b8105be854c4972c947a139f273296ae2fb50417a6e287ee70868a7988e29856

General

Target

a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
Size

841KB
MD5

a73f60e8996cb4e49b78373b2035c4aa
SHA1

d446554e503baba18f61e9a08e67b351843acdc7
SHA256

b8105be854c4972c947a139f273296ae2fb50417a6e287ee70868a7988e29856
SHA512

9c93dad68cf8391a2af29195956dba0aa2545299cd7035527be4c7f35af9bec4a271758397102a4ac2662f762fdcc4d5ba4f8c504fb6f56db1cf41acc1667a11
SSDEEP

24576:KEtl9mRda1ISGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvD:BEs1l91tRaMMMMM2MMMMM9

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

Processes:

HelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2024 HelpMe.exe
Loads dropped DLL 2 IoCs

Processes:

a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

pid process

236 a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
236 a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

pid	process
2024	HelpMe.exe

pid	process
236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe

description	ioc	process
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

HelpMe.exe

description ioc process

File opened for modification F:\AUTORUN.INF HelpMe.exe
File opened for modification C:\AUTORUN.INF HelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 6 IoCs

Processes:

HelpMe.exea73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 2 IoCs

Processes:

HelpMe.exea73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HelpMe.exea73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

pid process

2024 HelpMe.exe
236 a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

pid	process
2024	HelpMe.exe
236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

description	pid	process	target process
PID 236 wrote to memory of 2024	236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe	HelpMe.exe
PID 236 wrote to memory of 2024	236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe	HelpMe.exe
PID 236 wrote to memory of 2024	236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe	HelpMe.exe
PID 236 wrote to memory of 2024	236	a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2024

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini.exe
Filesize
782KB

MD5
9ed1865611cf9c2fe06bdc11b54eef71

SHA1
5a249cf39e4965f2a3e5079bde23df625d380166

SHA256
81cf5c611c5e23575c6ffe630a450e9fc2614f70baba0824c7154536037047dc

SHA512
22d3b691c044811942ea5fe843086dd63854f34c8595f3735afe9b8f649d4057d0f786a85b064ff02e56be7b88a3ae567d181b52cf7607c86c5198f9503ba6a0

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
Filesize
1.6MB

MD5
397b6eb8ba5a3a8771869097a90b943d

SHA1
452c29447cc29dde6f604a704c8a48450216566a

SHA256
de74d17c39dbc6397ecf514d61dfe269ef07a9fcd74034611f61cb5eceaa03df

SHA512
bd33c3ec6ee2c5315b851443a40bfcbc8adde3a62328cda6a1d4d9bb9d87509a2a086cd0a2fea0b4032299ad93f169a52223c1333556cb9a550042ccc5954e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
868c5d47cfbeb17a5ddca1f0fd77e1f8

SHA1
73b0b5ec38920dd666b03a51966d3c95372e9ea0

SHA256
05d66f8b68521fe72d8c205156b124a03189509269ad13763ed0c68a8f9d3843

SHA512
418730895a7f11d03241fb4079e36a3158caee1a71c3c0b9fc9b3805f0fde25b2421aa355c6fa1fc90de32c10a19bb34725e7652bb93a787f5020c1606296184

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe
Filesize
1017KB

MD5
d20a0f1387b72576574c216ebfb85ef2

SHA1
988dba81892eda9e46fd48a63162eae73af9bd3c

SHA256
2f7f91ef7a5d76ee0b56c9c1f73386de353149ebeeff2e067333c438122ba311

SHA512
7839e38538197996fb55901c1ccb82e46330bee2d2cf0a9e21b6d1783176f99e31faf04723104d90a80f4af9c4fb62652d5ab825067140747be30061a8acdac5

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
782KB

MD5
a0e115b3d88196469ec4aab4627eaa76

SHA1
ed68268054659df0fb58a59899bba5ddfb4d5ee5

SHA256
88c6b660b37620773ebd64c58b4e660a153bc1efd035a22161249bcf317f85a3

SHA512
d66b82b4fd3bc2836a5f80aca44d59eb65222d77d39852292432de70c7799697e47799f7dd6dd68150b1e268c198493cf84b33574eab2889f1dbfd3c0090212a

Download Submit
memory/236-4-0x0000000000480000-0x00000000004F8000-memory.dmp

Filesize
480KB

Download
memory/236-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/236-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/236-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2024-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2024-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2024-249-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2024-250-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads