8539991f73b64de58635102b1b5fb2c0b740e867d3d9d62ebb711ab610c296fe

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
Size

826KB
MD5

2a033f914ebbb0c8df9bb9effdf72f57
SHA1

2c488218f8cf04b73db42c854bc348c0a994de7a
SHA256

8539991f73b64de58635102b1b5fb2c0b740e867d3d9d62ebb711ab610c296fe
SHA512

9459e42417278f4ec66f18f880e20835d6f58a4655ef1d38c5b63746a3ae2333d14a7ba269f77fa608cfc597a711fb389e22943a2cbe3f92021f79c22e53d4d0
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvX:oEs1h5

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\N:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\Q:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\T:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\U:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\W:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\Y:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\K:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\I:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\J:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\P:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\O:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\R:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\G:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\H:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\M:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\X:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\L:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\A:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\S:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\V:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\Z:	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2000	2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe	28
PID 2044 wrote to memory of 2000	2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe	28
PID 2044 wrote to memory of 2000	2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe	28
PID 2044 wrote to memory of 2000	2044	2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

Filesize
826KB

MD5
0686a2ba10f9cf44b29e297f623de09e

SHA1
044d298c1c967209c13c2bd809afe529048aa3c9

SHA256
d9a2da4ac2d4f657134d98ea9ceb09e036ea35c127a9600bd8e96f196ef49ba6

SHA512
011a0c66a9699da534d4d20a1c2dbda652e56fad74613572a549da4061cdf14c8941c05201ecdbed20b2308c8a00cb12286467f4aa64180e2c31bd2839a3677b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b39b4f0e69c4be7944792e7d91a5c25e

SHA1
f18f7af7e2ca6325e3a71e51ba51d73442d5be95

SHA256
e5e2678f778a4507ab72c15468c24d1e2ffa0560a3736c6cb2bfee4c36d1d93c

SHA512
b75047d66bf6bed8856aaa6763eba3cfb04ed3241f4c3dca92c217ac656aabd4b0a19923f691567c1c65cd8311df813d9ad5e5bfcd09afe8d894a3dd9aef1b51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
3424ee4c72dd0c3ac57cc1e1a137b9e9

SHA1
690747d6d20fdae77720b034ba391c81ea37c798

SHA256
c9734f2b60d9a94294a2c9bcd3b1570e9f4b341ac08178de223646864833cb5b

SHA512
e89133931c85d7ffc1acb26e812867eaf365169663e5d4b7591f23c2bafa2c949abf186eb8db4a46b8b007c35ee999d2123e51e2f07cc83e0a1c446e437b0768

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
826KB

MD5
2a033f914ebbb0c8df9bb9effdf72f57

SHA1
2c488218f8cf04b73db42c854bc348c0a994de7a

SHA256
8539991f73b64de58635102b1b5fb2c0b740e867d3d9d62ebb711ab610c296fe

SHA512
9459e42417278f4ec66f18f880e20835d6f58a4655ef1d38c5b63746a3ae2333d14a7ba269f77fa608cfc597a711fb389e22943a2cbe3f92021f79c22e53d4d0

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
755KB

MD5
5b5f85db4882bc9b3a35fb423ff093b5

SHA1
985373c2fee7ed239ae558bc36a786b0c283a697

SHA256
2a89066f207c0618a441733b70cd6ec7ef572414e968952c17294f3afb15e901

SHA512
47efac657e39801f669c8558b3c89b188d2401de533c0aacac2aa008905c460b59fcbb9efcbbfe303cf5cb267df6510d83bc98db0955c4e2df623691bf7d1c45

Download Submit
memory/2000-318-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-11-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-368-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-232-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-358-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-348-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-336-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-328-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2000-308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2000-268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-243-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2044-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-255-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-245-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download
memory/2044-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-277-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-327-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-238-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2044-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-347-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-233-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-357-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-231-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2044-4-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads