a92d97fb7a8d612e1070e584550240e7ab7b497ff329cca0d5df1ce0201eb90f

General

Target

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
Size

488KB
MD5

71cf98c82961d83d08279eb8233de701
SHA1

5e026feb4eb5f9472ae51131afc69893c7a09bd7
SHA256

a92d97fb7a8d612e1070e584550240e7ab7b497ff329cca0d5df1ce0201eb90f
SHA512

4cfff9664be73559cf8f5b0c1295765406e2b791d7a62db9063042b9161da619cfbe2c7b750688b0b2040af64cd614355dcf12d931b0519ada719eb9b8985972
SSDEEP

12288:ZMMpXKb0hNGh1kG0HWnAlUoU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAG/:ZMMpXS0hN0V0HZZSGB2uJ2s4otqFCJrr

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe	aspack_v212_v242
F:\AutoRun.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2576 HelpMe.exe

pid	process
2576	HelpMe.exe

Loads dropped DLL 31 IoCs

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exeHelpMe.exe

pid	process
1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe
2576	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\J:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\X:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\O:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\Y:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\I:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\Q:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\K:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\M:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\T:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\V:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\A:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\H:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\U:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\N:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\P:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\E:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\R:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\W:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\Z:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\L:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\S:	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe

description	pid	process	target process
PID 1912 wrote to memory of 2576	1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe	HelpMe.exe
PID 1912 wrote to memory of 2576	1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe	HelpMe.exe
PID 1912 wrote to memory of 2576	1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe	HelpMe.exe
PID 1912 wrote to memory of 2576	1912	71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71cf98c82961d83d08279eb8233de701_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe
Filesize
489KB

MD5
648acc4ed38455823a3a087bab5251bf

SHA1
67b797e670e399d95039c2a9fdb644f085094d79

SHA256
dda9fb2edf01ead788f0b37939b62b324b8987c4bf647026fb80047aeebc5fcd

SHA512
39cbfa04fc46df1ea36bce0f7672c081721d3b877c0fb6b14090b939ad143cd9413015f3e47c78df096df288ad4b02f5d04db183801f84ac743bd8151a57a46f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
959978435764d7ad6e556333f9cae72a

SHA1
6f8642a8edb20ef8a4574fbf621fc9a786d3bcf6

SHA256
83ee1f55e58665cbd2081eef02032ad3586e06c2c0c79a5ea207466206c8b4cd

SHA512
903c440cf2043d7c782537ac07276a625a8ab08a063be4bde3c3a59a0b71a4dcee814ecd053298dd7b1841a50d8065d9456805b2c957d3394b5ad260f83835ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
73f5c818e3ad9c18eeb132ac48fc706c

SHA1
ff15ad42ada4f6465ac3d9bb08cbe14efe968242

SHA256
48cd42c56c7effb6f2b6ca0d89e69dca24593637fdc57a9aadd1219dad3f7fca

SHA512
ed47cbd06d9ca95764a4c38ed340854f29d5f401553ba0c87407dfb8b5abad6a63c5ffd7bb810e4b65c4adaaf0615bd0f58c49d6ca92d3b543e173740511c50f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
488KB

MD5
71cf98c82961d83d08279eb8233de701

SHA1
5e026feb4eb5f9472ae51131afc69893c7a09bd7

SHA256
a92d97fb7a8d612e1070e584550240e7ab7b497ff329cca0d5df1ce0201eb90f

SHA512
4cfff9664be73559cf8f5b0c1295765406e2b791d7a62db9063042b9161da619cfbe2c7b750688b0b2040af64cd614355dcf12d931b0519ada719eb9b8985972

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
448KB

MD5
5fb5f2c8cd52e4825dd8174382db5497

SHA1
2c2458d0012a9671b402c4efa8478a8cd5a6e9b9

SHA256
1c2c904e3f306a26601c0e221547b579f368bf4a770128515ab59b4b6e624a6e

SHA512
f4f7826cd67c2c4019903bfefedbc4ddebd8b4930b3d491a3db071e5219327e17c097fe2dda2c21af75ff0aa4c1bdc3512ef1ada148389cf10b2d79305b21013

Download Submit
memory/1912-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-230-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-364-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-242-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-358-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-244-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1912-317-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-269-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-344-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1912-340-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-329-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1912-305-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-256-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-306-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-318-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-294-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-330-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-282-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-341-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-270-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-345-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2576-353-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-359-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-231-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2576-365-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads