7fe0c29468bc2390d320ae6d7af0e3727a5323e6b2e8d0b4f434a752388b23e2

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
Size

2.8MB
MD5

82218c42c0b0c726bc52fe1d36901cc9
SHA1

dad33cc4e84c48ded034cc1bc58240c4ea46a115
SHA256

7fe0c29468bc2390d320ae6d7af0e3727a5323e6b2e8d0b4f434a752388b23e2
SHA512

94479bf2f9460188109c4803abe47d89a369fabad40def9ad102dfb5fa36c9cdac1a6bdc3a98477e54076604783526b0330c1e8f0e92a5ba4d2f898ee6d0d240
SSDEEP

49152:DEs1ywi0L0qUB8NIMI8SfpwotkzaxcJ4kfxuO:DE2di0PIMzKpXOMg

Score

10^/10

discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\E:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\P:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\S:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\W:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\H:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\J:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\K:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\N:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\U:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\V:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\R:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\Y:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\B:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\X:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\I:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\M:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\O:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\Q:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\T:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\Z:	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1788	784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe	31
PID 784 wrote to memory of 1788	784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe	31
PID 784 wrote to memory of 1788	784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe	31
PID 784 wrote to memory of 1788	784	82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82218c42c0b0c726bc52fe1d36901cc9_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe

Filesize
2.8MB

MD5
cacd77de4c249fa3717144d7c769c350

SHA1
1ba8ee971befaa97b4a31e750068af3226dee0c3

SHA256
1e6c27774fb20c9ddc546de63ba6e86cdf0e3e06287682207e4a6825b0910e82

SHA512
a994b92f5eed1bafbe7ee507d6f85a29e5b8672e8596cc52218f955967faf0ba51affbb4731fde028eb9acdf486c45e873cb2572e23fbe21ce384a13e190e52c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d86deb22ca1b33a7648bfbf652eb0df1

SHA1
66a66b20a80266e03bf97478abf458ce2cc16319

SHA256
79d7202f9a94d7dec7599a62fec8f3e2493be9e602887d15172f474c5b527aa8

SHA512
49ff5145eb7c53c1b698e5799423b992167391c48425c31d444343f4fe7ff86fac8a7398cefa63f28e7604618e3f442c57aaed669ad8ae468b33e8ab3570dad9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f5a7afe1bb11770d9bd30df944887db8

SHA1
bf151fb346627433cdcdc120f1c8c8b882ebdafd

SHA256
f05a4d18b11e18432b8e0023d923faa433d83a07c3da55d54c02d650e63c0ab9

SHA512
8de716384c49c0b91e8c5ccf5978f573394a49609d15627466d7767edea5d3e21b5a6ea57104cb471618aa746e8dfec414df8f61f990da5c062ed078bae7b845

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.8MB

MD5
82218c42c0b0c726bc52fe1d36901cc9

SHA1
dad33cc4e84c48ded034cc1bc58240c4ea46a115

SHA256
7fe0c29468bc2390d320ae6d7af0e3727a5323e6b2e8d0b4f434a752388b23e2

SHA512
94479bf2f9460188109c4803abe47d89a369fabad40def9ad102dfb5fa36c9cdac1a6bdc3a98477e54076604783526b0330c1e8f0e92a5ba4d2f898ee6d0d240

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
366a895382dfa1e19b9ae372e4f6866d

SHA1
c167f7de958f7ef00cfd7ff1ddbd71d73fee6c88

SHA256
8a533f8638ff5323555ad459b207049001797ca84e71db5c23512ccebde09e14

SHA512
38415c6ae96586ea6f675d2db579f38ec1aa55dc1419a7f1cef0951ae62943e3eedd796fd31ed986e2324ebafbee59f53412977f3e4bd5c825e9dafaf78238fd

Download Submit
memory/784-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads