d7fbb74b3f0f29bbca645f9d00798d0d07bbde76269f5929f71603d4292bc31f

General

Target

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
Size

10.1MB
MD5

fbf178d163bc05e3f3822746bb298de4
SHA1

289744ae7129e13d46ecca541b0215e170329846
SHA256

d7fbb74b3f0f29bbca645f9d00798d0d07bbde76269f5929f71603d4292bc31f
SHA512

c41976b23dc132a48c550feffd5f7cefd658879dc1f2449939280f9f683079f3471eb0f6620c9c65606ce8945277e942d1c79119cce20e244b8795b2dd42b298
SSDEEP

98304:ri09IMzKpXOMGQQIMzKpXOMGQsIMzKpXOMGQr:W09I2lyQI2lysI2lyr

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe	aspack_v212_v242
F:\AutoRun.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2848 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe

pid process

2320 fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
2320 fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe

pid	process
2848	HelpMe.exe

pid	process
2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\S:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\W:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\T:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\N:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\L:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\U:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\H:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\X:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\Z:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\O:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\R:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\M:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\P:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\G:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\I:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\V:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe

description	pid	process	target process
PID 2320 wrote to memory of 2848	2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe	HelpMe.exe
PID 2320 wrote to memory of 2848	2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe	HelpMe.exe
PID 2320 wrote to memory of 2848	2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe	HelpMe.exe
PID 2320 wrote to memory of 2848	2320	fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbf178d163bc05e3f3822746bb298de4_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2848

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe
Filesize
10.1MB

MD5
8f38daac499d1fcd4da3abc4d23ffb7a

SHA1
43bf0d16cc8babde850d908f9fe5d15144d792e2

SHA256
8d281ee2eec21adb5095b76b1b233c269329da2fa62b1cb26024ff5dbe703175

SHA512
cbc61346f09a05a908165deba5ef52a751f22b19282bd880f6b94422029dbe1441f4835202200eecb1f970d7c425c27a01815f11dae0e4595a79d02d5d8a4904

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
983f7ff90172f5a86ac5ede7494ed596

SHA1
a034150b1061f23ff80f4f7e30752cfbae9e8b99

SHA256
f8b9d761cc9392265fb32566ca50389b5510797215b78c1d652d8ccd9ed7cc1d

SHA512
4553f1adac266fa3a6b0e3dc5e05673771de7d641ec86d5bb58f1bcae463c92311d16609738ccd5701be398c0b91a63bbef572b4390612212c2d74595680f9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
950B

MD5
8ccd0a2adf949e3492ccaeec097ab976

SHA1
559d2c78337011c5c1f4258df9b72eca4147f289

SHA256
7344f8095467f35c70006dcbb324e5a19275c67004e67895b555e418c6a413ac

SHA512
d1f4c0032316ef5e8aa5c50d75328957116ef64ba9ac53e0b245c2ccc17660f6ad688d0735096a47b8c57481bfd24e04392da51b31d6c1fd3be687ebc706bc2f

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
10.1MB

MD5
fbf178d163bc05e3f3822746bb298de4

SHA1
289744ae7129e13d46ecca541b0215e170329846

SHA256
d7fbb74b3f0f29bbca645f9d00798d0d07bbde76269f5929f71603d4292bc31f

SHA512
c41976b23dc132a48c550feffd5f7cefd658879dc1f2449939280f9f683079f3471eb0f6620c9c65606ce8945277e942d1c79119cce20e244b8795b2dd42b298

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
7.2MB

MD5
ef483a119fb304e5c462ec61b69ea275

SHA1
289933e4137501860bd3b9cde4de24827389bacf

SHA256
c8783bac98e95e4d00adfea656a8b82db754e2ea6cddd2ae62198b1fea18064c

SHA512
9824190415b0054df33fd2c5f2073959cce051c2fa912b1b76ad91c850cf3fbb8b505e0af4b7846e6032a7934c9556bfd61d322dd88f47ce5eadd7fbedad43ae

Download Submit
memory/2320-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2320-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads