05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
Size

677KB
MD5

6ae36280ba9af6694960de5bb55aad9a
SHA1

24ae746e94b195dbef2079f89db9346e2695b14e
SHA256

05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492
SHA512

56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2
SSDEEP

12288:ZMMpXKb0hNGh1kG0HWnAHU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtle:ZMMpXS0hN0V0HzSGB2uJ2s4otqFCJrW9

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d00000001231a-2.dat	aspack_v212_v242
behavioral1/files/0x000800000001416f-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-54.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\U:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\S:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\W:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\N:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\R:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\V:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\L:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\K:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\X:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\G:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\O:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\I:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\J:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\T:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	28
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	28
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	28
PID 1796 wrote to memory of 1656	1796	6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe

Filesize
678KB

MD5
8972633821b623ece6027f4db644f8da

SHA1
5df249e844dbc79d860a1cacb3953c2a7d283c37

SHA256
3ee30fe78f19d1d3f6950c099a057e0bce79ca500ff12a5a52c3cb4804479c00

SHA512
3e7c3a906528718d488b6a3ce97a59faadbe1e5fe87f6705ba4ace3e32b68d33fd0381181c07606528be47670fa6e2eba379158806a20e9c4dbebf4c9d69eda3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1dc66bb80f920419baf93b661148faa6

SHA1
46e02cf469c1eb5e873d795ca6c1b50ef98bc265

SHA256
232c8e0b309e6b1bcbf8aba2a5efc83614f943b5089cbb046ed3657486344a67

SHA512
a038ec266afc13de7f48076501659cb082df6a70f07d609f869a623712cfd216381ffe7f7a70de3d6e2b5371e97045b5057e95f5b60d2d153d752c914b885ef3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
d77cdfe16446d4d5afbda293949ac75f

SHA1
eb7aae4d5c11dc20eb769a7743a73c48182579df

SHA256
be32c52bf7755767925f4c37fbdd7eefdbd285983fff36fa93b4d4ed67b2ad3c

SHA512
cf018169d4e56b8f1214f038e139b5e83251e11286292dfc04d76b142d75a8f876ddd8d376e5b8425428e8ee9f22065263fd417a5b6e8bea2ee4e8baae0a5356

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
677KB

MD5
6ae36280ba9af6694960de5bb55aad9a

SHA1
24ae746e94b195dbef2079f89db9346e2695b14e

SHA256
05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492

SHA512
56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
660KB

MD5
016169ea2344242b78031593b253b9b3

SHA1
7e382765b4082a0e04b0df26ea8e588668d58873

SHA256
31171ba31d85fefbc894e14478029b56d2e3cc5bb9c3b63310011a568578d58c

SHA512
7b10a0889de6ba892caca557f2db7b3cc83bb9109e255c012420cce0ee715eb1a0c918a7eaff5327756b5eccc6e728db146fda6d0b21c1c03f89706357bb0182

Download Submit
memory/1656-229-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-328-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-362-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-292-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-342-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-239-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-250-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-322-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-262-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-312-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-272-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-302-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-282-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-228-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-291-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-261-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-327-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-249-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-341-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1796-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-238-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-361-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads