Overview

overview

10

Static

static

3

67e66ebd63...18.exe

windows7-x64

10

67e66ebd63...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe

  • Size

    843KB

  • MD5

    67e66ebd63a38dbe2599eaf8e8e36154

  • SHA1

    2939b45589d48189538618a599c81ecc49e4d8dc

  • SHA256

    bd5d34c1e069176861d46539d8abceabb2e9060d54191080cd64eb4bf907b879

  • SHA512

    3257daaa155ad3c2f05e68d0a907177f20b317b95b69c32d75ae977d6e7945809ada572e4333b003d469aadd4b38493f48b476b271a7e3e78323d1e8dad0aab0

  • SSDEEP

    24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvo:oEs1hC

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe
    Filesize

    844KB

    MD5

    95909d584c93284345dd588d1037b96d

    SHA1

    19d1bedaf6a3940fc7a5c85c075bf6148bdab4a0

    SHA256

    2093d7a57ab4af151ed3b640248a069e1a03fe77692e9edcc20aa7d46c875752

    SHA512

    bea00154b573f8c1e60acce8a3513bd4d17bc204685c35480d5191982f25599dbcabbf2afcfebcfc1a41d3b95d25e64688d1aa013b918e1b1111fd956f80db95

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    95c93eb34c63f43c236ee1c551e64bdb

    SHA1

    a545c534c40400278cd3fd461bc60247c1504aca

    SHA256

    6fca10d82109f2d524b3882de6b1eebec64618e303dfd045b28a6569a589367c

    SHA512

    cbc26366532d3a7a40373e7105d76e080984ce4a9bd4710efc3b8b8eb642e7612b07221bf3256600b77b6e688201d9333d499ac0b1ea93a0ec19f60e52afa2f0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    8af98dbb33a06b1d232f40fb44d5956e

    SHA1

    20b2bef9c4b1a0619d0ce71f663b0c85dcbc2c05

    SHA256

    f3dd9bd382a48d745dec88a7c61d217fe7bcc3aed443339e7460ba9e0b466924

    SHA512

    139e5755a6d176494ebaaadedd09d417bb166f6b3310b0d48b990c38400ac4855d0f2e3a3d84752cdd05aa0ddecff49f3b96c1551d97765ddb09578ac2d266a2

    Download Submit
  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit
  • F:\AutoRun.exe
    Filesize

    843KB

    MD5

    67e66ebd63a38dbe2599eaf8e8e36154

    SHA1

    2939b45589d48189538618a599c81ecc49e4d8dc

    SHA256

    bd5d34c1e069176861d46539d8abceabb2e9060d54191080cd64eb4bf907b879

    SHA512

    3257daaa155ad3c2f05e68d0a907177f20b317b95b69c32d75ae977d6e7945809ada572e4333b003d469aadd4b38493f48b476b271a7e3e78323d1e8dad0aab0

    Download Submit
  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    843KB

    MD5

    94e936d354a971b1efa32c3f3402286b

    SHA1

    19b59e39a8b89a5e6253474a420698c5f7f1130f

    SHA256

    d261ebc6468002d45f08f2cd8bc4f2424a572e4ba0c63eba0d683659e8a65b78

    SHA512

    8bfae03cf7739ea0337f1006da53f47632cf5e34cb37d109fcc442649d7676c3f8a2612f69d852e47b1e9c35339a9ce5a7936f87551f7e24f46dbbf1aad2866d

    Download Submit
  • memory/2052-318-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-268-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-368-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-358-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-346-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-96-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-338-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-328-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-306-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-244-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-12-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2052-246-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-298-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-256-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-288-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2052-278-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-245-0x0000000001E40000-0x0000000001EB7000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-327-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-267-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-287-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-1-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2812-297-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-255-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-305-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-243-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-313-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-0-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-273-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-238-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2812-337-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-173-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-345-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-4-0x0000000001E40000-0x0000000001EB7000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-357-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-91-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-367-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2812-11-0x0000000001E40000-0x0000000001EB7000-memory.dmp
    Filesize

    476KB

    Download