5872da3bb1e9a1f998a3c956c43e8ae63e1c5e986dc83487391b3618f4966464

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
Size

10.5MB
MD5

b07c67f412a581def4d61056832369a0
SHA1

342d67877ecc074a3bbfc22fa01993d6b9360e5c
SHA256

5872da3bb1e9a1f998a3c956c43e8ae63e1c5e986dc83487391b3618f4966464
SHA512

5b4c0ae5ab45da4dac1776716ec9556890af9133d82bf261ec79ba47657584dae7cd559341b20aac4b9e91f81a82e65352ac2bb9ddd7c5f657b1cda21f6746f7
SSDEEP

98304:xE2yQM+M6RkMkIM7ShMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMM0:xnnhI2lymI2lyJ

Score

10^/10

discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\U:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\L:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\S:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\G:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\X:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\A:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\H:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\B:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Y:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\W:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\I:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\P:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\R:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\M:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened (read-only)	\??\N:	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2836	2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2836	2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2836	2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2836	2056	b07c67f412a581def4d61056832369a0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b07c67f412a581def4d61056832369a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b07c67f412a581def4d61056832369a0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.exe

Filesize
10.5MB

MD5
3a9487a31ee23a35c1a50330fe0b616e

SHA1
de96467daa59379c36340ff0c8eecf09acbaa5d0

SHA256
141958236d1a4046fe3e9663c4a900cf40e49a9cd8d93671628efe9bce9c0f82

SHA512
8cd8fe68cec05a8a9f046cb62bb54b5d1ed000ea62f69b2bb6b692633a8b9346fbe243a8b8ca61081578bfeca72d7b2166c763b4885db7cdeccf1dcfa89e1af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
d685513528e0cdbd614135f4b6c3bd36

SHA1
326e272f395cc2c98905c51f5c088775c3ca8d17

SHA256
dcd684e10ebe95c096ae202bcdce3c0192afea2f9472574340e6fc76d5865648

SHA512
747c0b078707bf004b3cf58b23ad1c402f8cde665df6d3bdc563466b496f45bdfa5a5386f8a159126afb0a34f124a69e7de87ea15ddf364b2b252497f7fea80b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eb6e5b358c124aab52ab232882601134

SHA1
e1352dba17cc5d84e93c97fa20f3f0a554b1a024

SHA256
a25c21f95982ce3353542f2b4e2dcf5d58e70747f0c52b656355e97a30eab360

SHA512
a17058dee877bdb9c14623f0c3d3109a9d5dae5e37443b503ee7dec2b00c9cd443dd45860fbe2a2575fd57de4838458792a1ccdf69903a8f3f1ea2e34e25695e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
10.5MB

MD5
b07c67f412a581def4d61056832369a0

SHA1
342d67877ecc074a3bbfc22fa01993d6b9360e5c

SHA256
5872da3bb1e9a1f998a3c956c43e8ae63e1c5e986dc83487391b3618f4966464

SHA512
5b4c0ae5ab45da4dac1776716ec9556890af9133d82bf261ec79ba47657584dae7cd559341b20aac4b9e91f81a82e65352ac2bb9ddd7c5f657b1cda21f6746f7

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.6MB

MD5
48c5e32fa9fecda69ab222cc886d922c

SHA1
8a6e8ed5cf5f830a571a6c6e07eaeaa520166df4

SHA256
c31be7af3eb0d24c85ff9797d91026b7e17d3b17c3e3692bb958649afa3039d6

SHA512
c99b834aafcc33e2aba0c4a50b0688f436ca762c852cdb0fc1cd1e9b7a75d4423f7fb41e8c78b37ea77d0b2f29322fa270d6be6b64cd1953cf710eaaba174d17

Download Submit
memory/2056-94-0x0000000001F00000-0x0000000001F79000-memory.dmp

Filesize
484KB

Download
memory/2056-10-0x0000000001F00000-0x0000000001F79000-memory.dmp

Filesize
484KB

Download
memory/2056-56-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2056-0-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2056-5-0x0000000001F00000-0x0000000001F79000-memory.dmp

Filesize
484KB

Download
memory/2056-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2836-12-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2836-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2836-158-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2836-189-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads