Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 07:27
Static task
static1
Behavioral task
behavioral1
Sample
b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
b7627865ebb11f7512bf13d1aa0deab6
-
SHA1
a7ed0db06d85193426dceb71ce7d38988f39420b
-
SHA256
c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40
-
SHA512
fb6d7553dd4a63eaaf3a4fe27f35f8207988b6c5ebdcaa6c8d0135139c3136306c2921d8e237ab0a0710d9d06a31b1880767e8af7ebc7fb401601f4ce5e3edf0
-
SSDEEP
24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvU:oEs1hi
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2972 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\A: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\H: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\U: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\Y: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\B: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\G: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\X: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\I: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\P: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\T: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\Z: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\J: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\L: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\O: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\E: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\M: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\R: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\V: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\N: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\Q: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\S: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\K: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\AUTORUN.INF b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe File opened for modification F:\AUTORUN.INF b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1636 wrote to memory of 2972 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe 28 PID 1636 wrote to memory of 2972 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe 28 PID 1636 wrote to memory of 2972 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe 28 PID 1636 wrote to memory of 2972 1636 b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2972
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5082c57bfff321a3aac210289f32e4e45
SHA1d1870bf89682e6e8b8b68e356dbb47b5f54f3f29
SHA256fdac8659f87170090f9a8d0d9848bfe552b3c40c21e52fee42955943cd8e21d6
SHA5124374a61328869888de8c5be8cdf4546ef0de9545c346ee3f25c99dd084c26c552193e4b2464eb8748f6603915db093c65d45e40a2b3945f877c11c34e417fad7
-
Filesize
1KB
MD5b32a644b635822ca16a6ed146a8cc4e2
SHA1253863d8a13054f2148b2eebe88d19ed9d4e82a9
SHA2564a0889778f3a75762230f08c17562cb614c92c6161442858f4b7f5dc2ed3de88
SHA512cd67e4a83616e5fccb894b179237d89470095090c39b11880617fb9e6d55fc442f4cdff93bb02ad2ed6e1695cbc8b2a57f04b56448e5bc79e436d0bbb9792380
-
Filesize
950B
MD50381112327105cde94231152781be38c
SHA12446015bf5ddb0c099602b189672307ea9b76207
SHA2566eeb429e294600f6ecdeeea57ae6ffd6aef18b48ed2f69eb2f890259a3d26a3a
SHA512c89ac5b0f907b417eb592c893066af3962164ffd53c255755aa860cee8b56199b9805bbce5d17be1dd49343a67123784a2323c3d1fc4fb35e33fe870023a3754
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
1.3MB
MD5b7627865ebb11f7512bf13d1aa0deab6
SHA1a7ed0db06d85193426dceb71ce7d38988f39420b
SHA256c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40
SHA512fb6d7553dd4a63eaaf3a4fe27f35f8207988b6c5ebdcaa6c8d0135139c3136306c2921d8e237ab0a0710d9d06a31b1880767e8af7ebc7fb401601f4ce5e3edf0
-
Filesize
1.3MB
MD5dc07e9ab8f299d656ccb86184b1acfb5
SHA132c24fb13f1e60d6d2a60fb19fb1ff9477244040
SHA256c16108b15e11821eafdaedfd28c9d5f3f612b656e0a1b9e2e3b10c4f5932a6a3
SHA5124d74294f50a378641e8e8e50413eacb3b54123838be2f4283c91f5db15c1d899fe1899c7afed1c1d8cb6c9cb332bb92dc3b42fd2bfac362b6692bac11181d0e4