7df4b81f94e23dac8d6bf5dab2871c23af2b9d24a073f3ec6abf03bcf061bd38

General

Target

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
Size

1.1MB
MD5

01dacb4881715814e99dd9333b5616b6
SHA1

e542473ed025c2f2ecab8f9bcc09f4fdb1702a4c
SHA256

7df4b81f94e23dac8d6bf5dab2871c23af2b9d24a073f3ec6abf03bcf061bd38
SHA512

c74b2760b4242da68c3e548dc227d31195829a2794713ca686ac065a25139e8ab47c3802da2e14830532be8de78064daef524f81b323bb3f01990d4fbf95a3a5
SSDEEP

24576:ZMMpXS0hN0V0HoSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nc:Kwi0L0qlR

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe	aspack_v212_v242
F:\AutoRun.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3024 HelpMe.exe

pid	process
3024	HelpMe.exe

Loads dropped DLL 31 IoCs

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

pid	process
2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe
3024	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\Z:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\V:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\T:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\W:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\M:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\N:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\O:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\P:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\L:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\R:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\X:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\Q:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\S:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\E:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\Y:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened (read-only)	\??\U:	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe

description	pid	process	target process
PID 2240 wrote to memory of 3024	2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe	HelpMe.exe
PID 2240 wrote to memory of 3024	2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe	HelpMe.exe
PID 2240 wrote to memory of 3024	2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe	HelpMe.exe
PID 2240 wrote to memory of 3024	2240	01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01dacb4881715814e99dd9333b5616b6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe

Filesize
1.1MB

MD5
a2e9fcccc5e04d56c8269968db92dd06

SHA1
cb9464d24ac2565ebf8b50db0b239357c9687a17

SHA256
6be6a0c1d3043dc0e2736b8166610c9e66f5adbf2d0e228737dfc155ac38715d

SHA512
69dc721e1a42de87fdb92a97c36c1b562364e1a3504991bdd78cef869c957da4beb6cb5e7b77932e1334389fa7585d2a02bc209b5d73a85c28788df8ead963e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ec4ae70bffa4afbaa4018acd6d986ee8

SHA1
e998279fd91de0074a567d3d3eb6ac9b23bf2c3a

SHA256
13390d4349cef09159f447bae0f9f3ff0c246ff970faf1f404bf8f504c7a1178

SHA512
d8cbc31e180f6541cd80beab4920a11939dffc8a38b0c43af729e19418f4356f4353e1892f5887c87e87e4bff1a78864c45d731f422733784dbfd937082d8418

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
178e59e5b48ef1024360a3144f11e275

SHA1
b1979a757c1d69c14d7e767742af7623b794a535

SHA256
58e34fc57be6ae1e8d92fcd731765817bf4b68c8e826a20652f358190f9882bf

SHA512
a3efea7ff5188eddb0895c8ce88ba8cee0a07c8ea7f285919d4c7e7b6d1780e861238959c59cc62c5318a97c8fa9c6cd5325db1ae6856682fec50dc805880c88

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
01dacb4881715814e99dd9333b5616b6

SHA1
e542473ed025c2f2ecab8f9bcc09f4fdb1702a4c

SHA256
7df4b81f94e23dac8d6bf5dab2871c23af2b9d24a073f3ec6abf03bcf061bd38

SHA512
c74b2760b4242da68c3e548dc227d31195829a2794713ca686ac065a25139e8ab47c3802da2e14830532be8de78064daef524f81b323bb3f01990d4fbf95a3a5

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
463KB

MD5
140a2eb3c4b566de65be175ae34e65fc

SHA1
0f9adeafa1bbd2a16ec50c607ae6b48bbe00a986

SHA256
bfb35fd73bf7b0a0582da46a1b6fa4398535a3ec42717cb1c751ec7ce6da400e

SHA512
f7c136e722cc1213ee32672227e7063ddd64b8ecfa720e46bf160284dd76a7ec24d801acb96439b984767bf7ecafb1d2af26e732f32516c59498e6143fdea76e

Download Submit
memory/2240-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-268-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2240-363-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-242-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-357-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-230-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-254-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-343-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-339-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-292-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-328-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-304-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-231-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-305-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-317-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-329-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-340-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-269-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-344-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-358-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3024-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3024-364-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads