Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-mfq67sce93
Target 2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118
SHA256 b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2
Tags aspackv2 persistence ransomware
Score 10/10


Analysis Overview

Score 10/10
SHA256 b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2

Threat Level: Known bad

The file 2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-05-10 10:24

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-10 10:24
Reported 2024-05-10 10:27
Platform win10v2004-20240426-en
Max time kernel 145s
Max time network 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 23.62.61.106:443 | www.bing.com | tcp
NL | 23.62.61.106:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp

Files

memory/3948-0-0x00000000020E0000-0x00000000020E1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 6627dea74583c30016d687d35f9af46f
SHA1 c3b9fd9bf76b0ca875e7b9efe21fb68d9ced550d
SHA256 3f9f2a871895900e0b517584885ec518107fd3ec4a00269b706cb2041e2cd9e3
SHA512 d654985720840fe6abb56b23c2fc687ffe2a0cee768413b87bbf2618d979cdec581f0c93abd54198fefffa759f206d71d913e70ed110ccbf7c9a8364bdaeab72

memory/1096-5-0x0000000000730000-0x0000000000731000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe

MD5 c644c521a96b9320dc52eb935f92f62b
SHA1 a5c2a443c1ef55f228ffc24e0338a147f90e1570
SHA256 a2cd828666d040ff725234303b33fd88990cd419cac7c6c35fd399874e4652b7
SHA512 1602f63c4e55bd7b930c23ba0b4c08c97a1f0d91e75e92e1179b27940fdc48de5832e40ab99ebc85bd08da2794af6df4d8b336aad21281123441bfbb56649344

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe

MD5 856effeb006c4145f9dbe83917bec97f
SHA1 b0df43728d42627d5eefb97a8a2c011f905bea96
SHA256 d1073e854577da9f7e2cfda8ff8753bd588d2037ae171abf2efcbf1d7c1a1893
SHA512 005cb1c3ce6554cd12d851db71faa0d4824cf335f9cf1cd66aa7bb03538c8abb1d549a511744c5d6cfcc28ab36097d90bf9994bdb6e8fa60f06731c9fa89e5ca

F:\AutoRun.exe

MD5 2ea947ef32c34098f5db9a0fb419fde7
SHA1 7b31dfff7e9f932fa3e4d47128b0603f94096ebd
SHA256 b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2
SHA512 9a58e7ba65eb4b3f2c15b96cf7a1bfe56d0645661d8f21c6f3b1bceedd617f4b333b65e6545e986ae4c171e84a1948ac6e92d8d11ad06496cb9b441dd44fe9d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1726700623033cb3d6be178e7db6a7be
SHA1 c795a5d55e73ab4571e191748f73140d7ab81b17
SHA256 908960bd95a407e53575e077dddf13eb8e24b46d0038a9548affecfa0a573b2a
SHA512 b04b19491d7106bfb6e88af4317dd02ca9d5b6691c48895c5ed96f78af97d97bb8b9bfccc1e7f4d5490cf535792c08bc92aeb1e3ae6aff4625f187cf4e760b8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 676f3e9c59cbf3667223fecd9a245f17
SHA1 082e83afcb6573dbbf2f51720f7885e5bfd4aed8
SHA256 53a8e34a32cce7563f3f6f90ea875d4cb5739542395e7bf9ae2ffe0ff5b8517d
SHA512 2d43259e77cb221ced31087b28c6085b09837c2ff5e7860adad7c02b2bf70af5f5077d4cd26b776e696232edbf4be59624425162db867cd7b6d7fb6479435211

memory/3948-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-49-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 90cd24667441b7d99adb6fcb2db2583a
SHA1 05190fd80879037282b4ad74d335597d04ef6d18
SHA256 7d22c28cce46c932fef7b588df923d30bb8a2bf143d9578d7d464841cb832396
SHA512 9cfb5cc58ed19916ba4dc9739772e136dc04ecb529b7d03c59cd6d437d38a51abd612f7a81293925795caa2e8d318312046c2cf0b155dd1e90dbfd3a34d81968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 96f786f245bd9ce626248461b544b722
SHA1 2b6044d36f1d86ab6911e77864b8fa2be400970a
SHA256 470e7a68d9f28f067bb8c660997c83a02f8e335b43ae0c0661c8a4bfbe31bed3
SHA512 7c29223c728164c77131bfcb44583929eb465d66991ffb5f223453fd88ad02a6747e73a8e1016f5e1e898a95edab487b5834d7291fb7bf770d808834c3f200f5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dab2d116961b4253c06982790a402460
SHA1 795bfeb752f025cfa94742cda200846be870ae3d
SHA256 52ae9fec4376e626f236cf1a2d805e9b84a694f9976645ae873245bfd60234be
SHA512 21ae9728a1d5b3e939105e3cf8a55f6ad6db779b0f9f3a9545dac5796bcf71879ec907a66211702ee209a7bd844887af6c73c4e1c605af76f6ed6a5efec4cf02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 05b1e98f6d9bb67501f27a3de4d91504
SHA1 9e5fdc232e5268bf8cd34cade91766f17f9cfc36
SHA256 8210624e5df94126ebd9c58dfacbc55977521110c0e5ee5566ae96b512eb61ed
SHA512 64c3c2cf91c8badb430e839ddbc721c364dfc809f25e88529fdf8f97cef314307e3aeb533c3f9ab6f5d1b365c8f50361b55e4be0a955b3e9ef9ad859502a6012

memory/3948-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-60-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f99e7de3d183c2178ad69b84fae88452
SHA1 8fee6973b579274b383fc45f70d78005065b823a
SHA256 22877c61d3515724ad0a6de3cf4b01d3653b0d2ff2a76d3aa5fd59bcb8683fb2
SHA512 2d8e1016748deb4edd2dd3afcbeaea391156383c73827a7380ecd96ec8b32fdaddab28e2b124607b43bee0f2712659e54973ab53c5c5586694f549f719e052ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 23220112b43f866506e071a0882277b1
SHA1 1a279a9f73811372e0be3781470a89d5c38b7680
SHA256 ce5b71226e6d25361828a6b30f388e49f327da38d7c770e6eae752d0ced9cb4d
SHA512 6d15b9e2f4ef9183bc4afda30e02eae0ccf797b6306ad8affdf3f57875a7d77a7448650b43808645fe353853f6eb85a91446bf1666153de15aa5483e9af424bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 412708dc92ad8bf18dbefff41a4db980
SHA1 0cd20a668c0aca85b67a19d4553305cd072107ce
SHA256 e5a6adf5f16b3b2454f8d95ac2c16a4139cbdfe5fca8ff7cd8588c0741682886
SHA512 6475548e1910de4243db39261a45477bf677b601de6c1fc629d42bd561f4f977db52079fefaf04903e1ec21c17c0cbda9f9005b891b471ef3c4957add2fcd612

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9ae35dc6b01d10ea6e75d878c264f6bf
SHA1 5db4522d718a0c107b0f993baf7724baeee197ad
SHA256 9fff7c87f0d329935fadd4f0e7dd2f50962b22e971ed5e694d9d5722f9ab30cb
SHA512 d4c8e13952120f949216e386f18ac7953fd9c9e9c00d5793c0ac3c1ee487c138f36474147e4a64158e13abc670945358a6bd65a18295057f2fbf12d61abfffb3

memory/3948-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-70-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b3cca72ac1687a8795f5d42e605a28ba
SHA1 28ed1505aeba34daaf104344189027400772700e
SHA256 5319d239dba1f861679b64c5406377bce901fe6722138f130fed4e569e40d8be
SHA512 c82f31ffee5f9947358cf6072bbabf9e0afdb63a581255e38ef6624794fa8df8546355d06d4b5a89373b63881d7b6e3702808ad2be4f1eaec2fff125f478258c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f5ae3cd701440f8f7e73637345f7e57
SHA1 8d693666d896bdc0e0d53e36169046dbc6e64377
SHA256 c517ac1c14e8d4889f4bd9eaf6a110c43950cf421f0f003a064e15a998628eaf
SHA512 a61e22500ce5fff2663b88a4a182ac9f7a5cfdda5a31d7d4331e4c1a338100c3fba9df96a57552e988e77f1b9d5fd32c2e9a7a5606d75c7b287cba8042561b84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 599ca79ea389006a9e77d43c6e0beea7
SHA1 6964b529e6c2610035b502ca7053808eb97f93fe
SHA256 63449c3ceeed1fea5157d41d948ba5099b61459edae932cd618c97ae24e29348
SHA512 6aeee1babdbc8a87ac84cac65a97cd6322ec3fa7fda75afab547634110ed55859a5e16aa836e33eb5b915f888bc92a72c16f1ad2b7d5638393eaaf73858800ce

memory/3948-77-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd4106ced93e9483bc029cdf329bc80e
SHA1 9aa6f415a675d734bae8a9b3012cce804c21f1ea
SHA256 6702c9ec1a7d5a8411a7bf816946fa301b86ee5bb0cc014aa7e4cc3959a8b9ea
SHA512 69b69c62652f3157aa35cfc2d52d373da0d347ff52644c23d51cf41cd39a4e973347fcd13b613ce862bae72005d108e8f32d0dfeda39a29827329588614fb366

memory/1096-78-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c1012682ba1fff82b70cc36cf7b23d1
SHA1 e2dbd75903b7bd4acab415bad2d2e0565bd46290
SHA256 c518dd1444334492e5f39be249f256325d3e3b8745acf3140a009f90e13042a1
SHA512 ffa69cc17c0976cba4cbcd11c9ef6d5718045a6f50a36153342129bf73ef4b4627c1aa64ba3176feba35e511651b7a4274df0204eed13a3e7d9b6294d30da696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 de4c3740241e257e4535b42b1979543c
SHA1 e5f9a967fdb593036d6864c9fe9fa55a6a898a97
SHA256 21650bde9e648a157889ad0105c285a5274663d42584a3f039b134c6905a15da
SHA512 37bdda25d88ffa7dfd5bd3b16551accaf6ede29aaa7b7267ab368987049fb2c172e3f48d28a2fe6ebd92c99c6e358f166ef8a0922c7e86fefe0b039fb6c42bb4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 42fd3a839a1e3ababc124eb85b98b055
SHA1 c5adc72960bff4eb3576e911671463ccf9b9fd8b
SHA256 644a6bb24c32ea8807f0095e5a8ceafe831e586d84f016b85ba47c6ad1cf32ab
SHA512 794a59091c2350ca38602613442055e1c4d4224df4f761f93a9efabaab838e80c4e278565724bc7acacd2141a7050493e5dd61ee0eee3538d90dd04c001b7c97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4d40b9e625f946ae5f8e94bae25ea7c9
SHA1 8269588565022d33e187f87cef2eed45a47e1025
SHA256 854c0bd4a9cf328ba24ccdf9a614b10095376f9be5409f2e117d60798509fb7c
SHA512 3e236540af3e2880e9f3ce4348a7587452f359452af48f4488840d37f3dfd41622357a1a59c7948f2e284a554275267719a5415702ac0a0b9385ddb7b4786139

memory/3948-89-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-90-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 92b443a10bc5664325274fbceec4495e
SHA1 360e82e587e5c1b2569e359879f52e4220626468
SHA256 983a2e9139026258dc48b85a38e6af782316f86cf253472801c4f357095c477d
SHA512 97c76427fe36f33fac194598bee3a165945b412c0cbf314ff1165ad5eb97aeb3ed100ea88b4dff4947a66575833a2d8c5549e981b0cef70e249b3e09eaad0d44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 74876dd3e555b1860c71bf2d370893a7
SHA1 37413029e650f4d69ed29f39a9f28570ea550baa
SHA256 3e93a03a435e0136c0f6dc578e03e512a135c40c33a0762b6f9d44daf8106dc0
SHA512 41c6d38fa837c519cbd5310cb250959563842b004090c4bacd6488584de9bc9e263c9bb5c3b089d0473d1729d23f3beb2fc72d866b4db35d7617798e67ed76f4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7563604b911d0e1c78243f8ce77d58cd
SHA1 09c9a38b3780c68e9067faf3d2c50f241099fa68
SHA256 52f86e752a401b18cbf48d452e3c77ceae029e8c01553835089694a0ca7e6fd4
SHA512 2b40c19b193b8d19d51e7ee22f86999cbeab9026a414d5ef6bfc5f556828efb132efb6e29e129a67e4535feaa61f821c1ee18f1292eb3253d3d06263158948fc

memory/3948-101-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-102-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 223ef3f79add68cee5193168dbdbbb6d
SHA1 c95ab0da1f14b67d38463c13cd0b76ef7dd11496
SHA256 7b8cbe1525faef6c3d057329b9d23c3b3132fbbdc6ef800f022219cedf3331a5
SHA512 60df0bf86d390737796f7ede4d454c0ed89eabc6947d28f6526c8aaabeae84c701681fb77e019b1a262277538179b3acec09188e051332de5b7f6633eb32e83e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a4e428d42d45b8efde74dd90c26c3c5c
SHA1 c78f39ff34f1a57634a525eab172a29049281e8e
SHA256 8f3e688285ca7230ae5743d090741978c5ef360d614206d67a7cdfda13e8fb1a
SHA512 a43cec853dd59e30b51d293e793b56c5ada969b4bc098694cf3eda7b0b838cff4a6457808512b1685b44f4872a95e8b8882b2091e0831257b230fcf8a5478f74

memory/3948-109-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-110-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b3de5d468f96f901c754bdee82ecb92b
SHA1 8a454a810a367bd2a4b286deb0a77726c36ea442
SHA256 53e8774d5df19be2dde6a072de6d0f1c77a4d1ea11f8127358fe6adc8dba345d
SHA512 b7e679966a8edd7c1d1b50c1e27105790d249c7c2cde9d08d6f33c6857df5807b250ae924854b0133ef9bd55c61857ff1cfe17043a38f052d068cff08a86199c

memory/3948-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-116-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cf0e4f6c3b4307964941e34dd1c62038
SHA1 03534e174b7e97a192da35f7fb94ce107eaa8eaa
SHA256 9ba34cc863a5b05c57dfb072a92efb20c4aa565054aec0e178b68cc53282c489
SHA512 0649f37a0b06a9fd15c66ca14e24a146761e2a7c218836d84de7efb55273c28c52e2b5f94e8e2ef14855a47c0a6c97d2e75255f780b0c486d03b7980ed4b1441

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ec2d28eb6b476f613e88c8e347bc9490
SHA1 bb7a9c33cb4b4db233c53082cf12b31eaccbd564
SHA256 05ac73c80fc0da1d51bb2c06f453640c7bfcfa1913dec105d6a968d5920e3ab1
SHA512 214b99e81b176389a3b173c49673d8aeefb2c65086cf8148b297dd32bc26cb8bae21c27af9f16f9a9f1ba0afae96b4f66fc8333d2da2fa1b5f6d38d1a0df5438

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3fd7e6206924197a256a10c8859c3865
SHA1 9a10e359661be20c63d8beec5d07c925e1c99739
SHA256 99398174a02774bd60b5c0770ada39339e887cd03894c40c36c2ffb0b1994df9
SHA512 2ed880bb58e35ff6507cacfa7c4889aabf7436b171cec930e4b9fd2f90b4121ac98afb4c3ffef598254a9b61b10bf9f817a29de9916af617fee55636144960c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f607826773ceb14e45e5aee31f352a10
SHA1 df77095c1521819a2b8b4251dd3dbcfed36886f8
SHA256 1ba69f936e3d982525312d00603beca7154069f664d1ff01b41a0dc0735a3dbc
SHA512 64b1a9aa5398a0c9104b6fab1e180b596c31c3e697f0f6adaa020736c36250efcff03e7029ac1537f5be6657664ea8b207f36392c084f1bea3fd9959918373e7

memory/3948-128-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-129-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 26f01584a1c4a9576aa931fba93dcb69
SHA1 ea2ce7ab889a56b0e3f86efa2a248ded0797db9f
SHA256 5ca8f352bbc99d405e71ddaf991b9c0ee30045feb93a0671f282787ff35b1a91
SHA512 1cb3a633bf649557dd0ea883bee682fbb9f22b0fa999fa14ac19307f77b56b0621c93c8c53953e14018cdd10f3a793af827e5f093ea61a3b5246947ba4eef88f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f725029f462ffe6190d8f434d08b0ca
SHA1 6528527331e27a0827975356360560a7faac3fe4
SHA256 2fa0094a194240c7baf7d894947634cad4ae7cb1384fbfe9d9827d3f938d8cec
SHA512 0ca09eac28392b62990f2cef5d3979d39bc0eb3ed460f42b2e562281b8dca7b53af12b1300a88adbf40ea9acd1fa53340dc4467ae200c697a9aaa632e568f060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 40a4ed39143a088595b9089c8f24a898
SHA1 a425bc89fabc21db9ed87776575c42acafccf606
SHA256 0f2b3eb2e01ed22fc65492b155a0e9110045fe730b6bf417d2dbc87b9a01bdb7
SHA512 e722de191896c0f6a197157fea42fdfebd626463387f37563da354928257ff808459ac9b30706db562fbc5e7dad5578f7023a5ca91809f8714a9de17f0c5086e

memory/3948-137-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-138-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 54b1117ef8fbb9be32798922c646f989
SHA1 d6cf7bbdd53925a599037143f5b01c1f18d5dd54
SHA256 a2ca502099a8d4e6c3874f31e87c61f4de080f1a24391ba0846a2eff84d6b353
SHA512 a808e34f49cc7e4abde15ef51b72b82cc8fb09fe69f803fafeaf7892dee6baf89821f752a29b5e470543b384bfd0640b2fcaedd3cde40e439cfdd8533ffba617

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bd36f3994a23bcfb2b5afaab47dbf3e8
SHA1 362d69b9dd10a5a898ace7b4e6ce2a439bcaac28
SHA256 299d4a5ad49f6e5bf1b0c3d97fc7d4cc7363baa0edb8e7a441e4687d47ac9dc1
SHA512 e34a0ddbf288eb32821a216f9d89524971059fe8d91e33a556ed3e2a2cf21c88ef4e1498285c27c42daa09293ef0cc072ab616766c1d2a3298296db2d3cdba96

memory/3948-147-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-148-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f3ae4aaaa3cb476ad69a9175be12e308
SHA1 275d60a3825a4a842fed9d2940038655f00da74a
SHA256 d98cc1ba1923d4b02a087b03e3bfeb704921ae6643a38fdffb675486c975d1c4
SHA512 5f911079e08a402cbda553cd513edb33b72b9b22dbdbfd20d5bd3080d0d7fa5bb8e5bb1704eefec4bcae979ba0074abb15662727748e4ceb857cd8c319a3020b

memory/3948-153-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7bf045907ca44c51ef72c1231157bf03
SHA1 e966cc4617c2139f25919e19bf7c94c9bca4e97f
SHA256 f38ab2404efc1bae4563a33685ea30c6195c1eb846dbd63d6744df6046f31109
SHA512 1a5234492673ee68a7f0f5da2c777125c6609b5ba5ffdb69c47aba257d1958e736515d3dfa98318b2d64dec7f2e3fb41fdaa86eb33bee4751cc2fce4d9566a0f

memory/1096-158-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 259d582df5b0e086163b0a12c4cc255c
SHA1 89fa4f0f7a71397fd44a26f2a9152460ac9f36fe
SHA256 015e1cfecf60cff7aba5cd8a99f8256b4d3daa5ed5145e6f9d4d410d3a386fe0
SHA512 4ce55c18048023247317614c287f17d7cd27891eadf152cb20c0020d125629df2e086bd7667744f27f4dfab7222d2152e320575badae6960587a2d2c5d1fbcbc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f6032e1a0b70a7710622a2e3fdef964
SHA1 b8e1668bd5a5e61457bc49a8cced790b5a4871e7
SHA256 245ee570f83eaa589c267f91a51672dd6a17fab7230ea1076d318712a658590a
SHA512 b0e66a2ea43d2e50c2ebe1ab61632fd8bf2b1f51546061609a3eaf55130338ecc7360fadefd4bd1b2478401bbe6e9e64739729c4f2867946b0aee76bc325560d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c07f2fe86d1571efa139ff86fc9f17d
SHA1 0f13844977e8c5d2dfd700407bc1f28cb9998158
SHA256 db36be331f98efa6bb992c1f26af2d369d085e4d17243554de78c96f2ea308d9
SHA512 73bde55ed13ba395a6ba363f0d745f6cb092d9f59df5aab52d9669a1a5f80ae0a21740fc2750097ee89f32e7362e6777861fc61a4d0f2a4e12064411caa83c61

memory/1096-168-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3948-167-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6d4ec725e6aaef76885c19c2a35b9491
SHA1 946ba0c6b601768da0390463669aa91582469a8f
SHA256 17317fcb72ac8e766e9e7c95f265c8c8ba6afd71335c911155435954a5bdd5ab
SHA512 ae540466db45bffcaa834c7ac3900ad162085a7a59b9bcf7be3fd2a303ed52eb008783af04b0893eb898de861591e4412417655a51204dd9bb10b2a31035d799

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c4411dab45a95bb8e331f95b0d740216
SHA1 a07ac50f3a1c00f7c4424706a6db8338302df4f0
SHA256 21e163bdcdeb892144feba58d8321af45e9d95646d04843ec68c8110cba55f3c
SHA512 efe327c43417ab951551d58c2f5169583dd97ca51b9b9080f1831af894f9839faf54ef1ca28529b6ef74a1ae9df66838c720dddb03c675467f97c4b7ba868d0f

memory/3948-177-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1096-178-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e2aeab42e1f6df1c7c4902060867f8a
SHA1 af0157ddf3366d2732bc97468f58382d33b845f0
SHA256 05f5de760d653a83ac4d7fed47a1ae44ca9ac7121c8992937fba4d1e0cd0a69d
SHA512 75d844b9ad7936470087f22510d78e95ab0249945dd1003a995a9fd6c617f29b0b84b030d7c14a9f8b03ffb25d48e4ad872635fd487218023be2fb80ac4ba66b

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-10 10:24
Reported 2024-05-10 10:27
Platform win7-20240221-en
Max time kernel 150s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
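
The drive-letter enumeration above (A: through Z:), the AUTORUN.INF written to C:\ and F:\, and the copy of the sample stored as F:\AutoRun.exe (same MD5/SHA256 as the submitted file, see the Files section) are the classic removable-drive spreading pattern: the INF tells Explorer to run an executable from the drive root. The following parser and drive-root check is example code added to this report, not sandbox output or part of the sample. The report records F:\AUTORUN.INF only by hash, so the INF text embedded below is constructed to illustrate the shape such a file takes, and the temp directories it scans are stand-ins for drive roots; an analyst would pass real roots such as Path("F:/").

```python
"""Parse an AUTORUN.INF and flag directives that launch a program from the drive
root. Added example, not the report's own tooling. The INF content is constructed."""
import configparser
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample (assumption): the report only gives the hash of the real
# F:\AUTORUN.INF, so this is what a worm-style autorun file typically contains.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\\open\\command=AutoRun.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""

# Directives that cause Explorer/AutoPlay to run something when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as {key: value}; {} if absent or unparseable.

    Section and key names are case-insensitive on Windows, so both are matched
    lower-cased. allow_no_value keeps bare lines from aborting the parse.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "") for k, v in cp.items(section)}
    return {}


def launch_target(value: str) -> str:
    """First token of a command line, honouring a leading quoted path."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return (v[1:end] if end > 0 else v[1:]).lower()
    return v.split()[0].lower() if v else ""


def suspicious_entries(autorun: Dict[str, str]) -> List[str]:
    """Directives (open=, shellexecute=, shell\\<verb>\\command=) whose target is a
    script or executable. A relative target like AutoRun.exe resolves to the
    drive root, which is where this sample drops its copy."""
    hits = []
    for key, value in autorun.items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and launch_target(value).endswith(EXE_SUFFIXES):
            hits.append(f"{key}={value}")
    return hits


def find_autorun(root: Path) -> Optional[Path]:
    """Case-insensitive lookup so the check also works on non-Windows mounts."""
    for child in root.iterdir():
        if child.is_file() and child.name.lower() == "autorun.inf":
            return child
    return None


def check_drive_roots(roots: Iterable) -> Dict[str, List[str]]:
    """Map each root that carries a launching AUTORUN.INF to its suspicious directives."""
    findings: Dict[str, List[str]] = {}
    for root in roots:
        inf = find_autorun(Path(root))
        if inf is None:
            continue
        hits = suspicious_entries(parse_autorun(inf.read_text(errors="replace")))
        if hits:
            findings[str(root)] = hits
    return findings


def demo_constructed_drive() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Two constructed 'drive roots' in temp dirs: one carrying the sample INF plus a
    stand-in AutoRun.exe, one clean. Returns (infected findings, clean findings)."""
    infected, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    (Path(infected) / "AUTORUN.INF").write_text(SAMPLE_AUTORUN_INF)
    (Path(infected) / "AutoRun.exe").write_bytes(b"MZ constructed stand-in, not the sample\n")
    return check_drive_roots([infected]), check_drive_roots([clean])


if __name__ == "__main__":
    hits, _ = demo_constructed_drive()
    for root, directives in hits.items():
        print(root, directives)
```

Since Windows Vista, AutoPlay no longer honours these directives for USB mass-storage devices, so the INF alone is mostly a spreading artifact on older hosts and on optical media; the reliable indicator here is the pairing of the INF with an executable of the sample's hash at the same drive root.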

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2000-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 6627dea74583c30016d687d35f9af46f
SHA1 c3b9fd9bf76b0ca875e7b9efe21fb68d9ced550d
SHA256 3f9f2a871895900e0b517584885ec518107fd3ec4a00269b706cb2041e2cd9e3
SHA512 d654985720840fe6abb56b23c2fc687ffe2a0cee768413b87bbf2618d979cdec581f0c93abd54198fefffa759f206d71d913e70ed110ccbf7c9a8364bdaeab72

memory/1856-10-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

MD5 8edab9832e7b118921ca1828ce2dae70
SHA1 174f0f8be30da4691710dfce267ee7aa444a0688
SHA256 80214af59cdea6f7a8d961a0e97ce7765239bb8c87f43b2dd7a981ad0242b89b
SHA512 5ab0f0a31e3fd5f88dec23348e3a96f2853804e32ee048992744ac7c6e2623a4379fe0abc46ee1e9bab9d0bed57fffc2c83e8d118d7ffe56704fc72c513eeab1

F:\AutoRun.exe

MD5 2ea947ef32c34098f5db9a0fb419fde7
SHA1 7b31dfff7e9f932fa3e4d47128b0603f94096ebd
SHA256 b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2
SHA512 9a58e7ba65eb4b3f2c15b96cf7a1bfe56d0645661d8f21c6f3b1bceedd617f4b333b65e6545e986ae4c171e84a1948ac6e92d8d11ad06496cb9b441dd44fe9d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9aeeb1aa04e77ef5f8b6f6361505ef88
SHA1 bd577c02912f63aaf38e5777d6e53a5109030312
SHA256 4c4cb12a831b7bd8c1ee5b96d682e3d43743fe0197f2dff4c417d49e4253ec6c
SHA512 4c820750c89d6f0d5bee8fb233b5a2c171d3ce74d226982a2c57cb8dfdcbd4f03962c125dcc09146f3b8b7bcdb7fd0c3ca3de87637c0c25cd46924e66ad1bd82

memory/2000-226-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-227-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b955921fef041dc75d10383750f6f0d2
SHA1 d7869f09444f69bfa8ed7fecd234c400472a22ea
SHA256 5af77c6c6bc99d224c2971fd5b8cbb641c8f902ceb8eb86213ccbf3e4ba0ee39
SHA512 78bb107863a915734b5eb2f9b6b248fd319524e9e434e1ddfa8ad4018d9eddcec92713d96260ae64962943c9a6f5643ede9ec5719f13e0fe50c550aa59a99c68

memory/2000-236-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-237-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-246-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-247-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-259-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-258-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-268-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-269-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-279-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-278-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-288-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-289-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-298-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-299-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-308-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-309-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-318-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-319-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-326-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-327-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-338-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-339-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-348-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-349-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-358-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1856-359-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2000-364-0x0000000000400000-0x0000000000478000-memory.dmp
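
The Files section gives three things an analyst can sweep a host for: the SHA-256 values of the dropped files, the appended-".exe" rename seen on C:\$Recycle.Bin\...\desktop.ini.exe (the "Renames multiple (91) files with added filename extension" behaviour), and the Soft.lnk dropped into the Startup folder. One caveat before using the hashes as indicators: the second Soft.lnk entry (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...b855) is the hash of a zero-byte file, a snapshot taken before the link was written, and it would match every empty file on a system. The sweep below is example code added to this report, not sandbox output. It copies the SHA-256 values from the listing above, drops the empty-file hash, and runs over a constructed temp tree; because the real dropped files are not reproduced here, the hash-match path is exercised with a constructed stand-in whose hash is added to the watchlist.

```python
"""Sweep a directory tree for the report's artifacts: hash matches against the
dropped-file SHA-256 list, files that gained an extra .exe, and .lnk files in a
Startup folder. Added example; the tree it scans is constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# SHA-256 values copied from the Files section of this report.
REPORT_SHA256 = {
    "3f9f2a871895900e0b517584885ec518107fd3ec4a00269b706cb2041e2cd9e3",  # \Windows\SysWOW64\HelpMe.exe
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae",  # F:\AUTORUN.INF
    "80214af59cdea6f7a8d961a0e97ce7765239bb8c87f43b2dd7a981ad0242b89b",  # $Recycle.Bin\...\desktop.ini.exe
    "b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2",  # F:\AutoRun.exe (the sample itself)
    "4c4cb12a831b7bd8c1ee5b96d682e3d43743fe0197f2dff4c417d49e4253ec6c",  # Startup\Soft.lnk
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # Startup\Soft.lnk, zero-byte snapshot
    "5af77c6c6bc99d224c2971fd5b8cbb641c8f902ceb8eb86213ccbf3e4ba0ee39",  # Startup\Soft.lnk
}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def build_watchlist(hashes: Iterable[str]) -> Set[str]:
    """Normalise case and drop the zero-byte hash, which would match any empty file."""
    return {h.lower() for h in hashes} - {EMPTY_SHA256}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def appended_exe(path: Path) -> bool:
    """True for names like desktop.ini.exe: a short original extension with .exe appended."""
    s = path.suffixes
    return len(s) >= 2 and s[-1].lower() == ".exe" and 2 <= len(s[-2]) <= 6 and s[-2][1:].isalnum()


def sweep(root: Path, watchlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (relative path, reason) pairs; a file can carry more than one reason."""
    findings: List[Tuple[str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if sha256_file(p) in watchlist:
            findings.append((rel, "hash-match"))
        if appended_exe(p):
            findings.append((rel, "appended-exe"))
        if p.suffix.lower() == ".lnk" and p.parent.name.lower() == "startup":
            findings.append((rel, "startup-lnk"))
    return findings


def demo_sweep() -> List[Tuple[str, str]]:
    """Constructed tree: an empty Startup\\Soft.lnk (must not hash-match), a renamed
    desktop.ini.exe, a benign text file, and a stand-in HelpMe.exe whose hash is
    added to the watchlist because the real dropper is not reproduced here."""
    root = Path(tempfile.mkdtemp())
    (root / "Startup").mkdir()
    (root / "Startup" / "Soft.lnk").write_bytes(b"")
    (root / "desktop.ini.exe").write_bytes(b"[.ShellClassInfo]\r\n")
    (root / "notes.txt").write_bytes(b"benign\n")
    (root / "HelpMe.exe").write_bytes(b"MZ constructed stand-in, not the real dropper\n")
    watch = build_watchlist(REPORT_SHA256) | {sha256_file(root / "HelpMe.exe")}
    return sweep(root, watch)


if __name__ == "__main__":
    for rel, reason in demo_sweep():
        print(f"{reason:13} {rel}")
```

On a real host the same sweep would be pointed at the drive roots from the enumeration signature, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and C:\Windows\SysWOW64; the appended-exe rule is the useful one for scoping the 91 renamed files, since the hashes of renamed user data are unique to each victim.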