Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 06:32
Static task
static1
Behavioral task
behavioral1
Sample
b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
-
Size
920KB
-
MD5
b7375630562dd579a90c2ca6ea03be9a
-
SHA1
50519b84f1480c45acd4a7678a330300f8c8c874
-
SHA256
cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
-
SHA512
b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2
-
SSDEEP
24576:KEtl9mRda1ISGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvp:BEs1lP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 1592 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\J: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\M: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\T: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\E: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\K: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\P: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\R: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\V: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\Z: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\G: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\H: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\B: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\O: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\U: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\Q: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\W: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\N: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\X: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\A: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\L: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\S: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\Y: b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2172 wrote to memory of 1592 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe 28 PID 2172 wrote to memory of 1592 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe 28 PID 2172 wrote to memory of 1592 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe 28 PID 2172 wrote to memory of 1592 2172 b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1592
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
921KB
MD59efc5e15dda68d9f8ba65a07ffe7f981
SHA1b6a5e2a6b4eef575a7a1101ab08ba29d12ac9f34
SHA256e9fed9482158bd62c7172bda2afd89d56aa82f00f1d120726bf53f5c043a93a8
SHA5129f059bd422978686c4c3426f25b5c284ade118a9a5650d4323f933d3893ad0463a82d00ddfc216a179cff1c2cde41fa80f4c34bdf5d7af50a9d5440a69e0f853
-
Filesize
1KB
MD5f579091a6a455ef9e024022a4a856973
SHA1ad569552b4a0beb9a1f007cd744b7cffa32f45c4
SHA256b0835d1cfc7365baa9126184d9a8d9dd4c42d21607bbbb97a1bebc988f341648
SHA512545391aa343dda28c04b3e732fe3656c80ebe6c2f534d64a5084a4e7aaf5e44e5ea191c70237c7a85f65bebdafbcba7c9ca6908ccc35c565d208d15d8d2df676
-
Filesize
950B
MD536658043f87dbb8dca3660f4cd919c5d
SHA1c19f2f55c41a09360736fe9c64583d4eef295790
SHA2565051ed62cdd9debf54f4e36dcf3ba483e7322322fa8735aeddcd348487188f96
SHA5122e657f4325f24606310b42fac49fcfe58fe45d76eab8572e61a146c799cc534e6cfe667c349b6a680814c051c3081ba3adc8bb630e635b8b1afcd364bff9f876
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
920KB
MD5b7375630562dd579a90c2ca6ea03be9a
SHA150519b84f1480c45acd4a7678a330300f8c8c874
SHA256cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
SHA512b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2
-
Filesize
877KB
MD558cab97dd444edeb9b74b345bae4913b
SHA1ffb6d71f4c1a368b2b8b1d7ba0ac7e4845857960
SHA256f0f5c84912fbd1277d4580ad2986a9309a3cbcc1ae38af8583612cec16bdcaa3
SHA5126306bbcb50ef693cd139725d21fa94d6998a2bebb111b7701c4937b5a3f048314f9de243537d21ec840589eeb2dc85517c7a3a6c1b4121b101ee74634332123d