f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
Size

1.1MB
MD5

3c129117296a56976bcd73a8dd0f7674
SHA1

ce14bae42e0063c032e33c4ffd56c8d7b71d23ba
SHA256

f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806
SHA512

07fb0fde8718fc19985a45b0c53e696c0464e2be3a540d55348d864c0db121c1723d6ef6b71b4b7b8e08cfb55ab01a1875f9f21e0f331e47a7fa3e23be7ae364
SSDEEP

24576:KEtl9mRda1lSMMMpXS0hN0V0HoSTSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAj:BEs14Fwi0L0qlGX

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\T:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\L:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\O:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\P:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\V:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\B:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\I:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\U:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\A:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\G:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\K:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\R:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\S:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\N:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\W:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\X:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\J:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\M:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2796	2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2796	2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2796	2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2796	2924	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

Filesize
1.1MB

MD5
ac60925584bdc0c3b7920dfbb554f5dd

SHA1
aa8570ac907b4f3515c4d8b895fcd6b88503ff2e

SHA256
24192a685f940f05d68f96c96f5c3b3900de03e04c24afc24b9c8f88229d6031

SHA512
736eb4bb86ae81c4d5c8361e53622ec71da0e8c3541ae247d84782e529fb65740385a5d7d77316d45f9ffdcfb0532ac7ffef823254e664260268f526e4e4387a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
33408064ba7066b7db6f7424c5b15b0d

SHA1
f87356113209fe1f5e0a97bf4b80bfc1ec98a008

SHA256
928c75baf8d04ba21c2c2e2d8b675f3ddea2e185f9143849d114de8ec830dbfe

SHA512
a45e49c89ef28b17d4029627d3ab57b930f823ce9bbc39bb406ca5215da09d296c18e5563abc1452377732c8a4064b9d3f7282ad311d33eacb82920f9eab9363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
8cede839fd255f0c940ce1a7690c5b22

SHA1
0d38e9ce29e58f1bc8e18186f2f73af1022326d4

SHA256
53f2d1e4f22795829868ee71a44f592210cf51af30722910ad98f24390899156

SHA512
301d1b52d5706f55dd39ea84719e1a2f9d662668ab4255fefe7e3d4ddc046185b6cfdff7969f6b529e5989b0f00524d63c726f9f5ac49a97e55299b350b6f4ad

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
3c129117296a56976bcd73a8dd0f7674

SHA1
ce14bae42e0063c032e33c4ffd56c8d7b71d23ba

SHA256
f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806

SHA512
07fb0fde8718fc19985a45b0c53e696c0464e2be3a540d55348d864c0db121c1723d6ef6b71b4b7b8e08cfb55ab01a1875f9f21e0f331e47a7fa3e23be7ae364

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
1.1MB

MD5
c594d668331ec776be7848a22859a1a1

SHA1
d5b2774a269fbf92c5de643c02a6442ddd7d10c4

SHA256
89b8191f6c775a49e30c7af087b90ff436aace05a1cc413f7cce7dc1ef7d1447

SHA512
fbe758a115d35ca92b38f5f44a00cb88705f201e0bf9226593d95e4dec4396a304ef615b529e0ff0c0cc15d432eb92224a153b4ec0fe5adc65db852401bfd66e

Download Submit
memory/2796-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2796-246-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-4-0x0000000001EC0000-0x0000000001F38000-memory.dmp

Filesize
480KB

Download
memory/2924-235-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2924-240-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2924-245-0x0000000001EC0000-0x0000000001F38000-memory.dmp

Filesize
480KB

Download