe3e319b116b4fd80121eab6f01e3c81855501aad562c5ccafc324d85c5c27

  • SHA512

    62bd3e963aaa484f97de59780e0a82906f34b37a05c2dfb43440972b8cc63cdb50cbc6638d749e27e6284d0549b7194ae6944023000a9ad302a765bb1cb5714f

  • SSDEEP

    24576:eRohq+QEOoh6EFE4MdXyMQQd6uzfCycIOag8:05+9DF/0Thd6u7WI

Targets

    • Renames multiple (152) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system and appending a new extension to each.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
