Overview

overview

10

Static

static

3

6966470544...18.exe

windows7-x64

10

6966470544...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

  • Size

    624KB

  • MD5

    696647054432c3ddafefffa7e192c0d8

  • SHA1

    e042f232e5aba808b162e936289f937e5d7afa9f

  • SHA256

    58a0d0fd2be14203b98dc53efa802bc199f6b83f1bce6847d4019261589306d7

  • SHA512

    2d492eecbc4d797719f3ffad2cbb78bb7edac1b04a66da3af746ccce53e6420d5c0358663096c34785095fb9a33502cfc9b643e2f8bb2a5b5699e6af753af138

  • SSDEEP

    12288:wp4pNfz3ymJnJ8QCFkxCaQTOl2+x5GpX/U:KEtl9mRda1T5GJ/U

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe
    Filesize

    448KB

    MD5

    1d602c38f5ff4006f112ef249e919b04

    SHA1

    efb98e204a4a84d157c13922340b05a3faeac29f

    SHA256

    3fa492d18fc035fe6f7b7dff8cf1e410c84779839bf81f1714f8e1a5993b7216

    SHA512

    bc1e2748ae365b35da63280fc79cce2af94270591559dddf95c2b53bb5ab64fe5f1b6a34e2c1ecd470e892dfd02142bc7d8b4d98cd992bfbedf6b72e63d816cd

    Download Submit
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    ae90292f6383216dfb9fc442c6cd8cc5

    SHA1

    c0803700a2f3eb056c4046ff2c87b0e0ea36e229

    SHA256

    1af317ba1e95333c020d065e490b0e5e964e4fbc1c89fb6c04e52dd790d4f544

    SHA512

    f5a9ebd4da92f798d33e85c81daf1b82cc387fda9ffe37d0293ad02a287e64b89229196440bdd6496293b9a253da1cd1ac1ec681233bf7353a959954e71d8ec7

    Download Submit
  • C:\Windows\SysWOW64\notepad.exe.exe
    Filesize

    800KB

    MD5

    6e9936f7c03fb174a2c3932aa4ded0e0

    SHA1

    ecf530456e87c8097caa4d3e691f12a2cbff44ea

    SHA256

    58d1c5629e56dc07f924c4288c1b2e1f42d08583f8f7fa3b67d21198ffc7ae8e

    SHA512

    fceef09840765d84c94f650f62c9d9032e72846581916a209074b730d0e8f893383d34e9886f555c980fe1a06052f5fce4df04491ff6b50a05b800d504034e00

    Download Submit
  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit
  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    448KB

    MD5

    f37584ccd558a8098f9f3d203c55e366

    SHA1

    51201251845b44270718be6f042faf618e79cbbe

    SHA256

    58e2e26f1cbc51a7a47811ded83e6d5a724f9e8adf9b40ef1ac6f610d7a86a78

    SHA512

    d468113c39a25fc04995cd688c5336f14140d9705b31207bd0318bb1afecfb91ae4240fac1ddf02bf74da9db102e2b57eb75ed8e517c4f20df523625d000f3ba

    Download Submit
  • memory/1180-1-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1180-4-0x0000000000480000-0x00000000004F8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1180-0-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1180-26-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1628-13-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-75-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-249-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-254-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-253-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1628-257-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-258-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-11-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1628-261-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-264-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-268-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-275-0x0000000001EF0000-0x0000000001F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-290-0x0000000001EB0000-0x0000000001EC0000-memory.dmp
    Filesize

    64KB

    Download