Malware Analysis Report

2025-01-03 08:25

Sample ID 240617-havvzssenj
Target b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118
SHA256 cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
Tags
persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0

Threat Level: Known bad

The file b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 06:32

Reported

2024-06-17 06:35

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/2144-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2144-1-0x0000000000630000-0x0000000000631000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 58cab97dd444edeb9b74b345bae4913b
SHA1 ffb6d71f4c1a368b2b8b1d7ba0ac7e4845857960
SHA256 f0f5c84912fbd1277d4580ad2986a9309a3cbcc1ae38af8583612cec16bdcaa3
SHA512 6306bbcb50ef693cd139725d21fa94d6998a2bebb111b7701c4937b5a3f048314f9de243537d21ec840589eeb2dc85517c7a3a6c1b4121b101ee74634332123d

memory/32-6-0x0000000000400000-0x0000000000478000-memory.dmp

memory/32-7-0x0000000000640000-0x0000000000641000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 988f25d94e9f210dc9483bb5074fc225
SHA1 df7da4f0e273fe023cc6ed7d36d27c47cc6ba329
SHA256 50f11753b44561ccfed5aaa5bacfa392ca1289b51b1a4d68e0c2a250660a538a
SHA512 1b206ef2d804f3bd104e6bebd42f410a4577de73bbcd7a041ef62b24bde6961d945707094b8589203c09f45011e43587b58f5cce05ca6fe9920ca488786aaf39

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 d951c69a4c8e10b76a859dffbb6cdf53
SHA1 63f6f760f5f2388825c08293a5dfde86b5c686c8
SHA256 ac6f9ecfbbaa50efc65bf5a312d49cfac6c76e46c86a4a406f3e83707ee3873d
SHA512 6303c42f6b724f5ef5c35e9214ca4c9abe0199a912a4f40cd8281d5fc77d305123e867e4eeedb78261a0ec9694ec2c726b328606a2fa1d3edea767e3e75e2989

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 b7375630562dd579a90c2ca6ea03be9a
SHA1 50519b84f1480c45acd4a7678a330300f8c8c874
SHA256 cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
SHA512 b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 06:32

Reported

2024-06-17 06:35

Platform

win7-20240220-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2172-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 58cab97dd444edeb9b74b345bae4913b
SHA1 ffb6d71f4c1a368b2b8b1d7ba0ac7e4845857960
SHA256 f0f5c84912fbd1277d4580ad2986a9309a3cbcc1ae38af8583612cec16bdcaa3
SHA512 6306bbcb50ef693cd139725d21fa94d6998a2bebb111b7701c4937b5a3f048314f9de243537d21ec840589eeb2dc85517c7a3a6c1b4121b101ee74634332123d

memory/2172-4-0x0000000001E50000-0x0000000001EC8000-memory.dmp

memory/1592-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1592-13-0x0000000000220000-0x0000000000221000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

MD5 9efc5e15dda68d9f8ba65a07ffe7f981
SHA1 b6a5e2a6b4eef575a7a1101ab08ba29d12ac9f34
SHA256 e9fed9482158bd62c7172bda2afd89d56aa82f00f1d120726bf53f5c043a93a8
SHA512 9f059bd422978686c4c3426f25b5c284ade118a9a5650d4323f933d3893ad0463a82d00ddfc216a179cff1c2cde41fa80f4c34bdf5d7af50a9d5440a69e0f853

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 b7375630562dd579a90c2ca6ea03be9a
SHA1 50519b84f1480c45acd4a7678a330300f8c8c874
SHA256 cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
SHA512 b0bece7b89e5912382140dd811385d3d63f8d7bace722918328eead5ef93b00719e543a798785b05808cd1d5463f4d1c353523493f021107babcaef9d0f872a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f579091a6a455ef9e024022a4a856973
SHA1 ad569552b4a0beb9a1f007cd744b7cffa32f45c4
SHA256 b0835d1cfc7365baa9126184d9a8d9dd4c42d21607bbbb97a1bebc988f341648
SHA512 545391aa343dda28c04b3e732fe3656c80ebe6c2f534d64a5084a4e7aaf5e44e5ea191c70237c7a85f65bebdafbcba7c9ca6908ccc35c565d208d15d8d2df676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 36658043f87dbb8dca3660f4cd919c5d
SHA1 c19f2f55c41a09360736fe9c64583d4eef295790
SHA256 5051ed62cdd9debf54f4e36dcf3ba483e7322322fa8735aeddcd348487188f96
SHA512 2e657f4325f24606310b42fac49fcfe58fe45d76eab8572e61a146c799cc534e6cfe667c349b6a680814c051c3081ba3adc8bb630e635b8b1afcd364bff9f876

memory/2172-231-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2172-236-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2172-241-0x0000000001E50000-0x0000000001EC8000-memory.dmp

memory/1592-242-0x0000000000400000-0x0000000000478000-memory.dmp