Malware Analysis Report

2025-01-03 08:25

Sample ID 240617-eya9psyaml
Target b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118
SHA256 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230
Tags persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230

Threat Level: Known bad

The file b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 04:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 04:20

Reported

2024-06-17 04:23

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1392-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1392-1-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 129dfca94187120f825c592892e52f6c
SHA1 8dff7e86e0d128c2339f7dbdedab8f5609e34dab
SHA256 78f41d1ba212c04adfcf990c352036dc5f46a27779236b85d85c54b4398d6ce5
SHA512 b5db05cde57313476eaa21bd7876120db643d5866ab7c83d9b1c19a416c77e27451da318960a533a7874ac18128323e8b22bd8cb31d5be0de1c10319f32c0d82

memory/4772-6-0x0000000000630000-0x0000000000631000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 293ffa627ebd6227198a0510e773aa53
SHA1 dd0a202089965471392de5fa7e2868d04895f2bb
SHA256 6e88620daa7dfaf95852ecc3291970b4f2ba405000c12241fb2d422cb0101a71
SHA512 95174f532adc53eeebc69527eddc1804d14a1bbc4a4e152fb049ddfc743865b3f77e29fcbbc0108f7a81bee2dcbdfc98d5bbf9fb07b19ac44ec843c4776fc2eb

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 e3b1adb985d735d8ad0115a15e68cf77
SHA1 9de33da2c520daf65693e5c1cf550de43f2a7c5f
SHA256 01005ab1553c2a10d69aa7e11434dd244e228692a2697a8ff1efa8cff135c4bc
SHA512 8a9d36a4ce0126fb6839260dd8be4128d9ba76e763bdf1ea06daeaf5e10b9fc10febd2620f4bad3fa389d53a2042915abb0aee17f6a2ff0e1b8219ecbc5f298e

F:\AutoRun.exe

MD5 b6b8b4a3bc16c2f4b558ed1e4516c944
SHA1 9952e8cc06cc8509fa9b2b0d2708c46a7dcb5aa8
SHA256 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230
SHA512 0344cdf8cd666595a7fb16dee0bbf6dd80fd3e849d0bffaaa67b0ae43013598f920a1bd6916f05b56d07ab5a178c33606b488d03f91a3a611609bdf627a5d49b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4dbb45ef49de1e04686a46fa5e020b61
SHA1 d2461476e622c8bcc619c5de65d10d76caa9665a
SHA256 a41855c8c6206ba596499b9655edea6f28b436e9acf3942fdcafc31f66af787b
SHA512 c1db826d187600e83766e08feafb609478c9593ef626a2bbfbe7e1fb87326aff5dddbfb7aded63a491912269668bb13190fb3eee487bb44a90984aea1828bc38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e6cfdd44201f3ccea94eb197c5906892
SHA1 c3c337874bafad5dcb2d98806ebf833a74ea3e19
SHA256 290ee17b0f7ff8328f3f43811c748042ca7fb34426f48693bc5324538bf79008
SHA512 8ff9b7a54b5a7c1edd0c832456ea3c05e06d40f576e666efd01722c7350e9ef7fda69575cc839d01effac54eaf858883e622c5c2c29ce55060df2b390a82d01d

memory/1392-50-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-51-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c3188b669eb4425b217df3283cca209
SHA1 fc7617768f39b23813dcb54c47bdc69d6757c988
SHA256 1707a308e73a4d25e0d83ba924c8b7feb81a5b86eb8d4130778502f0ae57305c
SHA512 6ace0dce8f4dc9f0cc178dc6b5f89c7ea72fbb79eb4e03106a3ecb7b72f2c8151df29709dac755d22e67139b6aacdb1863aa7e19ad897daa5de5d05d2a6b3748

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ce9753e3b242771b23b62bedfc55cea
SHA1 d0a8ff2f90dbde1190712f74dded06f7592d3cf4
SHA256 7a9e3cae514926296a4e856151c248da727dddc1999f871f617d27a1e7632d7f
SHA512 ececba4248d79c886b82886b188c96c76726f4fc2baeaffefd2b4874d7332fb1fd09be79484e2bf1b0de517462158e6eb3334918c95ab13ad557f2edb7429e8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 99540e9e8052f1e429092ecc825cb280
SHA1 800cd4a0b294eefbbaf573e5e4e3a7e477e282ec
SHA256 ceab8f09faf7b4079241fc905df18a2ac074cbd4358337c18a1f109b79525237
SHA512 cdfd9a9a2a44b18bf6876d16405267dd5d116f9f8895114a1d83c87fc34834a96bde74add7dc581d16e298c0831a7951f3f133198ff895868f1969162fe74a0a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a4bc9ea740399676e2d03bcd3108d6f4
SHA1 35a3a762d62c21fe9437e3f904c7227f90f7dc5a
SHA256 73263ce499fa87d4b16964e219453efc042847dcd554733e8f77df60a1448974
SHA512 de9a2c2912ae16434a7adcf147d10783b4c01b8f46cdef294f7475146f0b3eecb44baf200b9ec6c05764128a99fb029a41daaad3e404640da545064deacb1ad7

memory/1392-60-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-62-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-61-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bd3f95ffa66931c3926d4e83cf0229e5
SHA1 5523a14dd64a4db1300910b1101c83e19cc92ed3
SHA256 3e4d667304068cb81cbfe321345a92077f4a2389c2da760c74755eb374cab575
SHA512 bf99ecc2a7f1672ea2d1cd63e88c502b734c481efe3673481145dbbf20ecdf76f538e5ca1085de05f5b4c268a63c7ef0c3625ed4867eaeecb4d1db56dcfe4c77

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 63f9ddad7958a79a9433d395ff62d0ed
SHA1 b710b7d68a51851bff2088bf2747a8058db67597
SHA256 b58c764beba42b763ad4d8b0dfd428f7648532a56315f25923d24b27815e6c9d
SHA512 1e9933714716f5893a1ee85898b6425fd6ebe3d8482dd029fe8866ad9aa44f13d7cee7085a1eee61086c6b296f245d01bc3201e07ec70518165565c01f0df342

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 662d3b63b1b6abcfd7a69c6f57ef2d13
SHA1 dedba3c1178931d427109c831072a7353d47f068
SHA256 09e15542e6ca8a3988fb34aa2227cd8c793c80a08f28d47af0bf20f8f6592c32
SHA512 8870b55140c02a97805eef149003b6a1c270fa8f94024146f1c3527ec41a91a33697361934e3b1c831c3009b31b33ec415eb19f8317d8c25baa2b54e6af46cea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b223c57d55bd4e4da9474e2602f10258
SHA1 01eda2004397c56809655099a94764a3b71a96c8
SHA256 488022823f0243a0eec2f55e9d12a7ce8792bf04c73627ef9022507e8930e003
SHA512 2c1be33a457b41acf0b872ca892cd47905f2a73339480058598ec3f988af4117b15994e525e364be41287a1346ab96a0f38bddb06c60e4a84d25e82e823cb09b

memory/1392-71-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-72-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a56e0b737ff5dec96542f258d80b752c
SHA1 eaf8664e79dbea3c2ef3d64981ec9ead79ca6d50
SHA256 181684804c89884b136771785481d0aa8dbf80f2e1e41dbf66eb69c059499cc0
SHA512 a69d4a0f6156fc6ea22e2abcf31f1cef68be5fc61a343a3c2c631322e05856933d746f64b3e52c6b27683dfbe35a09191073b4059fbfb3cbd05cc7089ff99acb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d457f3eb76e271301720bdcea211e5ce
SHA1 3ee9b1a0f98d56dafee5d012de12f74ab43e1106
SHA256 ede247fddd92cd088262f626d54674fb2b53abfdb0fcaa7988fc4c1b1854d732
SHA512 f0b4d3c658014fd4c3cd6d0d06d08b0d98f63c4d28462e36ba12c333b7393f65daa05ca389cdac7ac9dc60d042d286c037161656e23e2e360841964607270789

memory/1392-79-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-80-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b97f696c89503c4c37bf2d7c35957b88
SHA1 e6a719dbf1564a7793630f124c77255245a38f37
SHA256 e60a316f3d9c24fdfa594adab9ed7b5bf96d97f7d9a393ceea76078dd53304a4
SHA512 53203c350db8489c6a1f16fb11a7936d8ac32178b586975e0d0990fa292dd477b804fdde1eff25edf453ae44c75dc0f8ffcec32f003bc84812cb5f9c816588ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cf79db81100cec48cabd1ee1d007e3fe
SHA1 b4645797012f167dda277f91d7e64a54058acdc2
SHA256 17d0e82efec15d1e603f0597ba39b482bbf0eb1b9481a04f3b2ccff37d0c7435
SHA512 1b53bb767bd98348cecf66514513704e0508cd2215f296e36a6fab8edf8a788b5a76dca9a60e9d6bcce91dbc3b153c1281386635a9f0b44b9a54cd9bb878223f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db7234c847e970c697a48d92b268dc1a
SHA1 c9106b1be26b3f43c307ed87ec00d1047ebe7a32
SHA256 039dd8ad44e710d8fdf5db2ca09b97b3f335b76599b0e467798eb07dcba1dd60
SHA512 8cfd0b3bd5e36622bf608b6fb05748b30791fc5ea2fedd31c0d80e65f064c40b98f3121d5e782246803035595763a8f07d584a26c20d8e411ff1c01dc9dc7f97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3fdb072f4c727745e02432c66863dafd
SHA1 247c6a118fa924ff763287ded5bd976f08597bd7
SHA256 3306ec9cf42e60630ec0aaf62f4c72727fd2d2bb951cadc3a444d469a9ac4302
SHA512 b52be67c2c6a5237e12514d389a3782cbaad4fead2ec68bb550c81f6cab155779e5d22e4c0d65709d0a4da451f42d784fe8fed582b2c55075dd408da75e2cc9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6d29986b88740cf5c9b6f413ebef13dd
SHA1 3f0c9e382eb4c8bb0e04f933f6bf14a03c4d81c5
SHA256 0ba3bc72784cd1dd639962619fd162465be230fdf03d654eca3a7934858cf735
SHA512 e61986e1935d3da6b0235e1a78467c456139f1c77b3d8dc566c2405f59a52d1f4b5d0360b8a94020c7eaabcdb435c9cee9dcbd55a32561105669730259d3faea

memory/1392-91-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-92-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8bb2e93d6de609fb61d6b03ec427c29a
SHA1 a6d730c69afe0c6c8b15773893758cbf232de6cc
SHA256 57e732adf3c206c4b58e9d89c1f78d6e860fcae6dd06c146d5176522ab5aa75b
SHA512 c03d2365cf997a544e28c674936913187a25d258d61f13bf001670f3fdee47b53c92a961ab9d44112e32849cff98539b85a7378b01de6f3986c0b2e46a288677

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 05400850332c2d6a6fe97ebf489af886
SHA1 82499ad8f12f7f4273ae4e5e50ede76bcf4f8165
SHA256 3c61e18b4991c983c5490cd7b7e5c169c33900be46fa18ec936a517721e1a35c
SHA512 ebbf0d2032d628928b35f9fbf26ef9086cd1e2e5a9f76df14d7c350d0f3e929c7b25c944d287df2bc904aeb28dad1b5a82dd6cf5efc70c0c53e31e005b38bfb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 055bd31dbfd42d40d1e978c549ac4c56
SHA1 4a2aecb6d89d9a05bd1753482a8d01d5e8f725ba
SHA256 a261c375ff31ad775478f42aa96fff8b3bfede479e72610457a271e7a7f817e7
SHA512 b42bd271b749735e9eb28004e644e848cb5dbeac802415081f2771d2ecd035b53fd732cee5e22246195fd8dacb0064c7d10729295dc46a4c0210fb6d18b2f952

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c6eb19fecc4b7d988cea7b93d4a9d1dd
SHA1 c1bc0b26d51755ba744dfbef005c1f6bcedcc9d1
SHA256 aaf4040791edc5281bacf53b2d4f1ca013c197bcd4a8cf16d173c0b57621978e
SHA512 e94320290a120ad7b9afee4085a5826c8fb123b5abefebd1bcf74b4b881a8c195dd02f54866813d5ef7ba1a0dfd2fe451ed235a6d3dc353d76289a44fa73a89a

memory/1392-103-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-104-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a05fcdba5ffe6ed245fd70a93eb30486
SHA1 41c70b7cab2fbadb0a22bc875343eb4a5b030ae0
SHA256 83e32f9df9c4ecc83e37c713e8599a050046e59c8fbe3e15b902d17101a12a4e
SHA512 0064f74724976a236f267c7ef2c5ae6945169ac86c8dcede9a620a338884699bd7320038a12432502a5b298bbd118de9cea8c1aed861e283be5279f5898b05a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 442a014c81c86cd8104a62a3cb86abe7
SHA1 d49980f6c07a8ca9d52884527d124c4dc2417122
SHA256 c381c18f4ea0f88068fc2fc91ace465e5028e5c4b737740d093190ed4f8cfd28
SHA512 169f73b5ab8e5ba46b1e7ab8decca8635967b8aedde6ec537c88b2b09840fdba929bf51e67786cde44da2e3138bea66737c6b52654f3c0e353035ed359fb6ac4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a727f2d40d5411e5f32579069ddec899
SHA1 f56e9806928e41679476f5dcb0aff753579833e8
SHA256 cc8ceca7ccdfa4a38d5b276b08f155d6bfd9d5056bf526a3777e2fa14eadc4dc
SHA512 0b520898e2e78219e2c574b6a8e7de7141c72cc89b3f772460c546304cd4074f51abb1b9b885d0ad840d302cbb1f47a28105767a1047ac8324b102af61e0901a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 86c67ebec090ac9a80bf5489d9f1bc1f
SHA1 271b7a0e3f6dafc0c02ac4fc53471640a451de5a
SHA256 fd6e8336275d4c746187f2acbbba32c379e8b14a65c1605fd647226e06e711b9
SHA512 3d1b0e8d2819a3151af41225e3d6eda8d36fc5e0489ec5e14189e8436ddef3bb4c689cbbd8ac1e42a05b8909194e51b8550d89d48381a833b278e02e78c23ee5

memory/1392-113-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-114-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3be06f04e0e6a87708c07fbefb72e4f9
SHA1 007057d16c05be504604139fbee30337b9dc822f
SHA256 e8b8b1bc4b9b5ae91afbe9faa7eb56f0aa3a9dd2e4c392a2c6e3648b76fec616
SHA512 f7010a80934edbfcaf1c305530b53b8b7b5e1c47655d3e620a2fbc855f04b98b14df703ccb31390f60e697ec667bfbbce070852133de0f9b49ca2833c197a1df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b0ae5ee7796a8b93973717231579873f
SHA1 8bcdf24deac05482c428f86c883d41180dbde33e
SHA256 0158fd27e83182a762514ec8663f2430a65e33f4bab16f1a16cd8415af2481b4
SHA512 c0c87f012aa5f6428178f5f83c8a66cf09912cafd80f325a8bcd89e50176c5954884efeda5b2e131efb0d42dcd3ce9a5687cf1caf883ee5d8a8e9aa4be7e46e8

memory/1392-119-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a7a289e6fe3d2cecbf7d8e68a42b00dd
SHA1 e0a4f70f44ea341fe5fc975d38b008a7c33e4410
SHA256 3b5ddde6976cfb0ada1bc37ba5e214295f124caf56a6fda80c3ca28c29d6a341
SHA512 eab998ee4f005631e309edfac3ff8beea125cd94880056e567dc32adfe24d62ec9f888954159a5f7aa6b1e089176e03ec47fca1d309d88d8a9f8f7d83e4ee3d0

memory/4772-124-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6cd775155c839c93ba9453c20c6b11ce
SHA1 30573385ad74c40b4b146420c68476de14677bc3
SHA256 c54465b07aff78302048fc92a3e42bdb57a627446fe36b5edf33a13198be981a
SHA512 86b7ddb7ddf5f080fe972774d07b457c4e3dcfae8bd5d16172eca0ee51af05ed197b9c246194197dbc59348d3a5307f7e2f3c14b28d5325459543c71e9773809

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 211fbe4907f408cfec34a76bc7d25cd8
SHA1 57cc76d061d40afc86c6e281aee93a46d159cd06
SHA256 431e4ad1b2cdf3e0c00f77468e56db2f471c4544d4a5a960849c1d94e0cd42d8
SHA512 6f4aacf14ae573a96a474200b4bf1b22f6c09af80fb93728248a63149a06b237cf2bdd7fca962047ee3b0f612cff029e822bf076263a6cfae650a84ec9a9eaec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 473f85a170ff42ac572024ed1c11c241
SHA1 916c885ae824c16c9fd9cbe229b65021d4dddbf0
SHA256 9e678077495b5be351509221445043be0eac88970d3136a5fb28505b70316010
SHA512 dd12b92b15df1140f109a67babfaed511a2f3383e630b597018686a98f5a53924f56e072555fc014863cbb94ea1128265d2241b5b801acf6993e6ba1048f4b49

memory/1392-133-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-134-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 de26944c4b2fe01ccc885249f3386b71
SHA1 56b48df0a62b1948389b35bbf1c3985ad0505108
SHA256 f1fda25c00e5f952dd9fb1a9e1f9bd19573c467445fe32afd4d69f8a24374ba5
SHA512 d36378de759a84a2a9a6fa71563df45b7f340a372ef1e70e7354efe6cb83d9f8caf8436395a0ce69dfb0058066e79c0b9042a4fced31c82bb98d016e924ce0c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 151bce10b5b4359f921f12764bee5490
SHA1 b1c9538fdbde0acceca59bc9198b1c72b665c4df
SHA256 839627a358398bdb8a9d0a7a2f2649b8e74afa822c6d9ac860991bd2bd0b40a0
SHA512 90a97b5760d7433bcf8117f142c29c3873cb1313454aecf910ff5d91cd3d5b8aed5aefb4a3ac3d6628b06440cf6a7d4be0562bd2b1a32c4072d10f6e6d1861ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 51e8c7258b6ae87b1e50956b0d703540
SHA1 0bb05110e50b1fc0fb702af2c68b2667d0656fb1
SHA256 2871100a0cde5eaa325fde9698820c8dba3a0ff084200863e5fb20790408dbac
SHA512 a74536843aa02a9d967ae3e9776d03eae9a06d6a8cf27d958df13bc2e7190f0fdb57c015c116876cdaccae4003e4f5be0c9b817404b40e329902803b71addb09

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7756a7097308dac210de2040e6979ee7
SHA1 7550201d678c2f87d64d85884ef85071f5390573
SHA256 ac83d57147f5c331160e409620dccead4168105e4cd28f8b848a594c8c5ce96e
SHA512 484fbe5f6d6514725b5f66d7d5249ab1d570202be7411de8329d8d51c9700b756e19cbb279312eaaf389b27e87959f67699ff644d961411732079adaea4579f4

memory/1392-143-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-144-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d42a28317a3b7fd1a6164ce86d7bd29f
SHA1 fe03740eb416087d4c732a6f9ac5355d6f77962e
SHA256 61611c44b7b75c761f6486e5c35d4273ab0be2d070357c4a73ce47770e61fc62
SHA512 44435522ba2b21ebe2ad22a4541b2b7ebc2b8b8e0edfd760610636d112cd000776d7f89f5290a88f04211338bb09204da24bd9d0c2643d7cb3c69ef50ea19e58

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 98383656e8c35123989bd696799560b6
SHA1 7e9f6d69f3fa26ce7f063e26454add83578b19de
SHA256 869ce585f7fb7e0775fed7a976138d1e1fcb8365c72a292ef1863814a72cb8b7
SHA512 f383e802d5e70cc3c58f3c12eeb2037aa7ccf7331d210d1a07fe547e74ecb65a9701657ca9447beb6f4ff4820b2ec9b19d70e78b3c50574d1e495f28448e2d41

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 37eef8d16fdae78f5def805cf278b423
SHA1 dce47fe4252baed8b831d09c1de3ff691a4f682e
SHA256 81f6ee5a378724754581eaa42fc04ffb16785d064bf2a1cd003c7c0213a71e8a
SHA512 3692db195b45b5037d9cb2fd17a9ca5450dae5d895c07f5997b2ce132cdeffe89736d7f24b96f8a3999922851980d96a4d789be3e913c0e6f3ab092d2c8a8947

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 da7b58118858b6bd1b7da255cd6d1c90
SHA1 028826fe9e3e039ab21adcbd1c1d89158b19af0f
SHA256 75ebbca35426db2f32794d890922d7c8c2f3cda389be856bf51699c62b12bc28
SHA512 b8591655abe2a4f02347cfd587570824628b9f288bb850fb05dd368d02a3c40f4f04b5815f6ab2f59ffd90ca9e676dcc17b070279fdd2d52723c18c9adaed955

memory/1392-153-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-154-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b066743eec939c5cdd7c027901e54209
SHA1 4676ff8fa77f4de540c947b75c0b148de77d8572
SHA256 934752872b7a917870d82fb442791c42e4b7de3ae0bdd727168fa06eb4c7ef3b
SHA512 9b62885036f6da95d42c8e63f18faf64b0c347f03f97975af3b6292f58a1b74dffbbe932a8101829bb4e386df92094afbb0123dc4c93d770031192bef0585afd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ae82f62694b0bd3a23e55744b892e125
SHA1 c87d14900a797bc01d5183c9735b761a2a84d9ad
SHA256 86d4a1b9bb6252943dc0e897bf74d90820aa146ec4c650ed98e770a131848a28
SHA512 65f3fa0ade268a0ebc6bc700c23f9a787d30914b9c0013907f4143b6bcff2c7c670d5a80ce30fe1f2b2a6fd48ba185a7fa2f8b10aa7b59a3eb7128284fca6e56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e81f2a5bb6e80ad6e12e9b960eaea620
SHA1 23e28645162502d2cf3557a8089278bb55bdd969
SHA256 e3dabefcda9d1d2c348b077463766ee6c5ecb07ac63823f847cc986640691f85
SHA512 83e82a53be9fc9c381a7f740c619a66914d64624393965778ca059cd2f1295cbd64d728d637b7fb3ceaf0290a42328b82c628fbadfd5a427a65e70157e34f6d1

memory/1392-163-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-164-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4c76a3b697c08093e4cfe3aa34c2d12a
SHA1 1ae47ec67394948abbfa3a5adf81fd39b4b0b545
SHA256 e54e02ba6b3f5bc52c661121bbb535288e98f651e8d509874ad7dffa4b4399f5
SHA512 7c27e6a147dd2ac0d83c4be0de5a04c0f4d36fc58dcaf102f7ac5f2551e4d6a37949adc311a183e26f5978c09870459747a7a9b880fda0ed0f8126165fa79c90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1886f01fd5ff4138bf677aeeba74f72e
SHA1 adfea33f87bae956dc980a2a51e34f541786d5d9
SHA256 ed43421359c0a9f310073a7feb18e572dee77718915a7966122495c9a08c20c3
SHA512 5ffca21713dd5f9d7488126cd0f7c268d5799f91c7bf4f6133a405286a03373186d048a7271618b35076aeead33a9fce73782c24936c9ec503c92423a1ee3608

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 576e7bdb66c7f2359464436c55057cb5
SHA1 ce789949e9c938f641f4315c26ad552e53837cb6
SHA256 243e30702a12aaabe7bafdab2bc2b15fdb58c73646ac288a41e3384569cc0475
SHA512 f8e71870677bfcae6aa6cebcd7c1905c5e323df279485c070db22345eff800af5f09a0dd35ed13bfd935eb0b59b2b36990f37f178bcd6ad1270a5d1c9274d23e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 83d6ac8089f5c66387dbbd265f7feb7f
SHA1 d8f30660362b54e7a2febae637c028a6c99d323e
SHA256 83ca4f51ddd71bda4157af7485f9a4dce88e3ad7d87c16c35fdc7c5006e770f5
SHA512 f331397b502417cc609eded2807fad8f576090e0ef074df7ea77c26c72abb6d715fc352562c9aa8bc1730787c13f948dcfaaac37f97710d703c92e51e6fbc7e3

memory/1392-173-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-174-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cfe40a34077f5cb10917fb4886f7d3b2
SHA1 298979025890ac5efbd7b905069389f373dfcc96
SHA256 a5d0278fc94a374fb017056e9930c83b583cdd39b55822b3d92d69a58cea193f
SHA512 c13c6b5fa9fac78056208d2e5656144b8f2ec171dc443810bb16fd960a919c68982b6829076075a17981b72d8e0d4efe4d25c558943dc5c72c570171414497ed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5e0384ca2b4bd652fbd568ba55410baa
SHA1 127ccb2c072a2723115fe62165a777325ac995e1
SHA256 b3acbcde49a1c939c32e51d8cb7fa59b5739a4ff854bc02ca9df97ae85a9190c
SHA512 e305ab0dac7689bfd6d6d9a232cbb7d9092d38ad8d05a851bcc803cd1596b0a3d1fd679b86bde3767fd562d906f92084ee41797858e848abcbc7cb4e27c41df9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ed28b9b83dbcbaaee728c4e1a8efea3a
SHA1 47d9e11df2e0d38d64eddc170be02af7345f5c8a
SHA256 78a7200d1b0e118575d4e0429d223f81b18ff22ddb0d7182383e5577d6ae1fa3
SHA512 59398ab5cf8a1897f9336e577f2dd4aa8eb869cbcc705bdf5ee576433cf1b90822c75ec1f812fb2da08a922caefdff89ec89ebb3fbc358c04df5169922575738

memory/1392-183-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4772-184-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5766e680fbc215ff0457185b3ade7ed7
SHA1 6850b1c4b0489c6d2c1ff1f6b4cc4609b4e209ad
SHA256 77dce6ba752588702e7c6a1a2e5d601ecd0204437588f9b9d36cfe6e5fa476e6
SHA512 6cf7c01d7b8a3d9d6d11696acbba120a00e160003ddf355840d58eb8fc4ed39ab8c7a6048f4f279fe3cc5f1e163527ddd1ebe58b341a3fc3521553855c7091a1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aa55abf97f5d82bbed7f85030f2f21d5
SHA1 25807ce331091f558da147ce121e8f004b5be7bd
SHA256 c78166a42d4709aef954dd0e6fbb4b6bb10f13dad3cf4b169c1a32c88700dead
SHA512 3c08e0a34d080151139a6ac8a4a0ff5845c0f731bdbadfd147df29693621e41cab8977b154db53f58e50f25a79516f59b1a7a8aab5bf76f892e53682423f33cd

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 04:20

Reported

2024-06-17 04:23

Platform

win7-20240611-en

Max time kernel

146s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices
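
Host triage checks for the three behaviours recorded above (Winlogon\Shell set to "Explorer.exe HelpMe.exe", AUTORUN.INF dropped on the fixed and removable roots with a copy of the sample as F:\AutoRun.exe, and files renamed with an added extension such as desktop.ini.exe). This is an added example, not code from the sandbox or from the sample; the function names are hypothetical. The report shows the registry write only under Wow6432Node, which is where WOW64 redirection places a write from a 32-bit process, so the live reader looks at both views. The AUTORUN.INF body and the path list are constructed from the indicators on this page (the INF contents are not in the report), and the check for renamed files assumes the appended extension is .exe because desktop.ini.exe is the only renamed file the report names. One of the Soft.lnk entries in the Files list below carries the MD5/SHA256 of a zero-byte file, so the Startup shortcut was captured empty at least once; the checks here therefore key on the shortcut's presence rather than its contents.

```python
"""
Triage checks for the HelpMe.exe behaviours in this report.

Added example, not code from the sandbox report or the sample. The pure
functions take plain Python inputs, so the module runs offline against the
constructed data at the bottom; on a Windows host read_winlogon_shell() pulls
the real value through winreg and the other functions can be fed os.walk()
output.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Value written by the sample, copied from the "Modifies WinLogon for persistence" table.
OBSERVED_SHELL_VALUE = "Explorer.exe HelpMe.exe"
# The only program a stock Windows install lists in Winlogon\Shell.
DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DATA_EXTENSIONS = {".ini", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".lnk"}


def shell_value_extra_entries(value: str) -> list[str]:
    """Return every token in a Winlogon Shell value other than explorer.exe.

    Winlogon runs the Shell value at logon and a stock system carries only
    explorer.exe, so any extra token (a second comma-separated entry, or an
    argument handed to Explorer.exe as in this sample) is worth inspecting.
    Assumption: tokens contain no embedded spaces; quoted long paths would
    need a real tokenizer.
    """
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return [e for e in entries if e.lower() != DEFAULT_SHELL]


def read_winlogon_shell() -> dict[str, Optional[str]]:
    """Read Winlogon\\Shell from both registry views on a 64-bit Windows host.

    A 32-bit writer is redirected to Wow6432Node (what the report shows); the
    native view is the one 64-bit winlogon.exe consults. None means the view
    could not be opened (non-Windows host or missing key).
    """
    try:
        import winreg  # Windows only
    except ImportError:
        return {"native": None, "wow6432node": None}
    out: dict[str, Optional[str]] = {}
    for label, flag in (("native", winreg.KEY_WOW64_64KEY), ("wow6432node", winreg.KEY_WOW64_32KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, winreg.KEY_READ | flag) as k:
                out[label] = winreg.QueryValueEx(k, "Shell")[0]
        except OSError:
            out[label] = None
    return out


def autorun_inf_targets(inf_text: str) -> list[str]:
    """List the programs an AUTORUN.INF would launch: open=, shellexecute= and
    shell\\<verb>\\command= lines inside the [autorun] section, de-duplicated."""
    targets: list[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(val.strip())
    return list(dict.fromkeys(targets))


def double_extension_suspects(paths: Iterable[str]) -> list[str]:
    """Flag names such as desktop.ini.exe: a data-file extension followed by .exe.
    Assumption: the appended extension is .exe (the only renamed file the report names)."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name.endswith(".exe") and PureWindowsPath(name[:-4]).suffix in DATA_EXTENSIONS:
            hits.append(p)
    return hits


def scan(shell_value: str, inf_by_drive: dict[str, str], paths: Iterable[str]) -> dict:
    """Combine the checks into one findings dict; an empty dict means nothing matched."""
    findings: dict = {}
    extra = shell_value_extra_entries(shell_value)
    if extra:
        findings["winlogon_shell"] = extra
    autorun = {d: autorun_inf_targets(t) for d, t in inf_by_drive.items()}
    autorun = {d: t for d, t in autorun.items() if t}
    if autorun:
        findings["autorun"] = autorun
    dbl = double_extension_suspects(paths)
    if dbl:
        findings["double_extension"] = dbl
    return findings


# Constructed AUTORUN.INF body: the report lists F:\AUTORUN.INF and F:\AutoRun.exe
# (the latter with the sample's own MD5) but not the INF contents.
SAMPLE_AUTORUN_INF = """[autorun]
open=AutoRun.exe
shell\\open\\command=AutoRun.exe
icon=AutoRun.exe,0
"""

# Constructed path list taken from the Files table of this report.
SAMPLE_PATHS = [
    r"C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.exe",
    r"C:\Windows\SysWOW64\HelpMe.exe",
    r"F:\AutoRun.exe",
]

if __name__ == "__main__":
    print(scan(OBSERVED_SHELL_VALUE, {"F:": SAMPLE_AUTORUN_INF}, SAMPLE_PATHS))
    print(read_winlogon_shell())
```

On an infected host the expected output is the Shell value flagging HelpMe.exe, AUTORUN.INF on every root the sample could write (the report shows C:\ and F:\), and the renamed files; because the dropped binary lives in SysWOW64 and is started by name only, also confirm which HelpMe.exe the PATH resolves to before trusting a clean Shell value.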

Processes

C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2576-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 129dfca94187120f825c592892e52f6c
SHA1 8dff7e86e0d128c2339f7dbdedab8f5609e34dab
SHA256 78f41d1ba212c04adfcf990c352036dc5f46a27779236b85d85c54b4398d6ce5
SHA512 b5db05cde57313476eaa21bd7876120db643d5866ab7c83d9b1c19a416c77e27451da318960a533a7874ac18128323e8b22bd8cb31d5be0de1c10319f32c0d82

memory/2576-4-0x0000000002AA0000-0x0000000002B17000-memory.dmp

memory/3032-11-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-13-0x0000000000320000-0x0000000000321000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.exe

MD5 a41d0325347e1216b6bcf69f4d7c80c5
SHA1 1605087728bc044400f238f74a454f7aca4427b5
SHA256 8fa687d9f15fc91a5ea1cde367b3116da296bf995a06d8cd4f1879dd27d587b3
SHA512 5c24293f730465ad18e472597dc26aebcf3bbad076bc05a58ea4df5bea90159a210fe5aaddbb6288e6c4089f0e78befd8235b2a54f571c630d355d4bfba891d7

F:\AutoRun.exe

MD5 b6b8b4a3bc16c2f4b558ed1e4516c944
SHA1 9952e8cc06cc8509fa9b2b0d2708c46a7dcb5aa8
SHA256 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230
SHA512 0344cdf8cd666595a7fb16dee0bbf6dd80fd3e849d0bffaaa67b0ae43013598f920a1bd6916f05b56d07ab5a178c33606b488d03f91a3a611609bdf627a5d49b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2576-103-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ed5a8222d853afdc411e846bcb462678
SHA1 f3039025458e013e1303d9f6074bb458551feec3
SHA256 12a5f1f044f9dbcbb34c8add13786b4c9ff745ef40ae4c5578e75289508e7070
SHA512 b6cc698d8bd3cb0c2fa69e78076b1e9193bda3a1ee5925f128bf98672924cbb354be6f93c27a0eae57812410fbeca0d32b19fe6553737bdc533a3343bc6cc572

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d067b426efa482dce37bca3260072fbd
SHA1 42337b172088c36eb70321c1169f9f19413bface
SHA256 9d2ffea80565ef6199ad01b5417f2eab3f40046a81e735ca11378a4f35c72431
SHA512 c88a1cf6d869bccbcb9d9e329400a3464cb5abf7661bb90543daffc6f11a2d26b478e338b5710fd29a85ee3d26e7b407da9b468afe171bbda7bdd4a41f96fca7

memory/3032-110-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-119-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2576-228-0x0000000002AA0000-0x0000000002B17000-memory.dmp

memory/2576-243-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-244-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-245-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-254-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-255-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-264-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-265-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-276-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-277-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-286-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-287-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-296-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-297-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-304-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-305-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-316-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-317-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-326-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-327-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-336-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-337-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-344-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-345-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-356-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-357-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2576-366-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3032-367-0x0000000000400000-0x0000000000477000-memory.dmp