Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 08:19
Static task
static1
Behavioral task
behavioral1
Sample
a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
a8b336554ce53c37d8b06cef70d20ea7
-
SHA1
a188091f32a0b43411e079ac80009ca7398bccad
-
SHA256
3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
-
SHA512
a3b6afe121a4296c66dc8759a922ad99bb4050f7f0e7806478db6bcf8ea79ddf732c1ae87232bade79d0829c226c50f0ba94f759205a2d9f7bd2e019b791cdb4
-
SSDEEP
24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvE:oEs1hm
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" Client UrlCache MMF Ver 5.2 -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk Client UrlCache MMF Ver 5.2 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe -
Executes dropped EXE 2 IoCs
pid Process 1656 HelpMe.exe 2368 Client UrlCache MMF Ver 5.2 -
Loads dropped DLL 4 IoCs
pid Process 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\O: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\Z: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\G: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\W: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\R: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\L: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\M: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\V: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\U: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\J: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\Q: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\S: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\I: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\P: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\T: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\X: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\Y: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\B: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\H: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\K: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\E: Client UrlCache MMF Ver 5.2 File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\A: Client UrlCache MMF Ver 5.2 -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\AUTORUN.INF HelpMe.exe File opened for modification F:\AUTORUN.INF Client UrlCache MMF Ver 5.2 File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe File created C:\Windows\SysWOW64\HelpMe.exe Client UrlCache MMF Ver 5.2 File opened for modification C:\Windows\SysWOW64\HelpMe.exe a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe File created C:\Windows\SysWOW64\notepad.exe.exe a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1640 wrote to memory of 1656 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 28 PID 1640 wrote to memory of 1656 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 28 PID 1640 wrote to memory of 1656 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 28 PID 1640 wrote to memory of 1656 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2368 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 29 PID 1640 wrote to memory of 2368 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 29 PID 1640 wrote to memory of 2368 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 29 PID 1640 wrote to memory of 2368 1640 a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1656
-
-
C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2"C:\Users\Admin\AppData\Local\Temp\\Client UrlCache MMF Ver 5.2"2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2368
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5f0f52ee197f71b7fe6adbadcb3160e06
SHA12d9d49befe4df58d17463054fc6a85f06e431b16
SHA256739b0f366cfe756157c49fe9afbd9a656170ac8ecc346346e51441b1b025d175
SHA512709faa451a0742281aa801992ceee2ba330d70f255ca5f2c40cc23e94aa479c25d5a406bef63bbd7e11568642e6db40dbb17038305f8701246c2e9aba1be7102
-
Filesize
950B
MD5d6496fe8b68d56b3d2818e2ba67bb29f
SHA1b474530d4d98787b58104858bf5eff39b35d4bd7
SHA256040a877fe88c3f72b9d4b16783d8a07be54280f37cbdbccb6325560ed5fc3432
SHA51225e443200b35dee0d099e90c2fd9efa1469c7ec5baf644ebd3b4c430d30be9f308875cd963a1a02f49600b3d4f9f37ed74091a5daa87472d06ae40ca8848277e
-
Filesize
1KB
MD597413aeb915614565c2a6f9947afdd76
SHA1b7495d425397f67d0fd536a1c7e1d5fe44be8114
SHA256f89b1f8c01ee0efda9c3727bd10af677ed8285e30db9c0d2558a01d85c139f92
SHA5125ba224143be2566b5b381bec340527bd68a3793fd56430e35f58c0008c1a90ddb1ea0e38661986f217e249c698c702ca58201aed286db913ef78bc3a4d8694b9
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
1.1MB
MD5a8b336554ce53c37d8b06cef70d20ea7
SHA1a188091f32a0b43411e079ac80009ca7398bccad
SHA2563d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
SHA512a3b6afe121a4296c66dc8759a922ad99bb4050f7f0e7806478db6bcf8ea79ddf732c1ae87232bade79d0829c226c50f0ba94f759205a2d9f7bd2e019b791cdb4
-
Filesize
1.1MB
MD55bd894512a1461986e3bcc6e8115fc01
SHA1094b1452ba2472b9056e0d085c5672c5f228caef
SHA2564582db4d3e503042fbf114517eb69c7e2ed76be2d830f6376698a99bb9721e3f
SHA5124a73dc0b63988ccd03b505e32d81ca9652057b60d138989112798c98aca006a8b524cb0ef46fc9b35fb744d858a7743a34e771eae1c5c8fb6fcf4529f227acc4