69a72508098a148e77157803d53e32f2c5b1ff1e0a50a4a35c2a841e6c57ea70

General

Target

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
Size

793KB
MD5

69f6b8b5c9fd357f8b525d5b9a42c1a1
SHA1

166521f50eaa4e383cf88355f2c502703315217e
SHA256

69a72508098a148e77157803d53e32f2c5b1ff1e0a50a4a35c2a841e6c57ea70
SHA512

58116dd3dc193c015cbf0b6b6d580b0a2190e4000f852c7b9d8cd57297ab02b2e98346af0e5a60860fe19fca73542b968e8baa5a5691e4c26ae9045d38ade40c
SSDEEP

24576:ZMMpXS0hN0V0HoSMMMpXS0hN0V0HoSeSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFW:Kwi0L0qlFwi0L0qlLn

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe	aspack_v212_v242
F:\AutoRun.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

HelpMe.exe69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2076 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

pid process

2292 69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
2292 69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

pid	process
2076	HelpMe.exe

pid	process
2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\Y:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\K:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\M:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\N:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\W:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\O:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\U:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\J:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\L:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\P:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\Z:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\A:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\E:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\I:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\T:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\G:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\Q:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\X:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\V:	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe

description	pid	process	target process
PID 2292 wrote to memory of 2076	2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe	HelpMe.exe
PID 2292 wrote to memory of 2076	2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe	HelpMe.exe
PID 2292 wrote to memory of 2076	2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe	HelpMe.exe
PID 2292 wrote to memory of 2076	2292	69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69f6b8b5c9fd357f8b525d5b9a42c1a1JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe

Filesize
794KB

MD5
e858864c508b552e9d1c5c2e00c4c032

SHA1
1757db41eb0607ce118be91c6d9af847c99794c2

SHA256
589f6c2f3eae065a843bf059f59afb321ad0accb52a093e221ed725ba50a13c1

SHA512
15c01ae0b5be56fae25c386a2ddfa450d5f413bb80bd402c9933578bfb71b5e29f63c975005abc26f13cbd872e27549de53c73e5c4ef9b015acc4839ab1d58e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
610649b93eb5b00187d671642438c557

SHA1
faae3de1738b6f639c8d8c7bae6b926abe75417d

SHA256
4886f381b93be490f999ada29d192d6ce9a1ffaab72992d84ea6eb940dbcc5de

SHA512
2f5b5c852e04a0ec1233b2593868139cf36a8c7d28f16615541a17fb78d4a841170d9be794f5eec62727602ccd32517f37280d610fc5bacaa49b24be8260525f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
861b2a4ffa452248422b29565bd00438

SHA1
f72a835c00f0c49086df37964ddaed17a1cf29fa

SHA256
02b9da5b0a5b6bfc805d2a2733051fffe61f8ad34556fefff91524772812e21e

SHA512
2338fd75e868d85c7bace9c9addceed1a3b9baf28d8b83c7aecac1cd5c762bae7bbc1ecde7832f2eb4ded4cc0a915f9ec352f6c822be5cf331cfa86578bada4e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
793KB

MD5
69f6b8b5c9fd357f8b525d5b9a42c1a1

SHA1
166521f50eaa4e383cf88355f2c502703315217e

SHA256
69a72508098a148e77157803d53e32f2c5b1ff1e0a50a4a35c2a841e6c57ea70

SHA512
58116dd3dc193c015cbf0b6b6d580b0a2190e4000f852c7b9d8cd57297ab02b2e98346af0e5a60860fe19fca73542b968e8baa5a5691e4c26ae9045d38ade40c

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
793KB

MD5
f9d945eb5aebb6bf6e63bbb5da01f79b

SHA1
41c9158406cf5ec061f51f0cc4d347bbc3ec6187

SHA256
58f465b3158e4e0789488a6cc83d06833e3972c5d432574689d92a7af7bf7111

SHA512
210383b810b6b4980d39dce77f3e39824511b6aff0cac50d3f86cd3d48783cebf9bb959c727403da9360682be2c2de446604d7f64bfe34c84f5cb442db5fdf51

Download Submit
memory/2076-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-291-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2076-361-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-238-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-249-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-341-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-331-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-259-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-248-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-270-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-296-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-310-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2292-320-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-290-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-330-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-258-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-340-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-101-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-350-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-239-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2292-360-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-237-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads