General
Target: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118
Size: 168KB
Sample: 240622-nd7a3swbje
MD5: 01def9f56c9af2d97800d7366551a2f1
SHA1: 3845b36222249023360100a1b3a6f40dfd165321
SHA256: 4a9dad6192998bba2047afd0edcde14f7d81a3171e639cac7d30615ae6b9d8a3
SHA512: aa2bcddc092d1d556d04b6aaaeb5dce91cb9536cc3cf420fcf2169dc603a132c72f870df13cb02e2dd8f788900995146ac1944100ed50d2803412728cbe32697
SSDEEP: 3072:tgk9+8F/zGO4O9AFracIaDa2HtvudUYJDjnxk0RVikMbqT:Ce2eIG7aDa21e3tVi3C
Behavioral task: behavioral1
Sample: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
Resource: win7-20240508-en

Malware Config
Extracted
Path: F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\PIEDYQ-MANUAL.txt
Family: gandcrab
URL: http://gandcrabmfe6mnef.onion/cef86405e4c71c7c
Extracted
Path: F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\YLTFWX-MANUAL.txt
Family: gandcrab
URL: http://gandcrabmfe6mnef.onion/a6f2fc4580742886
Targets
Target: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118
Size: 168KB
MD5: 01def9f56c9af2d97800d7366551a2f1
SHA1: 3845b36222249023360100a1b3a6f40dfd165321
SHA256: 4a9dad6192998bba2047afd0edcde14f7d81a3171e639cac7d30615ae6b9d8a3
SHA512: aa2bcddc092d1d556d04b6aaaeb5dce91cb9536cc3cf420fcf2169dc603a132c72f870df13cb02e2dd8f788900995146ac1944100ed50d2803412728cbe32697
SSDEEP: 3072:tgk9+8F/zGO4O9AFracIaDa2HtvudUYJDjnxk0RVikMbqT:Ce2eIG7aDa21e3tVi3C

Signatures
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (248) files with added filename extension
  This suggests ransomware activity: encrypting all files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofencing check.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry