Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-06-2024 06:32

General

  • Target

    b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe

  • Size

    920KB

  • MD5

    b7375630562dd579a90c2ca6ea03be9a

  • SHA1

    50519b84f1480c45acd4a7678a330300f8c8c874

  • SHA256

    cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0

  • SHA512

    b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2

  • SSDEEP

    24576:KEtl9mRda1ISGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvp:BEs1lP

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"
    1
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

    Filesize

    921KB

    MD5

    9efc5e15dda68d9f8ba65a07ffe7f981

    SHA1

    b6a5e2a6b4eef575a7a1101ab08ba29d12ac9f34

    SHA256

    e9fed9482158bd62c7172bda2afd89d56aa82f00f1d120726bf53f5c043a93a8

    SHA512

    9f059bd422978686c4c3426f25b5c284ade118a9a5650d4323f933d3893ad0463a82d00ddfc216a179cff1c2cde41fa80f4c34bdf5d7af50a9d5440a69e0f853

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    f579091a6a455ef9e024022a4a856973

    SHA1

    ad569552b4a0beb9a1f007cd744b7cffa32f45c4

    SHA256

    b0835d1cfc7365baa9126184d9a8d9dd4c42d21607bbbb97a1bebc988f341648

    SHA512

    545391aa343dda28c04b3e732fe3656c80ebe6c2f534d64a5084a4e7aaf5e44e5ea191c70237c7a85f65bebdafbcba7c9ca6908ccc35c565d208d15d8d2df676

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    36658043f87dbb8dca3660f4cd919c5d

    SHA1

    c19f2f55c41a09360736fe9c64583d4eef295790

    SHA256

    5051ed62cdd9debf54f4e36dcf3ba483e7322322fa8735aeddcd348487188f96

    SHA512

    2e657f4325f24606310b42fac49fcfe58fe45d76eab8572e61a146c799cc534e6cfe667c349b6a680814c051c3081ba3adc8bb630e635b8b1afcd364bff9f876

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    920KB

    MD5

    b7375630562dd579a90c2ca6ea03be9a

    SHA1

    50519b84f1480c45acd4a7678a330300f8c8c874

    SHA256

    cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0

    SHA512

    b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    877KB

    MD5

    58cab97dd444edeb9b74b345bae4913b

    SHA1

    ffb6d71f4c1a368b2b8b1d7ba0ac7e4845857960

    SHA256

    f0f5c84912fbd1277d4580ad2986a9309a3cbcc1ae38af8583612cec16bdcaa3

    SHA512

    6306bbcb50ef693cd139725d21fa94d6998a2bebb111b7701c4937b5a3f048314f9de243537d21ec840589eeb2dc85517c7a3a6c1b4121b101ee74634332123d

  • memory/1592-11-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1592-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1592-242-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2172-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2172-4-0x0000000001E50000-0x0000000001EC8000-memory.dmp

    Filesize

    480KB

  • memory/2172-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2172-231-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2172-236-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2172-241-0x0000000001E50000-0x0000000001EC8000-memory.dmp

    Filesize

    480KB