Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    11/07/2024, 23:45

General

  • Target

    3b31ef3f1883060891da317010b06b94_JaffaCakes118.exe

  • Size

    305KB

  • MD5

    3b31ef3f1883060891da317010b06b94

  • SHA1

    87aebc786f176421b87873780ac36b106085a6c3

  • SHA256

    51007ea697ffff05e8d9651634b0e37331b276bd176d117c260f54a10659abbe

  • SHA512

    232c9a57a81a3f8194f206229e4267cd08217798fb7251675db29f62391d50bdbe4bc886c77bbaababb990aae0b5066daf216ed6f0c8c1aa9bf84bb9e08a6347

  • SSDEEP

    6144:niMmXRH6pXfSb0ceR/VFAHh1kgcs0HW4ky+4ufk4vbAfxu/F/Q:dMMpXKb0hNGh1kG0HWo+E4vbAfxu/FY

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b31ef3f1883060891da317010b06b94_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b31ef3f1883060891da317010b06b94_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.exe

    Filesize

    305KB

    MD5

    7b45139150fcd1ac9771bd720ab0ffa3

    SHA1

    d18002047f0cc8a5bcc48331b0866231589b1a67

    SHA256

    f405da6502024ca563d7e7f588379636e9547cc29abf7e5be5715245064bcbe0

    SHA512

    6443b14f92f8766f00ec39ccb79e8170e75879a59a8925f4ed5c41f2750bf5f80789f0e0091b4bef30da3171bc81530bebbf9f7f7aff93d85e72c43b4d01af7c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    c04a0d6b01bb91996c36aea262f73fdb

    SHA1

    f2a2369aee177f0e43aaeaa6d3c85a144e271f81

    SHA256

    46cec0cfe2552c5dc3e97d0c158412c6e78f99d46b8c2bf9335a535e293d6b0f

    SHA512

    2464cc125d42e4fe915aef235361652067ea70cdfde2a9a293c76009038d3489bb40b5528d05b6f10e1deb547fd37854d48fc6ab577713f71c835201133e637f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    c4c55fe878299462c2babb605f20b284

    SHA1

    ddbd9770db8451da6d2cdac49b5fb1761099e09e

    SHA256

    1d9435bddc372e5da51a8cb602782ad10b8f80fbd8eb515dc9dcc2e88ad0864a

    SHA512

    5b5c4fc83e8db14c5372a0dda0ef80323a8a2d026acdff8997c94fa396895636f88bf5e00bfb2c3b8f93bfdd7a7e305f31e62ba6af2b4c6c8788d6579c221330

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    305KB

    MD5

    3b31ef3f1883060891da317010b06b94

    SHA1

    87aebc786f176421b87873780ac36b106085a6c3

    SHA256

    51007ea697ffff05e8d9651634b0e37331b276bd176d117c260f54a10659abbe

    SHA512

    232c9a57a81a3f8194f206229e4267cd08217798fb7251675db29f62391d50bdbe4bc886c77bbaababb990aae0b5066daf216ed6f0c8c1aa9bf84bb9e08a6347

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    304KB

    MD5

    1708f7b2826d63b2efc009da17801173

    SHA1

    587b4433d2498b1ce873e17361bf512c3da0eb6d

    SHA256

    035df3f8756b80fce57cf4263c6a92ba9935ec00f2eeac00983a88ff0e52b231

    SHA512

    0911b18c1f10ae216545cf2e4e57e600818e392d6607916d8ac85f110fdce0fa194c22dad067602ad98a952919b7bd78e9c40686827494cb2856c3d132578ed7

  • memory/2380-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2544-10-0x0000000000300000-0x0000000000301000-memory.dmp

    Filesize

    4KB