793c32d6660a388f837206d748cd633275ea1bf9ca2d9919f7994bdcef578cbb

General

Target

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
Size

1.1MB
MD5

72f15dce2fb58c6bb1a9abb63a38e456
SHA1

e1ae8b2bc824aee591cd16a10d1506651b9d2144
SHA256

793c32d6660a388f837206d748cd633275ea1bf9ca2d9919f7994bdcef578cbb
SHA512

f841b6b0327eaa513abcc3a715a3111566fa0c4c04e72f1213f443f1f75439858a64ae86c1bf5cd0e3ec8c58bcf845071d1c7561f85ce5e1cb02502597c43c5c
SSDEEP

24576:KEtl9mRda1ISGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvQ:BEs1ly

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2636 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

pid process

2804 72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
2804 72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

pid	process
2636	HelpMe.exe

pid	process
2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\H:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\Q:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\V:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\I:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\L:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\W:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\Y:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\Z:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\R:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\E:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\M:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\T:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\S:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\G:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\K:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\N:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\P:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\U:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\O:	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe

description	pid	process	target process
PID 2804 wrote to memory of 2636	2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe	HelpMe.exe
PID 2804 wrote to memory of 2636	2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe	HelpMe.exe
PID 2804 wrote to memory of 2636	2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe	HelpMe.exe
PID 2804 wrote to memory of 2636	2804	72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f15dce2fb58c6bb1a9abb63a38e456_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2636

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe
Filesize
1.1MB

MD5
b17aae8c37314ec0429f39d376a45e34

SHA1
6211b6a0dedbf3da38624c39946a2802efa95a89

SHA256
87bae06e07edb1bc68f5274fd1ad5bbbca549b7caa273ceec5e34c5ea0d3fe81

SHA512
651c6b04e68c32511e3ce6cd2a1e2e14ba71f6658a111cbf965b4594073312ef5c109fb9b3eb227678c362dabd9ec7665f6e0eac3aeb30d2d18eeb957bf3c8bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
950B

MD5
39bd79ada1122c5fb724fb8a79a271a8

SHA1
217382ce612788f5d38ecf97a64c82e42cb13f95

SHA256
f041331d1cef81ac2e2125d649698749f02dcfa4a49eab248c25dd0e57648bcf

SHA512
9a067f4e0ac64e1423f9659a13ca3ef7091f184ed2f762cf5b7e51225a10251bf446a85ce13808e4364e8822e16897fd17f0a1388a93249d62d731c3d5d9f38e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
26bf70ca1b09e4359d0ddfc483b8a545

SHA1
27d3817b8156e638d0fb03d9bbc5d933674d64cf

SHA256
073ff194f5b4637954782f95c227e732b2d87f30bc4a6d8a7df7c2c21ea639d8

SHA512
e5bdccaa77f14fbda9bb848d22546fb01d9f11e1419f033bc19bd753569fd869286c0933d04b968ffff2cfad2c0a509aac7f7a8b59da3a80066957018933875f

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
1.1MB

MD5
72f15dce2fb58c6bb1a9abb63a38e456

SHA1
e1ae8b2bc824aee591cd16a10d1506651b9d2144

SHA256
793c32d6660a388f837206d748cd633275ea1bf9ca2d9919f7994bdcef578cbb

SHA512
f841b6b0327eaa513abcc3a715a3111566fa0c4c04e72f1213f443f1f75439858a64ae86c1bf5cd0e3ec8c58bcf845071d1c7561f85ce5e1cb02502597c43c5c

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
904KB

MD5
e26000dba8f52a56600e5c5436a50a19

SHA1
0a95842bfce35f13aa529c0d5111822de72d7bbf

SHA256
038e206e0798a10e79bc4c27228038874a5551a4537617c21fd6065ed0f8d760

SHA512
0634e152aa93eee78e927fa63b37fcfe2ca91e71794d36cac3067bb2269afbf888b53f57dc4bd999048e8209283d40c2dd868a0de4b54081edce7f154a5f74a4

Download Submit
memory/2636-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2636-242-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2636-243-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x0000000001DE0000-0x0000000001E58000-memory.dmp

Filesize
480KB

Download
memory/2804-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2804-4-0x0000000001DE0000-0x0000000001E58000-memory.dmp

Filesize
480KB

Download
memory/2804-165-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2804-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2804-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2804-241-0x0000000001DE0000-0x0000000001E58000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads