46b6cf3f8fdd8b3b32380411837cb43077ec564129b628c621bbe7c9c0fec454

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
Size

488KB
MD5

fff5749a07ac1fea91e0e51a34c16189
SHA1

405c93c35057e275de8f1d852b5c2fd013ac451f
SHA256

46b6cf3f8fdd8b3b32380411837cb43077ec564129b628c621bbe7c9c0fec454
SHA512

9ca4245858d8211ef6c54648edca774efc81710717bc68bd60cce3d17f289255582759bd3a08d72bb95b7dd3b0ec55906b29b253369798f360cafe02a98b04d4
SSDEEP

6144:ZiMmXRH6pXfSb0ceR/VFAHh1kgcs0HWHkyApOhP/SgljwRwdX/1H9fYavJiP/:zMMpXKb0hNGh1kG0HWNAuCsltHlYz/

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c00000001233c-2.dat	aspack_v212_v242
behavioral1/files/0x0032000000015c4c-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	HelpMe.exe

Loads dropped DLL 31 IoCs

pid	Process
2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe
3036	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\V:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\W:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\B:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\I:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\J:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\H:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\N:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\R:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\Z:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\U:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\M:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\S:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\P:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\T:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\X:	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3036	2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe	28
PID 2980 wrote to memory of 3036	2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe	28
PID 2980 wrote to memory of 3036	2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe	28
PID 2980 wrote to memory of 3036	2980	fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fff5749a07ac1fea91e0e51a34c16189_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe

Filesize
489KB

MD5
717cc7fc76629ca1b83d1139d8d6d7f1

SHA1
837b71b7568409d6da22967d3ace707c578801f4

SHA256
f7370fc888f379a44a737ab9c9ac6f4f3166363932db4f54b1ac8c44fd6dce71

SHA512
dc81917afd58b9f6bea4d179e8b991c3d6c58269be32a8784367165a53600d871629fcda0418eb4f332202b6882b25bba841bf210b9890ada65750584f2aafa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
09484a38eb75e6da3bf132655ac0d739

SHA1
14f3bd66855397954d4bc39c69041c8abc510f33

SHA256
775fe8b6d67f09a767d43aca93e865d404b07bd3f7bf779ec41721b52b2950cd

SHA512
c2b9898c8ce9ef4618b382ca59a28bbbd7473557e0a74f697511c3114450c86eb325b5c617626e55a50fbc9d8d397d73afa3090409d97b888597b0f29262b7b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
9ecf256bfd7f099353a1ba9421a1619b

SHA1
c231cc1864fbf6ce80ca7afb43666f0bc08e61ca

SHA256
ceac2d74a6ea6a439803b46511e62d2da5266bb40f775871007a26fb70c604fe

SHA512
4bb1fd3666e421dd1a5527dd0a064208d7b7c7f3cbfa76539692e6ef2cf636a759373b4cc8811bff816b0efd3914ce3d747558af134049255e96067a9271d194

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
488KB

MD5
fff5749a07ac1fea91e0e51a34c16189

SHA1
405c93c35057e275de8f1d852b5c2fd013ac451f

SHA256
46b6cf3f8fdd8b3b32380411837cb43077ec564129b628c621bbe7c9c0fec454

SHA512
9ca4245858d8211ef6c54648edca774efc81710717bc68bd60cce3d17f289255582759bd3a08d72bb95b7dd3b0ec55906b29b253369798f360cafe02a98b04d4

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
487KB

MD5
9bc8bebbcbb3b2ee1a023a27ccedb967

SHA1
4805c4764ca0d6e4338bed6ab48263e2de9a8343

SHA256
b25810138552f7e38040573ca4d82254784ea7d87c961be191deed8ae84b0549

SHA512
5f80896824b940d50c9627e27575241c28831f5bfd872eb0ca8fd3a914b617ef5d81c1b768347e8d25c590af18d923f2945d5287e9ee0b645520b7b085d17c9d

Download Submit
memory/2980-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2980-244-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3036-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads