588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3

General

Target

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
Size

791KB
MD5

01db687f901bf71ab085868bcd4e8153
SHA1

96a7892ae24f6b8548d2dfcd503cfb4748eadf21
SHA256

588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3
SHA512

d97ed9b671589a450dae84f61bcb86862784eb90229c442463d96f23f89bbe5b7e6b0964f8f034e71f55908019b48b3d7cae9ab49c98679dffe6fdd483e2c633
SSDEEP

24576:8Etl9mRda1FSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvE:PEs1Y6

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2372 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

pid process

1736 01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
1736 01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

pid	process
2372	HelpMe.exe

pid	process
1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\K:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\P:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\Y:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Q:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\Z:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\R:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\S:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\I:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\J:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\V:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\N:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\U:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\W:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\X:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\M:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\O:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\A:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\E:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\L:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

description	pid	process	target process
PID 1736 wrote to memory of 2372	1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe
PID 1736 wrote to memory of 2372	1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe
PID 1736 wrote to memory of 2372	1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe
PID 1736 wrote to memory of 2372	1736	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

Filesize
792KB

MD5
714ca0d3cacd56ac628fb6a4067e52f8

SHA1
8d7b911d7a9955f2d89438b79e194e6abe69df08

SHA256
03f972d31a272719465b3fcf22ea2b53be411e3ad6cf9e2fc193b7defe0c3da7

SHA512
5f7924e1c55377f68f9ea36a555ca1571baf137926f3eb16d382b3286ad0779343d54b10774d15ca4def2ba0befa3ce219dc6ea7c4a6b9fcf41dc193587c531c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8c180dfb879ebb8a1060b519292e6a50

SHA1
12afaa53c66142f81b913e87ed6a23267e011e88

SHA256
0b08e2836a1eaa9ebf937d3ec86ecd6d61627d3e9484bd6cabe3fabe4a2cb2e9

SHA512
532fe5300301e9cfaf37024ad5e84cbd35ac96d41b4c3ef98a27c7aade6938cfa86ba5058ba10a05168d698b8c10c44ef3ffc3b01bdbaf725db89600d589eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
496b332c50341841025a6e3f4c3888ae

SHA1
69cfa6ddebfc8523e825104d16c25b00aedaf97b

SHA256
924d84c30d377f9e71b02ba6ae0a05f204aec5ec96c21dccd0ee4da238f2109c

SHA512
0416f71f9f13bcb68e297c63110b768ccf2c2549ffc87952be946095fd99ac5470d0356dd1fe3e0e4d3a6f14ed04276d2432b097d114365c940aa96042efc2d6

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
791KB

MD5
01db687f901bf71ab085868bcd4e8153

SHA1
96a7892ae24f6b8548d2dfcd503cfb4748eadf21

SHA256
588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3

SHA512
d97ed9b671589a450dae84f61bcb86862784eb90229c442463d96f23f89bbe5b7e6b0964f8f034e71f55908019b48b3d7cae9ab49c98679dffe6fdd483e2c633

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
790KB

MD5
3880dbdc14fcfbd6c988ccea31577d9e

SHA1
05dbfbad5367090253e72d61c1694d4175e06e2d

SHA256
5ac84cd59d51d6c80500ad7a81460de04c92961cf92cf41163af7e43e91a3cdb

SHA512
32eb2d86f0458e2dc11a97e89cc96c4c7ff8375a3f50bff3ec3689580117f8cecadc4519bda381f37c80679d8198ba0409c3eb54b4d98abe872f03427c1b1fd3

Download Submit
memory/1736-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2372-236-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads