Malware Analysis Report

2025-01-06 13:03

Sample ID: 240614-j7tvmasbne
Target: a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118
SHA256: 3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
Tags: persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6

Threat Level: Known bad

The file a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 08:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 08:19
Reported: 2024-06-14 08:21
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A

The value lands under Wow6432Node because both writers are 32-bit processes and WOW64 registry redirection rewrote the key path. On a 64-bit host the native key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, is the one a 64-bit logon process reads, so read both views with a 64-bit tool before concluding whether the logon shell was actually replaced. The default value is explorer.exe; anything appended to it is worth a look.

Renames multiple (91) files with added filename extension

ransomware

The report gives no per-file detail for the 91 renames themselves. Elsewhere in this run the sample also creates files whose names carry a doubled extension (notepad.exe.exe in SysWOW64, iexplore.exe.exe in Program Files, desktop.ini.exe in $Recycle.Bin), consistent with .exe being the appended extension. Nothing in the report shows whether the renamed files' contents were changed, so this signature on its own does not establish encryption.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F: (23 letters, one open each) | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F: (23 letters, one open each) | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe
The command line names system32 but the image runs from SysWOW64: the caller is a 32-bit process, so WOW64 file system redirection resolved system32 to SysWOW64 both when the file was dropped and when it was launched. On a 64-bit host look for HelpMe.exe under SysWOW64; the native System32 directory need not contain it.

C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2
Command line: "C:\Users\Admin\AppData\Local\Temp\\Client UrlCache MMF Ver 5.2"

Network

N/A

Files

memory/1640-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1640-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 5bd894512a1461986e3bcc6e8115fc01
SHA1 094b1452ba2472b9056e0d085c5672c5f228caef
SHA256 4582db4d3e503042fbf114517eb69c7e2ed76be2d830f6376698a99bb9721e3f
SHA512 4a73dc0b63988ccd03b505e32d81ca9652057b60d138989112798c98aca006a8b524cb0ef46fc9b35fb744d858a7743a34e771eae1c5c8fb6fcf4529f227acc4

These hashes differ from the submitted sample's, so HelpMe.exe is not a plain copy of it and a hunt keyed only on the sample hash would miss this file.

memory/1640-4-0x0000000001F20000-0x0000000001F97000-memory.dmp

memory/1656-11-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-13-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2

MD5 a8b336554ce53c37d8b06cef70d20ea7
SHA1 a188091f32a0b43411e079ac80009ca7398bccad
SHA256 3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
SHA512 a3b6afe121a4296c66dc8759a922ad99bb4050f7f0e7806478db6bcf8ea79ddf732c1ae87232bade79d0829c226c50f0ba94f759205a2d9f7bd2e019b791cdb4

Identical hashes to the submitted sample: this is a byte-for-byte copy of the original, dropped under a misleading name and with no extension.

memory/2368-24-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1640-23-0x0000000001F20000-0x0000000001F97000-memory.dmp

memory/1640-22-0x0000000001F20000-0x0000000001F97000-memory.dmp

memory/2368-26-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1640-31-0x0000000000400000-0x0000000000477000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

MD5 f0f52ee197f71b7fe6adbadcb3160e06
SHA1 2d9d49befe4df58d17463054fc6a85f06e431b16
SHA256 739b0f366cfe756157c49fe9afbd9a656170ac8ecc346346e51441b1b025d175
SHA512 709faa451a0742281aa801992ceee2ba330d70f255ca5f2c40cc23e94aa479c25d5a406bef63bbd7e11568642e6db40dbb17038305f8701246c2e9aba1be7102

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 97413aeb915614565c2a6f9947afdd76
SHA1 b7495d425397f67d0fd536a1c7e1d5fe44be8114
SHA256 f89b1f8c01ee0efda9c3727bd10af677ed8285e30db9c0d2558a01d85c139f92
SHA512 5ba224143be2566b5b381bec340527bd68a3793fd56430e35f58c0008c1a90ddb1ea0e38661986f217e249c698c702ca58201aed286db913ef78bc3a4d8694b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of zero-byte input: this capture of Soft.lnk was taken after the file was created but before anything had been written to it. The same path appears above and below with different hashes, so Soft.lnk was rewritten more than once during the run.

memory/1656-249-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-250-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d6496fe8b68d56b3d2818e2ba67bb29f
SHA1 b474530d4d98787b58104858bf5eff39b35d4bd7
SHA256 040a877fe88c3f72b9d4b16783d8a07be54280f37cbdbccb6325560ed5fc3432
SHA512 25e443200b35dee0d099e90c2fd9efa1469c7ec5baf644ebd3b4c430d30be9f308875cd963a1a02f49600b3d4f9f37ed74091a5daa87472d06ae40ca8848277e

memory/1656-255-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-260-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-262-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-261-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-271-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-272-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-279-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-284-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-293-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-294-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-303-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-304-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-313-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-314-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-323-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-324-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-333-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-334-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-343-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-344-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-351-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-352-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-363-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-364-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-373-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-374-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1656-382-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2368-383-0x0000000000400000-0x0000000000477000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 08:19
Reported: 2024-06-17 10:00
Platform: win10v2004-20240508-en
Max time kernel: 80s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
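The two persistence mechanisms just listed, the Winlogon Shell value of "Explorer.exe HelpMe.exe" and the Soft.lnk in the user's Startup folder, are the same in this run and in behavioral1. The script below is an added example for triaging them on a suspect host; it is not code from the report or from the sandbox vendor. Registry values are passed in as strings (read them from both the native and the Wow6432Node view with a 64-bit tool), the Startup folder is a constructed temporary directory with placeholder files, and the key paths, function names and sample values are this example's own assumptions.

```python
"""Triage of the Winlogon\Shell and Startup-folder persistence from the report.
Added example, not part of the sandbox report.  Runs offline on any platform."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

EXPECTED_SHELL = "explorer.exe"          # Windows' default Shell value
NATIVE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WOW64_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Shell is documented as a comma-separated list of programs; this sample used a
# space instead, so split on either so both spellings are examined.
_SPLIT = re.compile(r"[,\s]+")


def unexpected_shell_entries(shell_value: str) -> list[str]:
    """Every token of a Winlogon Shell value that is not explorer.exe.
    A leading directory and surrounding quotes are ignored when comparing."""
    flagged = []
    for token in _SPLIT.split(shell_value.strip()):
        if not token:
            continue
        basename = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() != EXPECTED_SHELL:
            flagged.append(token)
    return flagged


def triage_winlogon(shell_values: dict[str, str]) -> list[str]:
    """shell_values maps a Winlogon key path to its Shell string, one entry per
    registry view.  The report's writes land under Wow6432Node (the 32-bit
    redirected view); the native key is what a 64-bit logon process reads, so
    a hit only in the WOW64 view means the value was written but the logon
    shell was not necessarily replaced.  Each finding names the view."""
    findings = []
    for key, value in shell_values.items():
        extra = unexpected_shell_entries(value)
        if extra:
            view = "WOW64 view" if "wow6432node" in key.lower() else "native view"
            findings.append(f"{view}: {key}\\Shell = {value!r} adds {extra}")
    return findings


def scan_startup_folder(folder: str) -> list[dict]:
    """Size and SHA-256 of every .lnk in a Startup folder.  Zero-byte links are
    flagged separately: one Soft.lnk capture in this report hashes as an empty
    file, i.e. it was recorded mid-rewrite."""
    results = []
    for entry in sorted(Path(folder).glob("*.lnk")):
        data = entry.read_bytes()
        results.append({"name": entry.name, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "empty": not data})
    return results


def make_sample_startup_folder() -> str:
    """Constructed stand-in for the user's Startup folder; contents are
    placeholders, not real Shell Link data."""
    folder = tempfile.mkdtemp(prefix="startup-")
    (Path(folder) / "Soft.lnk").write_bytes(b"")                         # caught mid-rewrite
    (Path(folder) / "Updater.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 72)
    (Path(folder) / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")  # not a link
    return folder


if __name__ == "__main__":
    # Constructed values: native view untouched, WOW64 view as in the report.
    for line in triage_winlogon({NATIVE_KEY: "explorer.exe",
                                 WOW64_KEY: "Explorer.exe HelpMe.exe"}):
        print(line)
    for rec in scan_startup_folder(make_sample_startup_folder()):
        print(rec)
```

The shell check deliberately reports the view the value came from: a value under Wow6432Node alone, as in both detonations here, tells you the dropper ran as a 32-bit process under WOW64 and should be confirmed against the native key before the host is declared to have a hijacked logon shell.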

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F: (23 letters, one open each) | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F: (23 letters, one open each) | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
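In both detonations HelpMe.exe and the Temp copy write AUTORUN.INF to the root of C: and of the removable drive F:, the classic way to ride along on USB media. The report records only the file's hashes, not its contents, so the parser below is an added example, not code from the report or the sandbox vendor, and the sample autorun.inf it runs over is constructed for illustration (HelpMe.exe and the Temp file name are used as targets only because those are the dropped files the report names). It pulls out every directive that can launch a program so an analyst can see at a glance what a recovered autorun.inf would try to run.

```python
"""Extract launch directives from an AUTORUN.INF.  Added example, not part of the
sandbox report; SAMPLE_AUTORUN is constructed, not the file from the report."""
from __future__ import annotations

import re

SHELL_VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")   # shell\<verb>\command

SAMPLE_AUTORUN = "\r\n".join([
    ";; constructed sample for this example, not the file from the report",
    "[AutoRun]",
    "open=HelpMe.exe",
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
    "shell\\open=Open",
    "shell\\open\\Command=HelpMe.exe",
    "shell\\explore=Explore",
    "shell\\explore\\command=\"Client UrlCache MMF Ver 5.2\" /spread",
    "shell=open",
    "[Content]",
    "MusicFiles=false",
])


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Small INI reader tolerant of what malicious autorun.inf files do: mixed
    case, a UTF-8 BOM, CRLF endings, comment or junk lines and repeated
    sections.  Section and key names are lower-cased; values keep their case."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # junk outside any section, or no key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text: str) -> list[tuple[str, str]]:
    """(directive, value) pairs from [autorun] that name something to execute:
    open=, shellexecute=, each shell\\<verb>\\command=, and shell= (which verb
    Explorer treats as the default when the drive icon is double-clicked)."""
    auto = parse_autorun(text).get("autorun", {})
    found = [(k, auto[k]) for k in ("open", "shellexecute") if k in auto]
    found += [(k, v) for k, v in auto.items() if SHELL_VERB_CMD.match(k)]
    if "shell" in auto:
        found.append(("shell", auto["shell"]))
    return found


def _program_of(value: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return (v[1:end] if end > 0 else v[1:]).lower()
    return v.split()[0].lower() if v else ""


def referenced_programs(text: str) -> set[str]:
    """Distinct programs named by the launch directives, lower-cased and with
    arguments stripped: the list to hunt for on the volume itself."""
    programs = set()
    for key, value in launch_directives(text):
        if key == "shell":
            continue                      # a verb name, not a program
        program = _program_of(value)
        if program:
            programs.add(program)
    return programs


if __name__ == "__main__":
    for directive, value in launch_directives(SAMPLE_AUTORUN):
        print(f"{directive} -> {value}")
    print("programs to hunt:", sorted(referenced_programs(SAMPLE_AUTORUN)))
```

Two caveats when reading the output: on supported Windows versions AutoRun from autorun.inf is honoured only for optical media, so on a patched host this file is an infection marker and a lure for older or misconfigured machines rather than guaranteed execution, and an autorun.inf on the system drive (C:\AUTORUN.INF here) serves no spreading purpose at all and is useful mainly as a host-level indicator.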

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2 | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe | N/A
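The doubled-extension drops listed under "Drops file in System32 directory" and "Drops file in Program Files directory" in both runs (notepad.exe.exe, iexplore.exe.exe, plus desktop.ini.exe in the Files sections) and the "Renames multiple (91) files with added filename extension" signature in behavioral1 are one pattern: an extra .exe appended to an existing file name. The script below is an added example for hunting that pattern on a host, not code from the report or the sandbox vendor. It walks a directory tree, hashes every doubled-extension file, notes whether the file starts with the PE "MZ" magic, and matches hashes against the dropped-file values copied from the report's Files sections. The directory it runs over is constructed with placeholder contents, so only the hash table is taken from the report.

```python
"""Hunt for doubled-extension files and match them against the report's hashes.
Added example, not part of the sandbox report; the tree it scans is constructed."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values copied from the Files sections of both detonations.
REPORT_SHA256 = {
    "4582db4d3e503042fbf114517eb69c7e2ed76be2d830f6376698a99bb9721e3f": "HelpMe.exe",
    "3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6": "submitted sample / Client UrlCache MMF Ver 5.2",
    "3aefed5919e893c78a0a979727de4ef070bb7416af6c55f7a4c5e409237f57e2": "notepad.exe.exe",
    "739b0f366cfe756157c49fe9afbd9a656170ac8ecc346346e51441b1b025d175": "desktop.ini.exe (behavioral1)",
    "c8baa7cf4471fbaa3c1b0d9a220460047921cab2db92d4328b9633d63e97df68": "desktop.ini.exe (behavioral2)",
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae": "AUTORUN.INF",
}


def is_double_extension(name: str, appended: str = ".exe") -> bool:
    """True for 'notepad.exe.exe' or 'desktop.ini.exe': an original extension
    followed by the appended one.  'HelpMe.exe' (one extension) is False.
    Names like 'setup.v2.exe' also match, so treat hits as leads, not verdicts."""
    lower = name.lower()
    if not lower.endswith(appended):
        return False
    stem = lower[: -len(appended)]
    return "." in stem.strip(".")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, extra_hashes: dict[str, str] | None = None) -> list[dict]:
    """One record per doubled-extension file under root: path, SHA-256, whether
    it begins with the PE 'MZ' magic (a renamed data file will not, a dropped
    copy of the malware will) and the report label if the hash is known.
    The name pattern only finds candidates; the hash is what confirms them."""
    known = {**REPORT_SHA256, **(extra_hashes or {})}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_double_extension(name):
                continue
            path = Path(dirpath) / name
            with path.open("rb") as fh:
                magic = fh.read(2)
            digest = sha256_file(path)
            hits.append({"path": str(path), "sha256": digest,
                         "pe_header": magic == b"MZ", "known": known.get(digest)})
    return sorted(hits, key=lambda h: h["path"])


def make_sample_tree() -> tuple[str, dict[str, str]]:
    """Constructed directory mimicking the report's drop locations.  Contents are
    placeholders, so the hash of one file is returned as an extra known hash to
    exercise the matching path."""
    root = tempfile.mkdtemp(prefix="host-")
    files = {
        "Windows/SysWOW64/HelpMe.exe": b"MZ" + b"\x90" * 64,          # one extension: not a hit
        "Windows/SysWOW64/notepad.exe.exe": b"MZ" + b"\x90" * 64,
        "Program Files (x86)/Internet Explorer/iexplore.exe.exe": b"MZ" + b"\x90" * 48,
        "Users/Admin/Documents/report.docx.exe": b"PK\x03\x04" + b"\x00" * 32,  # renamed, not a PE
        "Users/Admin/Documents/notes.txt": b"clean file\n",
    }
    for rel, data in files.items():
        target = Path(root, *rel.split("/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    constructed = hashlib.sha256(files["Windows/SysWOW64/notepad.exe.exe"]).hexdigest()
    return root, {constructed: "constructed notepad.exe.exe"}


if __name__ == "__main__":
    sample_root, extra = make_sample_tree()
    for hit in scan_tree(sample_root, extra):
        print(hit)
```

On a real host run scan_tree over the drive roots the sample touched (C:\Windows\SysWOW64, C:\Program Files (x86), C:\$Recycle.Bin and any removable volume). The pe_header flag separates a dropped executable from a data file that merely gained an .exe suffix; the report itself does not say which of the two the 91 renamed files are.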

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8b336554ce53c37d8b06cef70d20ea7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2
Command line: "C:\Users\Admin\AppData\Local\Temp\\Client UrlCache MMF Ver 5.2"

Network

Files

memory/4904-1-0x0000000000730000-0x0000000000731000-memory.dmp

memory/4904-0-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 5bd894512a1461986e3bcc6e8115fc01
SHA1 094b1452ba2472b9056e0d085c5672c5f228caef
SHA256 4582db4d3e503042fbf114517eb69c7e2ed76be2d830f6376698a99bb9721e3f
SHA512 4a73dc0b63988ccd03b505e32d81ca9652057b60d138989112798c98aca006a8b524cb0ef46fc9b35fb744d858a7743a34e771eae1c5c8fb6fcf4529f227acc4

memory/3472-5-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3472-7-0x0000000000560000-0x0000000000561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Client UrlCache MMF Ver 5.2

MD5 a8b336554ce53c37d8b06cef70d20ea7
SHA1 a188091f32a0b43411e079ac80009ca7398bccad
SHA256 3d3d08830d0a221a8a3dd6caf33d5b6ad3c0e4dc61c731f1fd303c5b60b491a6
SHA512 a3b6afe121a4296c66dc8759a922ad99bb4050f7f0e7806478db6bcf8ea79ddf732c1ae87232bade79d0829c226c50f0ba94f759205a2d9f7bd2e019b791cdb4

memory/1980-12-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-13-0x00000000022F0000-0x00000000022F1000-memory.dmp

C:\Windows\SysWOW64\notepad.exe.exe

MD5 169344ea569f4fe1b6f602bc0ede4ecf
SHA1 aab0b9a7a7063c8dbc6706c92a4134b3b51ac71a
SHA256 3aefed5919e893c78a0a979727de4ef070bb7416af6c55f7a4c5e409237f57e2
SHA512 8dd81c44b6b2fab69f9e9c459eba22519512c7ca197049e0dc16916de0069b223839ec96bd1e966343ee6ffd2c65f601595a4f245e8da91b9970b99c0d26f77b

memory/4904-19-0x0000000000400000-0x0000000000477000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.exe

MD5 0d4138d0f70b49f3736418ccdd8a0ee2
SHA1 cc2a751c97e4a0e55264ec854ccec72a042d206b
SHA256 c8baa7cf4471fbaa3c1b0d9a220460047921cab2db92d4328b9633d63e97df68
SHA512 02abf224e26859bcbe3dac15ee880d7f1ebd94faa5faee6eef87e594a29508aa51c44cc58e0586dd6035776964264f91f6552300e48a3783ec24e943778139c7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Digests of a zero-byte file. Every later Soft.lnk entry in this run carries different hashes, which means the link was rewritten many times and the sandbox recorded each version it caught; none of these hashes on its own is a reliable indicator for the link.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0468b29907270203ad43020ec5d8325
SHA1 91caabf12088e9fbc1675a9ac875ffdbe1b4aaea
SHA256 7cbbbb6009a6129aa2395adb88e52d078f32e0f93bfe3a247f62dafd88a808de
SHA512 4bc6e29ec259589e29b9374ef228b6bb8e72d77cb70a03f522b693ca0beafe18058fbd9ef7c77aeb92227a81702a158e3fac720f6a611340821a5c9f7a5de966

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 64fea02b6ca6eaa863fcdd011fe02572
SHA1 67b50b47740ef6e7b8dc43022b77d35ef69eded1
SHA256 a7186fc03cd5e843595fe674a3bd702307254f8c4522cee53fabdb51fc15a9d4
SHA512 4acf1c1c680563d75a7b7224486ea3ca73bb0ced92c7e54b4438eb7385bc18a5a7d1363ed5b0154c5169af6bd20905139c7c3f5899b4de8d35f92039a8a5d8d4

memory/3472-63-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-64-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 30410008ae1331298ab9cebcaef27697
SHA1 b45947efc7ffd8690ba1b5e20dc417d3c92257e6
SHA256 4a7c63830ec21c3e8c69cada35777208cd79904d16497ef0547677730658a0cc
SHA512 3d7d75670ef7970c490323b99d0b9bcf14cfa25bc4b4aa0fc9f75f0c21a66ba3c6646ab752766682cbf79cea04824aaca51974c3f40928c2e29b27e37f6368c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dc3ff220815370761490730c6d31d14a
SHA1 bbd5ca42b630108cc3c8727d4a6ef331528e3d21
SHA256 67c7f2d4450b4efda3b2851e12e851bbd5b205ba681ed219ee659a74f1a7547a
SHA512 4162c65e58e984f54d175db25c4293ce64c30aa61ae4e1f0d824f5f87ff03ad7fc821863bf2448773bbfb5263fe226cbe130f4fe7c1615a4980cc05958785024

memory/3472-69-0x0000000000560000-0x0000000000561000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cc4b4f869f8b3efdc2c30c739ccfc808
SHA1 98c0ca27e2caf999459d6aa0f035d55100b168bb
SHA256 96ced6ef472584b84f01dca2843d4b34d81560bf73c765635a4d77148ccfda1b
SHA512 be997f55492e99acd0c9f1ab5007db07a31447523b2eeb35568354723b3c37af5e42062515699672aa2e0ef7fdd8b4158692f1826fc454e807964de0b9048f9d

memory/3472-74-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-76-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-75-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 171a2de5b3535ac563315dee4ab9eee6
SHA1 9881e3a79053d9214a35212713b7d155a380e6e5
SHA256 8627e9ded145757dd4253421c1de543bac4d8cbd9de35b3eecf15661f4e4ee0d
SHA512 5b8406776a46dd3bab9c57057caad80180ee9582721ad8b748469f1f8246be1d790be186d5221726383d7ab1c771eac2291ec67ef266d6a34d79352344c76693

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 32a133c9595fa50c36983a857a53081d
SHA1 1385eb42b7361079d4e84b9ae7002b0b85321995
SHA256 7554c559d6a54db778b9a9d0908605bbc12ed0f88f763f008fc757f2a39cc95d
SHA512 e7364da65f964b9874205b955da5a23d3d47af3b40a0f4e18cfeb669231a97d5e9cd4932e299e6aaba29bb82eaa05c1db27a6b259acc2af0790b309455bd3c87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ba19c56253b85214c36b4e95786a4543
SHA1 f93c3bc084cec73bae5b3c4cd862d637ac02d41a
SHA256 df8c0f54cae2c579bb798f98d3205c426f68a586959d52117a7f363e07397a35
SHA512 168eb8fa656a7abc117d63adf29b64ba15ff195963dac415bc47515052bfc32765cc649db1e9720551324b05dd445c124adc2811afb0068e594230af838ded35

memory/3472-85-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-86-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 80d3db2317a57ca6acdaff5e4baa37d6
SHA1 1c894d07ddb09564dedc53f4e621f33d9bba6def
SHA256 04a20ee20c22d0d2523edbe8579dc9feb4f01c4b29a5ac335bf2c93e0e53bc38
SHA512 5e1c68dc2b22020f0b26405bf548d447573de9c4e85c4250157d5427c4cc275a10ec17389701a3112e209149b0acd25ee93817921c0e40fa791657e467b9cbec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b4c2b71e00899a8a7a0630e6b1fe2c48
SHA1 976ce63b95f3a52fadd79ae71e3bed2ddd27e048
SHA256 ac60b61d66becfebfbfef3848ef29e5364e74bc2ef6985f9cee480a4ca5c2716
SHA512 6b6ad18e9f7a521a402198f1d651550a100f76cbf7003f8bae83bed04bd7851eb2aa4ebaf937dc36e77d5a526a7cf778ef92d251c03414188027ed30416ce375

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e873cca34f77f7f96c80ebaa6cb0ca02
SHA1 38a2f92cda3f2afb8023256289f4f76dae02cd30
SHA256 672cb123849ae8df87968725a2a9c8b0d33953adb679e7b121a0415db2b9096f
SHA512 bdc703664ff9bdf93bdd290cd2a45b7440ca6981a890f1058e92f5f07154c98a6d5dac96e1bca47ec109e70cfae15622dc53a9dc5a193b7df46a6cb1cfb47f25

memory/3472-93-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-94-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 124ba86f666ebd32154b59ce864776a8
SHA1 3d2c3c761eba2ee87f597af3072bf15c8232feb0
SHA256 b0b24dcdb86be4815e4a73b0ec4c0d95562678e87cd9942dae83f39f9ad16ec5
SHA512 5d3faad08975d5181293f0ebc6ec1a717d7c4d411ff7fa1ef386420979069f147a7e481e9321fac29a3d048279e276ef37aa1f01fb357d76e629697e0a0dd369

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4dc24750b285a9d0281ac51851c03f8d
SHA1 0f965d5c89ef025c5134a67e12809ab1a84c160c
SHA256 31ac3f57ede8487f65265239a076809abf369d768150d10d2d244af286034eb3
SHA512 21aae0f25c5af6116f499cd6179daa31214dacd021a483c92790e8fe31d76bd7bc7f38502ab1abb05b7ecc7463fa96a4f9b56b26dc7045df9cc91ba884668e46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 57688e17b4481fe859fdd651aeb93edf
SHA1 219bb98fd874a06f946624a9788ac794aee9f04e
SHA256 7f7e87334ac61f64a358ba20a74365ef958ecfe2451e5057c965941f23db99cf
SHA512 fbb40e8a1d1ac290098bd274fbc3ab3c68287f27faa2dda166208a39a3b41d03947ebece94ba6ec17adb87de9f4637bbec43cb714017e052c2be7f130932542b

memory/3472-105-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-106-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e271e94ca71bbbf4499a15a32d02bdb5
SHA1 a10a3eb1aa021250e74fb3ecf3f1ea2b0ae0f80d
SHA256 ec45952472ce76a8412434646b9bba91351fdfca85192a86fba3e66c1cc6317d
SHA512 1910a2cd59232fdd964f6e8dfed64bd0db46dc2f10dcc905d9dccea3d9ea21e94711b54d868d57e8349b75f8e1aeaf6085c1e7c4171696ea3ee6b7e8a373d19d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9193ffb94622b5d8c3e412975d8af9a2
SHA1 166ebe72618815e0ed385835fe3846d191eeef27
SHA256 469daa84b039d6c9a74b70d31ec149d847eaffa2c3634afad45f3f18f4de6845
SHA512 1a4f3b38998c68845dac73ed7bef8ca91ad5f60de9de765ef3a5a6cc50ca64e8e4bb5bcd54c060801fa601bc2621ac458d2c58b0a759ce14ae2b5670273e3ddb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 667bff8f0d9cf9bc9934ee96cf09e192
SHA1 2581b4384180974beb8d2cc43b2e0f31801afa61
SHA256 874fd017d7a48296b55ba72d8ce4dc2f6b2f6237f7e5af67c8dc1efc3261c190
SHA512 923024fe6abd0d79160b038b05c895e854b7b68c65a4c1a30546d5c3972d9944b680e5b39fec10a8a42a2705cfe2fa88b0f5a0ee72291bf9a6290eaeda712dea

memory/3472-117-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-118-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b61d326158214e8bf2aafac4c9e9bde3
SHA1 150e24550a8c925c7fd14e10f52cc0218b78c9da
SHA256 574ea0c43cac49d9e01caba15638294e4600bd938aebdcaf5f3560b3ce1cc766
SHA512 d9a9a06f997da2c3cf02b60a956ecd2b07f3b4d1453385fb7a43609dfac171ffaec314d4bdfa4baefb2b7bdfef813f5eb6fecfa0f450c90166d543c5b6e62ce7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5a05b2f5c223eeea71c30a04f2f5c947
SHA1 3de14caa95a7af7962535e6fdaa9a35be8057dc9
SHA256 669c247909e92e319ce0104b9c72b954054152bf90eaeba05d066dab7f79a7a4
SHA512 6da22354a2f20c22c7947aacf6d1da7ccaf62adbf4ca4520435de32dbc273e4943a55f6c8fc25fdf064e17410faf91d6aa2669962c51d79aaf01f4e0dc524a64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f1eaf859d9632d5adc7caa7b7343ada5
SHA1 8b5d0e00ef3d6bdb4420ea6c54ce2f6607fe6528
SHA256 007c06ff851ba65a1fdb2edf790acae1d162acf33741455717e2bd43d991c0c8
SHA512 a2221ca548cd2d4f7c0a03c3cf8e8a1140ce04cc3ccb65a1bca9ce9f8f59e699345761b9c95e573556ef26bb082f5ab491425503cd698c2064d1c39f58f9a449

memory/3472-127-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1980-128-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 13e028ae48ddeb4a3b1f82492d4f097d
SHA1 da8373e4faa89d370203e8d1affe546cc9e4f5e4
SHA256 c7ef8a8f3363caff70572447aed56df0e3d189468a8fac9a57c55d5a31437d20
SHA512 ffd357d1cd7e241df1f13f46f23be398e719332d771fc6f9d627464af6f450c1ae9677773d7460f278e1283da8330e68ca5ab21443f918ba906b9bc555c0e872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 12dc3f3fe8a11ec27113dc7cdc502828
SHA1 26c0bd0a5d02a3d029efe9a5461d55640a157255
SHA256 3cf96005c6c13f5c97468c1570cfe8315e05502365a4471d5f6d90a60ca82acd
SHA512 313cce48db73b626fe66f3e850b0d0f52e82979f96c941fe1aeb2eeb5a018d3ed76c310d417928a4ffc1808431c3ef07f94843a3721d6844cdad39b16bae235a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 11ad418734110b294fa2df15500a4725
SHA1 2c323c173d816b08b684830460129ab93da479ad
SHA256 d61a949903fcca0044dec270435dde9ca8153885584bee397d237f25562a20b7
SHA512 8d574848c96e0aa4fc927625a154780c1ef1648a0eb48c23795006834a4f954a65f3e0c1828237524862158c5c073bf2a9eb709f8bc93c554bd32f1318e9fd2a

memory/3472-135-0x0000000000400000-0x0000000000477000-memory.dmp