Analysis Overview
SHA256
7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124
Threat Level: Known bad
The file 28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Loads dropped DLL
ASPack v2.12-2.42
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 06:43
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 06:43
Reported
2024-05-09 06:45
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
124s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4560 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 4560 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 4560 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 06:43
Reported
2024-05-09 06:45
Platform
win7-20240419-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 1740 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 1740 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 1740 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
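Added example (not part of the sandbox report) covering the two file-system signatures above, "Drops autorun.inf file" and "Renames multiple (91) files with added filename extension". The report lists F:\AUTORUN.INF beside F:\AutoRun.exe but does not reproduce the INF text, so the autorun body below is a constructed assumption about a typical worm-style file; the renamed path (desktop.ini.exe) is copied from the report's Files section and the remaining paths are constructed. The first function extracts the programs an autorun.inf would launch, the second flags file names that carry an executable extension appended to an existing one.

```python
from __future__ import annotations

import configparser
import ntpath

# Constructed AUTORUN.INF body (assumption: the report does not show the file's text).
SAMPLE_AUTORUN_INF = """[autorun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\\open\\Command=AutoRun.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# First three paths copied from the report; the .docx pair is constructed.
SAMPLE_PATHS = [
    r"C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe",
    r"C:\Windows\SysWOW64\HelpMe.exe",
    r"F:\AutoRun.exe",
    r"C:\Users\Admin\Documents\report.docx",
    r"C:\Users\Admin\Documents\report.docx.scr",
]

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
AUTORUN_LAUNCH_KEYS = {"open", "shellexecute"}


def autorun_targets(text: str) -> list[str]:
    """Return the programs an autorun.inf would launch, in order, deduplicated.

    Looks at open=, shellexecute= and shell\\<verb>\\command= inside [autorun].
    Interpolation is off so '%SystemRoot%' is not treated as a format string.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so shell\open\Command is not mangled
    cp.read_string(text)
    targets: list[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            k = key.lower()
            if k in AUTORUN_LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                val = val.strip()
                if val and val not in targets:
                    targets.append(val)
    return targets


def double_extension(path: str) -> tuple[str, str] | None:
    """Return (original_ext, appended_ext) when an executable extension has been
    appended to a name that already had one (desktop.ini -> desktop.ini.exe)."""
    root, appended = ntpath.splitext(ntpath.basename(path))
    if appended.lower() not in EXECUTABLE_EXT:
        return None
    _, original = ntpath.splitext(root)
    if not original:
        return None
    return original.lower(), appended.lower()


def scan_paths(paths: list[str]) -> dict[str, tuple[str, str]]:
    """Map each path with an appended executable extension to its extension pair."""
    return {p: ext for p in paths if (ext := double_extension(p)) is not None}


if __name__ == "__main__":
    print("autorun launches:", autorun_targets(SAMPLE_AUTORUN_INF))
    for path, (orig, added) in scan_paths(SAMPLE_PATHS).items():
        print(f"renamed: {path} ({orig} -> {orig}{added})")
```

The double-extension check is deliberately narrow: a plain HelpMe.exe or AutoRun.exe is not flagged, only a name where a second extension was appended, which is what the rename signature describes.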
Processes
C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
memory/1740-0-0x0000000000260000-0x0000000000261000-memory.dmp
\Windows\SysWOW64\HelpMe.exe
| MD5 | 5db8318f4243e393c6766c868f25099a |
| SHA1 | 857fe7a985036964f7ec0a2eff98b214c0c8195e |
| SHA256 | 2f0f1efbfb69aa0da870c175aa7ca1aface944a7f02f8cd613b1256305dbaf18 |
| SHA512 | 2b0b55b88b5a591289fac86135ecc83fa3cdb48169d107316e4a3af51e8dc2177d1917704737b1411d5ca83e7ef304cbc52d16b66b8bb1b3d62143d7bde91e3a |
memory/2448-10-0x0000000000230000-0x0000000000231000-memory.dmp
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe
| MD5 | b2fb07b9b3534172487ed8786eb36c83 |
| SHA1 | b0a67976d70ed81b05732c4300b525dd32293589 |
| SHA256 | 69f237d60f0be8e5e3cd20b8a19beee79e34c48b39e4e10311f2d720d6885609 |
| SHA512 | 999dc99e4d204d5a1f8e060259efe8db00e0b26109b915ba17ed45fa9dfed2c1c4ba0fe9cf50f5e791720df5d40ba60fee79bd86126da545079351793cc4f2c0 |
F:\AutoRun.exe
| MD5 | 28c423a0fa0a5094ff5f7054ef3b0ed2 |
| SHA1 | a9ad4e7f3da9004b98dcd264d444c07eb58a3067 |
| SHA256 | 7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124 |
| SHA512 | bacebef1231ffd1db387995935c9ef86894c61cea37e87743bcbab2553edb4f0b578941e2cc0a32bbfd9ff391212720b370b59e1438bfa04dd26c096c161af10 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | bcd2938f4928ab325ddbbe0f060c6f51 |
| SHA1 | 5e0b0442ef8566ea592707d61a9e14a658d6ccda |
| SHA256 | ca6b6419a4c431dee09377ad928bba069b76638b18857dc089d921f076b3f0c0 |
| SHA512 | 2541df4f89a1bafacff2f4a5699741c7d6c6bbd10e4a6cf2cbde8521851cb143a590df67b9decc57733e7b5587298e02380ee57572a7b5cdc929debbfa7cc278 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 0b22d652bcc2f65181c902dba814a98b |
| SHA1 | 0550413a7855f6232b1a7524964b220af660d8fd |
| SHA256 | 046a07c24e5605e63d1f67049962fe5f41b43180e523228b9e93d87bbec6a74c |
| SHA512 | 9b22861155e379429b0ad57c0b244b4e737a3924dc1ed2aebc39e22292a9d09c34596f543c656cf4298c52437a6cd81a11c47ebd91185ef6807b722e0deee5cc |
memory/1740-228-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-229-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-238-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-239-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-248-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-249-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-260-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-261-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-270-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-271-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-280-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-281-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-290-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-291-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-300-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-301-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-310-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-311-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-320-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-321-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-326-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-327-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-340-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-341-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-350-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-351-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1740-360-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2448-361-0x0000000000400000-0x0000000000478000-memory.dmp
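Added example (not part of the sandbox report): a Python triage pass over the SHA256 values in the Files section above. It separates self-copies (F:\AutoRun.exe carries exactly the submitted sample's hash), snapshots of a file captured while still empty (the first Soft.lnk entry is the digest of zero bytes, computed here rather than hard-coded), paths written more than once with different content (Soft.lnk appears three times), and genuinely new artifacts such as the dropped HelpMe.exe, whose hash differs from the sample and so is not a byte-identical copy. The hashes are copied from the report; the record list is a constructed input.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# SHA256 values copied from the report's Files section; the list is a constructed input.
SUBMITTED_SHA256 = "7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124"
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk"
FILE_RECORDS = [
    (r"\Windows\SysWOW64\HelpMe.exe",
     "2f0f1efbfb69aa0da870c175aa7ca1aface944a7f02f8cd613b1256305dbaf18"),
    (r"F:\AUTORUN.INF",
     "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"),
    (r"C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe",
     "69f237d60f0be8e5e3cd20b8a19beee79e34c48b39e4e10311f2d720d6885609"),
    (r"F:\AutoRun.exe",
     "7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124"),
    (STARTUP_LNK, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (STARTUP_LNK, "ca6b6419a4c431dee09377ad928bba069b76638b18857dc089d921f076b3f0c0"),
    (STARTUP_LNK, "046a07c24e5605e63d1f67049962fe5f41b43180e523228b9e93d87bbec6a74c"),
]

# Digest of zero bytes: a listing carrying it records a file that was created
# (or truncated) and captured before any content was written to it.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def triage_file_records(records: list[tuple[str, str]], submitted_sha256: str) -> dict[str, object]:
    """Sort dropped-file records into self-copies, empty snapshots, rewrites and new artifacts.

    new_artifacts maps each distinct unknown hash to the first path it was seen at,
    which is the set worth submitting for further analysis.
    """
    self_copies: list[str] = []
    empty_snapshots: list[str] = []
    new_artifacts: dict[str, str] = {}
    by_path: dict[str, list[str]] = defaultdict(list)
    for path, sha in records:
        sha = sha.lower()
        by_path[path].append(sha)
        if sha == submitted_sha256.lower():
            self_copies.append(path)
        elif sha == EMPTY_SHA256:
            empty_snapshots.append(path)
        else:
            new_artifacts.setdefault(sha, path)
    rewritten = {p: s for p, s in by_path.items() if len(set(s)) > 1}
    return {
        "self_copies": self_copies,
        "empty_snapshots": empty_snapshots,
        "rewritten": rewritten,
        "new_artifacts": new_artifacts,
    }


if __name__ == "__main__":
    result = triage_file_records(FILE_RECORDS, SUBMITTED_SHA256)
    for category, value in result.items():
        print(f"{category}: {value}")
```

Feeding the same function a second detonation's file list (behavioral2 in this report) and diffing the new_artifacts keys is a quick way to see whether the dropped HelpMe.exe is stable across runs or is regenerated per host.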