General

  • Target

    JaffaCakes118_01ae6cf6829a1eed952cf33a093f11fa

  • Size

    108KB

  • Sample

    250511-g6fkhagk7z

  • MD5

    01ae6cf6829a1eed952cf33a093f11fa

  • SHA1

    5fbf3b284ab5b38d981f9de6adb6987d30d5019f

  • SHA256

    84f32905916d51dd011e0df8f98cc934b523a03b087cdf6b809659ec03adaf39

  • SHA512

    c9bfbfb4f00045177398646cf33081c839a366bc10bc52025d45c8e1724729f651452bd981e826696f0456deb3f31803a12ef7a21aa132b09d18360fa601a5f7

  • SSDEEP

    1536:S2Inyi09OZGR2cFgd2w9UlAWethqqjb4zHZfBpa9nNAMDr6tSQZx1:pInyiMOaFg1Gq4W9nNAGqSI

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files!!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our contact: Helperwork500
You will need to register with the TOR sonar service (http://sonarmsniko2lvfu.onion)
You need a tor browser. And write to our contact: Helperwork500
Reserve e-mail address to contact us: [email protected]
For more confidence, it is better to write to both contacts (sonar and email).
In the message, immediately indicate the name of your company that you represent.
Key Identifier: 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
Number of files that were processed is: 152
URLs

http://sonarmsniko2lvfu.onion

Targets

    • Target

      JaffaCakes118_01ae6cf6829a1eed952cf33a093f11fa

    • Size

      108KB

    • MD5

      01ae6cf6829a1eed952cf33a093f11fa

    • SHA1

      5fbf3b284ab5b38d981f9de6adb6987d30d5019f

    • SHA256

      84f32905916d51dd011e0df8f98cc934b523a03b087cdf6b809659ec03adaf39

    • SHA512

      c9bfbfb4f00045177398646cf33081c839a366bc10bc52025d45c8e1724729f651452bd981e826696f0456deb3f31803a12ef7a21aa132b09d18360fa601a5f7

    • SSDEEP

      1536:S2Inyi09OZGR2cFgd2w9UlAWethqqjb4zHZfBpa9nNAMDr6tSQZx1:pInyiMOaFg1Gq4W9nNAGqSI

    • Disables service(s)

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender TamperProtection settings

    • Renames multiple (52) files with added filename extension

      This is consistent with ransomware encrypting files in place and appending an extension to each encrypted file.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Windows security modification

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Network Share Discovery

      Attempts to gather information about network shares reachable from the host.
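The signatures above (Defender and firewall settings modified, a burst of files renamed with an added extension, a ransom note dropped on the Desktop) map directly onto host telemetry a responder can hunt over. The following Python is an added example, not part of the sandbox report or the sample: it runs those heuristics over constructed, Sysmon-style events (registry value set, file rename, file create). The registry paths are the real Windows Defender policy and firewall-profile locations; the PIDs, the ".locked" extension and the rename threshold of 20 are assumptions for the example (the report does not name the extension the sample appends).

```python
"""Host-telemetry triage for the behaviours in the report above.

Added example, not from the sandbox report. SAMPLE_EVENTS is constructed
to resemble Sysmon-style telemetry and is not data from the sample.
"""
from collections import defaultdict

# Real registry locations behind the "Modifies Windows Defender ..." and
# "Modifies Windows Firewall" signatures, with the value that weakens protection.
TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": 1,
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": 0,
}
# Any write here is suspicious regardless of value: Tamper Protection is
# managed by Defender / management tooling, not by arbitrary processes.
TAMPER_PROTECTION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RANSOM_NOTE_NAMES = {"restore_files_info.txt"}  # basename from the extracted config above


def appended_extension(old, new):
    """Return the suffix if `new` is `old` plus one extra '.ext' in the same directory, else None."""
    if new.lower().startswith(old.lower()) and len(new) > len(old):
        suffix = new[len(old):]
        if suffix.startswith(".") and len(suffix) > 1 and "\\" not in suffix:
            return suffix.lower()
    return None


def find_security_tampering(events):
    """Registry writes that disable Defender or the firewall: (pid, target, value)."""
    hits = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        target = ev["target"]
        if target == TAMPER_PROTECTION_KEY or TAMPER_VALUES.get(target) == ev["value"]:
            hits.append((ev["pid"], target, ev["value"]))
    return hits


def find_rename_bursts(events, threshold=20):
    """Processes that appended the same extension to >= threshold files: {pid: (count, ext)}.

    The report's signature fired at 52 renames; `threshold` is a tunable, not a report value.
    """
    per_pid = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["type"] == "rename":
            ext = appended_extension(ev["old"], ev["new"])
            if ext:
                per_pid[ev["pid"]][ext] += 1
    bursts = {}
    for pid, exts in per_pid.items():
        ext, count = max(exts.items(), key=lambda kv: kv[1])
        if count >= threshold:
            bursts[pid] = (count, ext)
    return bursts


def find_ransom_notes(events):
    """File creates whose basename is a known ransom-note name."""
    return sorted(ev["path"] for ev in events
                  if ev["type"] == "create"
                  and ev["path"].rsplit("\\", 1)[-1].lower() in RANSOM_NOTE_NAMES)


def triage(events):
    return {
        "security_tampering": find_security_tampering(events),
        "rename_bursts": find_rename_bursts(events),
        "ransom_notes": find_ransom_notes(events),
    }


# Constructed telemetry: PID 4120 plays the encryptor, PID 2200 a benign editor
# doing a save-via-rename. ".locked" is a placeholder extension (assumption).
SAMPLE_EVENTS = [
    {"type": "reg_set", "pid": 4120, "value": 1,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "reg_set", "pid": 4120, "value": 1,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "reg_set", "pid": 4120, "value": 0,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"type": "rename", "pid": 2200,
     "old": r"C:\Users\Admin\Documents\~report.tmp", "new": r"C:\Users\Admin\Documents\report.docx"},
    {"type": "create", "pid": 4120, "path": r"C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt"},
] + [
    {"type": "rename", "pid": 4120,
     "old": rf"C:\Users\Admin\Documents\file{i}.xlsx",
     "new": rf"C:\Users\Admin\Documents\file{i}.xlsx.locked"}
    for i in range(52)
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name, findings)
```

The rename heuristic keys on "new name equals old name plus one appended extension in the same directory", which is what distinguishes this sample's behaviour from ordinary save-via-rename patterns (the benign editor event above is ignored). On a real host, feed it Sysmon Event ID 13 for the registry writes and whatever file-rename source the EDR exposes, and tune the threshold to the environment.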

MITRE ATT&CK Enterprise v16
