Malware Analysis Report

2024-09-09 20:24

Sample ID: 240614-ae6jaa1anl
Target: a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118
SHA256: b8105be854c4972c947a139f273296ae2fb50417a6e287ee70868a7988e29856
Tags: persistence, ransomware
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b8105be854c4972c947a139f273296ae2fb50417a6e287ee70868a7988e29856

Threat Level: Known bad

The file a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: persistence, ransomware

Modifies WinLogon for persistence

Renames multiple (93) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 00:08

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 00:08
Reported: 2024-06-14 00:11
Platform: win7-20240611-en
Max time kernel: 145s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Renames multiple (93) files with added filename extension

ransomware

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/236-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/236-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 a0e115b3d88196469ec4aab4627eaa76
SHA1 ed68268054659df0fb58a59899bba5ddfb4d5ee5
SHA256 88c6b660b37620773ebd64c58b4e660a153bc1efd035a22161249bcf317f85a3
SHA512 d66b82b4fd3bc2836a5f80aca44d59eb65222d77d39852292432de70c7799697e47799f7dd6dd68150b1e268c198493cf84b33574eab2889f1dbfd3c0090212a

memory/236-4-0x0000000000480000-0x00000000004F8000-memory.dmp

memory/2024-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2024-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

C:\Windows\SysWOW64\notepad.exe.exe

MD5 d20a0f1387b72576574c216ebfb85ef2
SHA1 988dba81892eda9e46fd48a63162eae73af9bd3c
SHA256 2f7f91ef7a5d76ee0b56c9c1f73386de353149ebeeff2e067333c438122ba311
SHA512 7839e38538197996fb55901c1ccb82e46330bee2d2cf0a9e21b6d1783176f99e31faf04723104d90a80f4af9c4fb62652d5ab825067140747be30061a8acdac5

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 397b6eb8ba5a3a8771869097a90b943d
SHA1 452c29447cc29dde6f604a704c8a48450216566a
SHA256 de74d17c39dbc6397ecf514d61dfe269ef07a9fcd74034611f61cb5eceaa03df
SHA512 bd33c3ec6ee2c5315b851443a40bfcbc8adde3a62328cda6a1d4d9bb9d87509a2a086cd0a2fea0b4032299ad93f169a52223c1333556cb9a550042ccc5954e51

memory/236-26-0x0000000000400000-0x0000000000478000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini.exe

MD5 9ed1865611cf9c2fe06bdc11b54eef71
SHA1 5a249cf39e4965f2a3e5079bde23df625d380166
SHA256 81cf5c611c5e23575c6ffe630a450e9fc2614f70baba0824c7154536037047dc
SHA512 22d3b691c044811942ea5fe843086dd63854f34c8595f3735afe9b8f649d4057d0f786a85b064ff02e56be7b88a3ae567d181b52cf7607c86c5198f9503ba6a0

memory/2024-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2024-250-0x00000000002A0000-0x00000000002A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 868c5d47cfbeb17a5ddca1f0fd77e1f8
SHA1 73b0b5ec38920dd666b03a51966d3c95372e9ea0
SHA256 05d66f8b68521fe72d8c205156b124a03189509269ad13763ed0c68a8f9d3843
SHA512 418730895a7f11d03241fb4079e36a3158caee1a71c3c0b9fc9b3805f0fde25b2421aa355c6fa1fc90de32c10a19bb34725e7652bb93a787f5020c1606296184

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 00:08
Reported: 2024-06-14 00:11
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a73f60e8996cb4e49b78373b2035c4aa_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |

Files

memory/4608-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4608-1-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 a0e115b3d88196469ec4aab4627eaa76
SHA1 ed68268054659df0fb58a59899bba5ddfb4d5ee5
SHA256 88c6b660b37620773ebd64c58b4e660a153bc1efd035a22161249bcf317f85a3
SHA512 d66b82b4fd3bc2836a5f80aca44d59eb65222d77d39852292432de70c7799697e47799f7dd6dd68150b1e268c198493cf84b33574eab2889f1dbfd3c0090212a

memory/4552-6-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 7fc7db7f9acc015737f1d64f817c5ba0
SHA1 70719a63f42205913c34d0d7e835ed5d2bbb0a04
SHA256 257ee1dafe87431089b0d6adaf74397fc9710ae994325e308ce73ff33d1e0d85
SHA512 99f9e62e7546ab8b365285cd7cc0a149d6002c001faf91aae4ae0ea69b059d723d44c057bc3d41c3320bcf584c9e71c75fdbbd47377e734c92f35e7ccd1c26ed

C:\Windows\SysWOW64\notepad.exe.exe

MD5 60419a98e0831c7eb0954a7159dc69fc
SHA1 cfbec4036074aaff01fa342facfa1911ad742eef
SHA256 57951b53c160fe12b16d27f7665619f174244f7df59668650324af5fc10155fe
SHA512 aca9259c56abfb53ab703fb7a3b1b49f18a9997bdac4875d1596c421fd1a1d84ac9aafdfc8ababdf674b41e9d377201cef259292c9927189b759e8667542736f

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 235902e02447fbcc998d3146bbddaaab
SHA1 48b805b01ef5a59d0685ce6d83bf43988587b3e3
SHA256 73fe2faa092b33d29f1e2ce610c4ae898a958dcea52d7a6bf7b76d7734418ba5
SHA512 18a46f8900e2ed5943b34c4acdd3c70ffa6c54069bdfbfd68907ca7677912dd06338dedf2f8f535088503570c8f08d3363b17c12bbc974de80a96cb199a9edc0

memory/4608-19-0x0000000000400000-0x0000000000478000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.exe

MD5 d39a2eefdb98436ba3d0f0fe7be0c39c
SHA1 ec68e3b5c88ade732cf23cd3434546ba0a3a2d19
SHA256 7354c7210493717e8edf498102fa83095eeecb606afa3346db52123a45fb8068
SHA512 983807e488c5acda7323f579e2cc6615b743739d347618363ea988c60c479d2fd3f191caf4e8f008a520a1e7d4a4a83931f6287929dc53f4999a437c1e1a54d5

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

memory/4552-68-0x0000000000400000-0x0000000000478000-memory.dmp