General

  • Target

    JaffaCakes118_0c14e67645ad62c15dae91cd644fa7c0

  • Size

    543KB

  • Sample

    250530-askhzadk81

  • MD5

    0c14e67645ad62c15dae91cd644fa7c0

  • SHA1

    081caa04a4daf07f325962b76eaec95567e859a2

  • SHA256

    e02fb9ef57b62def35581f785d90c910a8f8692ed1837ae7742ee4d47f41720a

  • SHA512

    9b2643530e3a1ba835f6093b69ce23eb217e8e254d6d6561f797c791b288a1b5787068aa0857314c1bbe464c6d3b12c3a51835501fd3b7849714ae44297f5d92

  • SSDEEP

    12288:lqMbhqZabMrcayfbzBmyLXUprGyRx5fBfUwrY4UGY/IT:qZy+clhmyIpCyRxbzOGYgT

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • Renames multiple (55) files, appending a filename extension

      This suggests ransomware activity: encrypting the files on the system and marking them with a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16