General
Target: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118
Size: 956KB
Sample: 240618-gwwtqs1anh
MD5: bb0ec4dcd82c36030e90c35f2befc98b
SHA1: 2301873031d36f4c43b829a89d11d330748e8d08
SHA256: 2862a518501814114385ad07ab0b982c4da1ea665afc4a229649dd76f2881205
SHA512: cb2f35405047e55cbcf6294eb181eef41aba523c5f250f41e513b131db753cda89a410742ea24b703b110b0124006b25fb4aa2a082351e8e5d30a416e2751d10
SSDEEP: 12288:YfrJu/17ACSq+4I6md1AxLisPgNysw8q8eku9e93888888888888W8888888888n:u8/1Mlt1CJiyiSV9f
Static task: static1
Behavioral task: behavioral1
  Sample: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: C:\MSOCache\EPJVL-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/1e3e439e90777746
Extracted: F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\UKPEKOLFEL-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/fa9a721eb3b3c11f
Targets
Target: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118
Size: 956KB
MD5: bb0ec4dcd82c36030e90c35f2befc98b
SHA1: 2301873031d36f4c43b829a89d11d330748e8d08
SHA256: 2862a518501814114385ad07ab0b982c4da1ea665afc4a229649dd76f2881205
SHA512: cb2f35405047e55cbcf6294eb181eef41aba523c5f250f41e513b131db753cda89a410742ea24b703b110b0124006b25fb4aa2a082351e8e5d30a416e2751d10
SSDEEP: 12288:YfrJu/17ACSq+4I6md1AxLisPgNysw8q8eku9e93888888888888W8888888888n:u8/1Mlt1CJiyiSV9f
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (321) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext