05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492

General

Target

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
Size

677KB
MD5

6ae36280ba9af6694960de5bb55aad9a
SHA1

24ae746e94b195dbef2079f89db9346e2695b14e
SHA256

05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492
SHA512

56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2
SSDEEP

12288:ZMMpXKb0hNGh1kG0HWnAHU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtle:ZMMpXS0hN0V0HzSGB2uJ2s4otqFCJrW9

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe	aspack_v212_v242
F:\AutoRun.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

1656 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

pid process

1796 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
1796 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

pid	process
1656	HelpMe.exe

pid	process
1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\P:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\U:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\S:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\W:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\N:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\R:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\V:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\L:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\K:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\X:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\G:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\O:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\I:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\J:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\T:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

HelpMe.exe6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

description	pid	process	target process
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	HelpMe.exe
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	HelpMe.exe
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	HelpMe.exe
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe

Filesize
678KB

MD5
8972633821b623ece6027f4db644f8da

SHA1
5df249e844dbc79d860a1cacb3953c2a7d283c37

SHA256
3ee30fe78f19d1d3f6950c099a057e0bce79ca500ff12a5a52c3cb4804479c00

SHA512
3e7c3a906528718d488b6a3ce97a59faadbe1e5fe87f6705ba4ace3e32b68d33fd0381181c07606528be47670fa6e2eba379158806a20e9c4dbebf4c9d69eda3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1dc66bb80f920419baf93b661148faa6

SHA1
46e02cf469c1eb5e873d795ca6c1b50ef98bc265

SHA256
232c8e0b309e6b1bcbf8aba2a5efc83614f943b5089cbb046ed3657486344a67

SHA512
a038ec266afc13de7f48076501659cb082df6a70f07d609f869a623712cfd216381ffe7f7a70de3d6e2b5371e97045b5057e95f5b60d2d153d752c914b885ef3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
d77cdfe16446d4d5afbda293949ac75f

SHA1
eb7aae4d5c11dc20eb769a7743a73c48182579df

SHA256
be32c52bf7755767925f4c37fbdd7eefdbd285983fff36fa93b4d4ed67b2ad3c

SHA512
cf018169d4e56b8f1214f038e139b5e83251e11286292dfc04d76b142d75a8f876ddd8d376e5b8425428e8ee9f22065263fd417a5b6e8bea2ee4e8baae0a5356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
677KB

MD5
6ae36280ba9af6694960de5bb55aad9a

SHA1
24ae746e94b195dbef2079f89db9346e2695b14e

SHA256
05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492

SHA512
56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
660KB

MD5
016169ea2344242b78031593b253b9b3

SHA1
7e382765b4082a0e04b0df26ea8e588668d58873

SHA256
31171ba31d85fefbc894e14478029b56d2e3cc5bb9c3b63310011a568578d58c

SHA512
7b10a0889de6ba892caca557f2db7b3cc83bb9109e255c012420cce0ee715eb1a0c918a7eaff5327756b5eccc6e728db146fda6d0b21c1c03f89706357bb0182

Download Submit
memory/1656-229-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-328-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-362-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-292-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-342-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-239-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-250-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-322-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-262-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-312-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-272-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-302-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-282-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-228-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-291-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-261-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-327-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-249-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-341-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1796-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-238-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-361-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads