b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b

General

Target

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
Size

783KB
MD5

73e272abeb5c6a076dd5931f7c7504cc
SHA1

7de6e15bb4ad00887423c4feb0b72eee291d0f53
SHA256

b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b
SHA512

66b6de74f97a32aa45691350ee70ebe66436b39525d8fd1038041b318381509f82eb6cbf76597956deba1b37fb0aaac3988c6a7e11e16aa79ee06e851ed2ae68
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvH:oEs1hh

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2936 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

pid process

2868 73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
2868 73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

pid	process
2936	HelpMe.exe

pid	process
2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\P:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\S:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\T:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\W:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Y:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\E:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\H:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\G:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\J:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\L:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\M:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\U:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Z:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Q:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\R:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\V:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\A:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\B:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\X:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\K:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\N:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

HelpMe.exe73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

description	pid	process	target process
PID 2868 wrote to memory of 2936	2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe
PID 2868 wrote to memory of 2936	2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe
PID 2868 wrote to memory of 2936	2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe
PID 2868 wrote to memory of 2936	2868	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2936

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe
Filesize
784KB

MD5
713157ecd46b8182b189d6477447731e

SHA1
5aa21c37c3f1ddc875edcf454a67f32732b4cc19

SHA256
9cdae695d911280816296e6fa381055295982238a877dc7041f60314182cc9c4

SHA512
ad2b515fbb24237fb9e7968125001a5a475d2c7407181405d2d9a431edc84772706936f16e5309b7b44c197f829df94abdf0ebb86f91b88df995a02641a2aae5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
e415490e43231ff0216c8494301a65dd

SHA1
9c37425519ff920484eb12644124e2d71bac4b89

SHA256
8c2269a9d1f235711e62c3c08db98c3fa598b63615df47ac20421a6200a41545

SHA512
d04c687f56bd5d349bd1079df56e4ce7d28dbd7816585161bf5ec4740bc0f6950823f28d626e35e3baf2544fb1c0e917f37d6154cbeaad47bad56859b93e76e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
14387086bc2edaab0f47c3d96593035e

SHA1
6505f7d592da7c2830d12a32a48427978fade7e0

SHA256
5e6a4fde022c61638803105b903ec325fdaf25cc9ed9d4b21642b305e30a72e4

SHA512
905f334b189874b6450b4faafff40ff56b4404df7720354cfa70edbcc821be823abe6b7a1f6bdf63ac8f0b43ac71c9aa167185122a3881051214fb8824855d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
783KB

MD5
73e272abeb5c6a076dd5931f7c7504cc

SHA1
7de6e15bb4ad00887423c4feb0b72eee291d0f53

SHA256
b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b

SHA512
66b6de74f97a32aa45691350ee70ebe66436b39525d8fd1038041b318381509f82eb6cbf76597956deba1b37fb0aaac3988c6a7e11e16aa79ee06e851ed2ae68

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
722KB

MD5
9be3f0d7d4b6fa167c296af6f570ef4a

SHA1
014419a11092ca107c33f94e417e010ef24eeeb0

SHA256
bff3138b60ed4aa129f02990d36452b6091ebd12111954f1018046f16a7dac2f

SHA512
8749b9eef6868363063f05173565ce1bef861c356b777436d49cdcd05a04d4dd8cc2440c7d853f9e37840ccde7db7c6e857564f3d15bd0518856d036cb08cc89

Download Submit
memory/2868-263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-239-0x0000000000490000-0x0000000000507000-memory.dmp

Filesize
476KB

Download
memory/2868-367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-4-0x0000000000490000-0x0000000000507000-memory.dmp

Filesize
476KB

Download
memory/2868-231-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-233-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-357-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2868-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-347-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-255-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-327-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-277-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-245-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-318-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-328-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-336-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2936-348-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-232-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-358-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-11-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-368-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads