a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Size

7.3MB
MD5

b59ca4732457793b33ccdeb9def9384d
SHA1

040e46799a87935827347ab12587176c2328bff6
SHA256

a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a
SHA512

5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0
SSDEEP

24576:zMMpXS0hN0V0HDIH53npi6IMMpXS0hN0V0HDIH53npi69:gwi0L0qK5XpiWwi0L0qK5Xpis

Score

10^/10

aspackv2 discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000012115-2.dat	aspack_v212_v242
behavioral1/files/0x0008000000015e81-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\O:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\V:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\X:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\I:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\S:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\W:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\G:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\H:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\N:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\Y:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\M:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\U:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\T:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\J:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\L:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\P:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\R:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2620	2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.exe

Filesize
7.3MB

MD5
e0b11765780545f2cf29f7b36d1610ec

SHA1
f671c17c05920e83166aaaff8019343398d8bd0d

SHA256
d17c6917e65cac5cef0e96ba36ec08447383337bcdb9a779fc960bdd4ff5802a

SHA512
98bd1e61777c6c99612c3e73d2d1ace4ace80de4ad5437fddc669c8d3242b71647ffe5fadae1c8428f5a9562950dce143a2bddb175b7311d2b05238164d6d0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
457d44ee4081826ac2a081a49f780c84

SHA1
62d90b96570097eb74ce2cd0783c656647bd66d0

SHA256
813f9152825073675cde739071e98fc70acb859650863ab8a4e4f709ab83afff

SHA512
d08c0ae607df9b841d602ee4ef51bfc5b4629924ef625f2e704c3fcd1e9b4ef8c83fb305a5776f1557a35dcc317cfe2bd3bec0677cb4be7f73ee7402a649c550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ac854b74118173ec102d46c0b0d6c11e

SHA1
c161776de204ef813086d89b2d9870fee853a169

SHA256
3034e08c8560fe2ba4f380e235abcba0f8d5553c0a4be22b241581daba1c455c

SHA512
a9f57c87e0f0a4645f03f43ea194233ada33fb064a03cfd92cc472fe34ccbb2553fb76587b8395c6294cb35681862b655867cce0d7045224a87ee6d602e70387

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.3MB

MD5
b59ca4732457793b33ccdeb9def9384d

SHA1
040e46799a87935827347ab12587176c2328bff6

SHA256
a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

SHA512
5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.0MB

MD5
110370870c145397469e856dc5f3a723

SHA1
c02ccff7eae9615fd8a50683670c361799e315e2

SHA256
b8a47c7a0ea0e67c89d254dcfc40779ef23e731c7b0bfaacd8e1f36cf024fe10

SHA512
52ea460f219eb63636589fbcdea1e864cf7a5bfe275258b52a30d45fd97fab8c810417ed5c3f3f7fc0d8cab3b85301ab7297416f4e81695e590a75751ccda7cc

Download Submit
memory/2604-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2620-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads