Overview

overview

10

Static

static

7

369cf1eef9...18.exe

windows7-x64

10

369cf1eef9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/05/2024, 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    369cf1eef95bfc2c400be90a1288b2f4_JaffaCakes118.exe

  • Size

    878KB

  • MD5

    369cf1eef95bfc2c400be90a1288b2f4

  • SHA1

    c51c5cf9205c7a0203dd212d8fe409d3cc622c64

  • SHA256

    04457ffd43e4c864a0320e24b216d5ac2c1d6d854af4ef86f5094437b09a084b

  • SHA512

    ed994a202d3b0c2765b9c4c7744949e4ad3d890c875baed019a4e71f2aaa89d59b51e7e405c30feaf0a337c790f8978ab3196f6edfdc06064afdc8b98dd53808

  • SSDEEP

    24576:ZMMpXS0hN0V0HoSMMMpXS0hN0V0H0SGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHD9:Kwi0L0qlFwi0L0qp8

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\369cf1eef95bfc2c400be90a1288b2f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\369cf1eef95bfc2c400be90a1288b2f4_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe
    Filesize

    879KB

    MD5

    3b06426dd5400d070391aa2bf56eca20

    SHA1

    c2520551bb2e32b86a2cbd03dcf41b626c294312

    SHA256

    a102d3a6926d8e42802f31f7b459cbe0602ece38d5c92a622e69081b60d2a756

    SHA512

    ea51332339982978aaa798df4200ee8e087545409442351ed3abf4d5b0570803b7ddfc75f285752dfb7ceddfa4bc4f32baca0906493e73cacf48a55a46855222

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    0eea33d0646f310b4ae0314b5aaf86fc

    SHA1

    68acd368d4206768e3169b976a2feddf44221e85

    SHA256

    9f44889d3239472254374fbfb644f70912f9dcc2dfd16c1d190e57892674f9a4

    SHA512

    da957381ab97295844b8de90c9a903ffb44b9de859a1c6fd61ad4cb783085e317addf823fcdca396be4837eed6bc2a23beaa6e5f524cb9a87e9e69d91171c705

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    5f857da621fd62c43340f7ca9eaa88f9

    SHA1

    d4ea40d8c0479130986b8a42287a39b2b44946f4

    SHA256

    aaa9e719b8b5e7bff132667092ca8b4fec19aa2d832dc1891f8033cb3e2dc1ba

    SHA512

    6dae78b25eb2377430c3bf942b2981b3746febbe4dda1bfc5b2a698cf020aff4e89dab04ce6d79245d83536bbcf8befece61774252084efdc8222ef2c7922779

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    878KB

    MD5

    369cf1eef95bfc2c400be90a1288b2f4

    SHA1

    c51c5cf9205c7a0203dd212d8fe409d3cc622c64

    SHA256

    04457ffd43e4c864a0320e24b216d5ac2c1d6d854af4ef86f5094437b09a084b

    SHA512

    ed994a202d3b0c2765b9c4c7744949e4ad3d890c875baed019a4e71f2aaa89d59b51e7e405c30feaf0a337c790f8978ab3196f6edfdc06064afdc8b98dd53808

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    705KB

    MD5

    bcffb43a6afc5a21f7997705e8f450bb

    SHA1

    59fc4bfb0abfbdaa62e7469f1350e53ec0a03a32

    SHA256

    310eeeb1ecf6c8834da10049b5b48a887960f29345c5dfb37dd72234196a840f

    SHA512

    a892bb10f7b81f671dffa27c1de18be7ddcb7c29ece2b212b375c1639b6674a87e4dbfcbcd6f82d4238e4c51ad7183b47c73cff9951d9be385952d7da4399d20

    Download Submit

  • memory/2136-263-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-323-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-229-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-363-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-239-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-353-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-241-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2136-9-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2136-343-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-251-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-331-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-313-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-303-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-273-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-293-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2136-283-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-330-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-258-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-302-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-272-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-312-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-282-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-228-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-292-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-322-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-342-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-250-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-352-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-238-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-362-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2188-240-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download