Overview

overview

10

Static

static

3

012c0953d1...18.exe

windows7-x64

10

012c0953d1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    012c0953d1803e4e3f6a0c2183d22dd2_JaffaCakes118.exe

  • Size

    3.8MB

  • MD5

    012c0953d1803e4e3f6a0c2183d22dd2

  • SHA1

    f37b8d2be55a81475cb90288d8f3b0b7e7f322c3

  • SHA256

    81aa4fa2f5b0c027e5939a1615929cf4d58db3ccf38744ad06d6e7f85a2a85f9

  • SHA512

    121d6d049e5c0d25e7d49c83d2b04c7ee6809371c40e9f26d0bec9167b95af6268c597d76e421f98e08ee3217422b5f6df911ac885a16dacd08f096b129f4b4d

  • SSDEEP

    49152:hEs1UfPOgo7kMcbnKc/7PW9kwUidyZNSLx4qtamNzM1nEAadHi04:hE2UfzMc0MNSL14

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\012c0953d1803e4e3f6a0c2183d22dd2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\012c0953d1803e4e3f6a0c2183d22dd2_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe
    Filesize

    3.8MB

    MD5

    7f7096c0968814c1aef45e89387c06e3

    SHA1

    f109d803920667fefb8e1ae93101e18f8fe9c9f0

    SHA256

    847609b3e8bbb2d75f01cc4cfff44487ede21b0d926f772f72b8935232180b7f

    SHA512

    8dca6a2866c55db021a5428ee93cdca204f33150f025c738886aa310d83af299cc1ff9c9314a5d114a3d098ac81d50ae621f094056695f973b655ccd6ecf2072

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    22b624a6792289c96ec5e7d64b33a5e9

    SHA1

    d053fed93d04285816c4ff02a8e5023a92426a10

    SHA256

    f1fbde16f580696eb19e868fb870b861bb010be4fc3d22ae01ccd79b23efb8b5

    SHA512

    bf9373cc1b6cf939f2f7631a1910c279b83c854247bbb94872c5c1627c14ae8a2ecadd64dc387f5a3a4217f5d4c1bdbf313bb6cdf8ba957358898660e18df313

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    533fe43da1a1567cdcbeacddd33f3a31

    SHA1

    53c295918b4cee0ed7672bbea348c29299112e4a

    SHA256

    4ba13b5005b3354da5741bd547fbc8481f9a9971c77da1fea3a8e82e23d2ba1f

    SHA512

    bd4ac1edb6438c6d4f9f76561d1224375a8da4b01028d542851c8a899a786d04550cbb84f7f53e5427171d533d087ebe0611e14bb90bfbdfd01612091a4fc288

    Download Submit
  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit
  • F:\AutoRun.exe
    Filesize

    3.8MB

    MD5

    012c0953d1803e4e3f6a0c2183d22dd2

    SHA1

    f37b8d2be55a81475cb90288d8f3b0b7e7f322c3

    SHA256

    81aa4fa2f5b0c027e5939a1615929cf4d58db3ccf38744ad06d6e7f85a2a85f9

    SHA512

    121d6d049e5c0d25e7d49c83d2b04c7ee6809371c40e9f26d0bec9167b95af6268c597d76e421f98e08ee3217422b5f6df911ac885a16dacd08f096b129f4b4d

    Download Submit
  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    824KB

    MD5

    a062adf2c5653be6edd524c00fa609a1

    SHA1

    0ecdaf9e4af5694bcbe80e8dfb00ff1572b5b6a5

    SHA256

    63cc92096330f357c82dd835a123f76cecdccc1182b7fa1e7cc6f5678f0802bf

    SHA512

    3c1d68d1518e587a96fe1bc9088d83aaaa8e0c63c1e2b2b55c742ca75f5629dbb5d58449e4c13329f04bbb0ab0a581d5f189131e8b91bf5e2333de0987ac92f3

    Download Submit
  • memory/2184-0-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2184-4-0x00000000002C0000-0x0000000000339000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2184-231-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2184-1-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2184-236-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2184-241-0x00000000002C0000-0x0000000000339000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2188-13-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2188-11-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2188-242-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download