Analysis

max time kernel: 80s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:19
Static task
  static1

Behavioral task
  behavioral1
  Sample: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task
  behavioral2
  Sample: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Errors
General

Target: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Size: 1.1MB
MD5: a8b336554ce53c37d8b06cef70d20ea7
SHA1: a188091f32a0b43411e079ac80009ca7398bccad
SHA256: 3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
SHA512: a3b6afe121a4296c66dc8759a922ad99bb4050f7f0e7806478db6bcf8ea79ddf732c1ae87232bade79d0829c226c50f0ba94f759205a2d9f7bd2e019b791cdb4
SSDEEP: 24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvE:oEs1hm
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: HelpMe.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: Client UrlCache MMF Ver 5.2)
Drops startup file (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: HelpMe.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: HelpMe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: Client UrlCache MMF Ver 5.2)
Executes dropped EXE (2 IoCs)
- PID 3472: HelpMe.exe
- PID 1980: Client UrlCache MMF Ver 5.2
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by HelpMe.exe (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- File opened (read-only) by Client UrlCache MMF Ver 5.2 (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\AUTORUN.INF (process: HelpMe.exe)
- File opened for modification: F:\AUTORUN.INF (process: Client UrlCache MMF Ver 5.2)
- File opened for modification: F:\AUTORUN.INF (process: HelpMe.exe)
Drops file in System32 directory (5 IoCs)
- File created: C:\Windows\SysWOW64\HelpMe.exe (process: Client UrlCache MMF Ver 5.2)
- File opened for modification: C:\Windows\SysWOW64\HelpMe.exe (process: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\notepad.exe.exe (process: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\HelpMe.exe (process: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\HelpMe.exe (process: HelpMe.exe)
Drops file in Program Files directory (1 IoC)
- File created: C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe (process: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4904: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
- PID 4904: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 3472 (procid_target: 83)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 3472 (procid_target: 83)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 3472 (procid_target: 83)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 1980 (procid_target: 84)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 1980 (procid_target: 84)
- PID 4904 (a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe) wrote to memory of PID 1980 (procid_target: 84)
Processes

- Image: C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"
  PID: 4904
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - Image: C:\Windows\SysWOW64\HelpMe.exe
    Command line: C:\Windows\system32\HelpMe.exe
    PID: 3472
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory

  - Image: C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2
    Command line: "C:\Users\Admin\AppData\Local\Temp\\Client UrlCache MMF Ver 5.2"
    PID: 1980
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads