58a0d0fd2be14203b98dc53efa802bc199f6b83f1bce6847d4019261589306d7

General

Target

696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
Size

624KB
MD5

696647054432c3ddafefffa7e192c0d8
SHA1

e042f232e5aba808b162e936289f937e5d7afa9f
SHA256

58a0d0fd2be14203b98dc53efa802bc199f6b83f1bce6847d4019261589306d7
SHA512

2d492eecbc4d797719f3ffad2cbb78bb7edac1b04a66da3af746ccce53e6420d5c0358663096c34785095fb9a33502cfc9b643e2f8bb2a5b5699e6af753af138
SSDEEP

12288:wp4pNfz3ymJnJ8QCFkxCaQTOl2+x5GpX/U:KEtl9mRda1T5GJ/U

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 2 IoCs

Processes:

HelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2440 HelpMe.exe

pid	process
2440	HelpMe.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe

description	ioc	process
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

HelpMe.exe

description ioc process

File opened for modification F:\AUTORUN.INF HelpMe.exe
File opened for modification C:\AUTORUN.INF HelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 6 IoCs

Processes:

HelpMe.exe696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 2 IoCs

Processes:

HelpMe.exe696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

HelpMe.exe696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

pid process

2440 HelpMe.exe
2440 HelpMe.exe
5012 696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
5012 696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

pid	process
2440	HelpMe.exe
2440	HelpMe.exe
5012	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
5012	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe

description	pid	process	target process
PID 5012 wrote to memory of 2440	5012	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe	HelpMe.exe
PID 5012 wrote to memory of 2440	5012	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe	HelpMe.exe
PID 5012 wrote to memory of 2440	5012	696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\696647054432c3ddafefffa7e192c0d8_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.exe

Filesize
448KB

MD5
a34f3532de4f2579a75769ff43d85b45

SHA1
1f2d7728ed5e4d7c09240552f72bd8e4c46bb4d8

SHA256
fadd8a7bd20af267874ed77a6a872ef1b61a5b1a8f84a5f3895145a621220f22

SHA512
a820448c2cf7835b3fc17decc3959088bb7fb093d813ed91a1ef8b71a910668ff916856b55610d97a4da0e91b9e1c26cd3345aac8c54bbec6bbcf427b8e3fd2e

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.4MB

MD5
a90b356bf68360f87ad76949bedfc7f5

SHA1
2c3694f748c1c6b1f2acc371d76bb14f0168e27b

SHA256
e79f33bb6c54d31d22cbbb8e620a4271bdb5f0ed15c428ef1b8ef9fdcfa243bf

SHA512
6104f18324de260a74be34ed41d60d2199c9eb18a337bb6b6de10e62b9f0780ddc253a667cf453aa8e7d7f4739861cfc302b52b4fe8a504d2835da36ce9badfb

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.4MB

MD5
955362b6d26bef37d77a4d64e344bab9

SHA1
35d0f13d3293d26d127eb8d26d584c8fc03f4b66

SHA256
f94784acf542adf824ce79c3edf4007690f1267d812325a7f1ab1dfcd78239e5

SHA512
257bceba07e03d876fce40756fa5079f0efe0d3e9e24e3234070f045b0909b3e942e6fac1def970dd0ff7485bc0cce45503bfbeb323c444651b8f4c47f303284

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
448KB

MD5
f37584ccd558a8098f9f3d203c55e366

SHA1
51201251845b44270718be6f042faf618e79cbbe

SHA256
58e2e26f1cbc51a7a47811ded83e6d5a724f9e8adf9b40ef1ac6f610d7a86a78

SHA512
d468113c39a25fc04995cd688c5336f14140d9705b31207bd0318bb1afecfb91ae4240fac1ddf02bf74da9db102e2b57eb75ed8e517c4f20df523625d000f3ba

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
786KB

MD5
51d7d39fe108488781d11a06cf3f24f0

SHA1
f111ae20f51fc6f42ab17d37d7e5a90a1b0b6492

SHA256
848c163fcde78475cc70b7710d08e28ebe0b81b56e559c14daa943cbb8f23a6c

SHA512
8fd66886a334295d0d0c06ab846565ecd1858e0d50ec29ad71a2f33fd2107a6d372eb65dff72e130a119d3052d3645e0aa6bb19810c70d6152ff7c9b12953b97

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/2440-6-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2440-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5012-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5012-1-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/5012-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads