Analysis
max time kernel: 145s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
Size: 1.1MB
MD5: a0e2d36c6dc3a660509580a4c43cfd34
SHA1: 124d896477e98621ddcba0d75120016091fc866b
SHA256: a1b7b3c80c80febd8d6b1358cba8492a540234215a2bfbe0dc7d49683e6fac44
SHA512: ddcc10920dd7c2c90b1d0ec653158f324d74b70be9970d50283186bbadbfbb7b80876040cb32cc9db2ac70be54848058e196607a1ee522d7920771a63f681664
SSDEEP: 24576:KEtl9mRda1ISGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvb:BEs1lp1tRaMMMMM2MMMMMS5W/j
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: HelpMe.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe

Drops startup file (2 IoCs)
Processes: HelpMe.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe

Executes dropped EXE (1 IoC)
Processes: HelpMe.exe
pid | process
3800 | HelpMe.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: HelpMe.exe
description | ioc | process
File opened (read-only) | \??\K: | HelpMe.exe
File opened (read-only) | \??\P: | HelpMe.exe
File opened (read-only) | \??\S: | HelpMe.exe
File opened (read-only) | \??\V: | HelpMe.exe
File opened (read-only) | \??\X: | HelpMe.exe
File opened (read-only) | \??\E: | HelpMe.exe
File opened (read-only) | \??\G: | HelpMe.exe
File opened (read-only) | \??\U: | HelpMe.exe
File opened (read-only) | \??\Z: | HelpMe.exe
File opened (read-only) | \??\H: | HelpMe.exe
File opened (read-only) | \??\N: | HelpMe.exe
File opened (read-only) | \??\I: | HelpMe.exe
File opened (read-only) | \??\M: | HelpMe.exe
File opened (read-only) | \??\O: | HelpMe.exe
File opened (read-only) | \??\R: | HelpMe.exe
File opened (read-only) | \??\W: | HelpMe.exe
File opened (read-only) | \??\A: | HelpMe.exe
File opened (read-only) | \??\B: | HelpMe.exe
File opened (read-only) | \??\Q: | HelpMe.exe
File opened (read-only) | \??\T: | HelpMe.exe
File opened (read-only) | \??\Y: | HelpMe.exe
File opened (read-only) | \??\J: | HelpMe.exe
File opened (read-only) | \??\L: | HelpMe.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: HelpMe.exe
description | ioc | process
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | C:\AUTORUN.INF | HelpMe.exe

Drops file in System32 directory (6 IoCs)
Processes: a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe, HelpMe.exe
description | ioc | process
File created | C:\Windows\SysWOW64\HelpMe.exe | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File created | C:\Windows\SysWOW64\notepad.exe.exe | HelpMe.exe
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe

Drops file in Program Files directory (2 IoCs)
Processes: HelpMe.exe, a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
description | ioc | process
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | HelpMe.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: HelpMe.exe, a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
pid | process
3800 | HelpMe.exe
3800 | HelpMe.exe
3856 | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
3856 | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
description | pid | process | target process
PID 3856 wrote to memory of 3800 | 3856 | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe | HelpMe.exe
PID 3856 wrote to memory of 3800 | 3856 | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe | HelpMe.exe
PID 3856 wrote to memory of 3800 | 3856 | a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe | HelpMe.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a0e2d36c6dc3a660509580a4c43cfd34_JaffaCakes118.exe"
   PID: 3856
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 3856)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 3800
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 901KB
MD5: d4cc100663b30789283fa13a9440f286
SHA1: 9116ceb8225e3b302e67b4c27eba2ef703b634e1
SHA256: af1298703a74412a6d8a3daf701a70c4448ec1b26d5ca3ebd426979e53e3640e
SHA512: 6dcc0e7b0bd66be3a61dc08423613dc9a8b6b4a00de9b7371a07bfc5ed5fd8de1077c34728cbf6fc05021a98c8a154324f9a8c7b9b24e30afd745cd38b5631fe

Filesize: 1.8MB
MD5: 2d5577ed73a5549c17ad9cf96874da98
SHA1: 86f5f257e07f30434a93d2a5ba8f3796a2473f61
SHA256: 4b3d7e2c90834f6214da7698e33a0a69459e0a57d3a3acf6796481e762f128de
SHA512: 1c0476d5ef4038108e7aec69100e9cfba0400a2817b838b17b07d08bed8feac35e257230b5ce5f3b5d97298592b867a0a31c8ce701fcc170b1af8f6af7ea4620

Filesize: 901KB
MD5: 96c6cd4e81790949780f17a02975e2d0
SHA1: c8090a2cc130d772dbf88f6f1bc3bd19eba5a2ec
SHA256: 0b09876b0b50fb10766ad32c2c13bac101f59c58c347a80459ef8aff86e84aa2
SHA512: 664cd14591a39635661f1b16e11ef0f98f6430e689ac1e2e3ff057c8706512f7cf6ac6137c7b074cfaeacce3a162c797b1845cfc90ffd3777c1127af49ce5abd

Filesize: 1.2MB
MD5: b099c2d686015e14bd2d0b8dbb598e82
SHA1: 316dbd9cc287d22eeb93984797bedda73ad761b3
SHA256: a7ad9c7de2f56fb627cb947673f2996cfe4dcba9e36ea6bff85a8b4539c81b8f
SHA512: f9674f4ebaa3c5304492dc305e3a648f65499c411c65d010cd1f0b2b8cdc2f634b9a0b5c972664243f9223821e0f34b007699d43fdd4827e329b555ce4633f10

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47