Overview

overview

10

Static

static

7

c83ff2cf74...18.exe

windows7-x64

10

c83ff2cf74...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c83ff2cf7429c5d2db5ffc3b6c726513_JaffaCakes118.exe

  • Size

    818KB

  • MD5

    c83ff2cf7429c5d2db5ffc3b6c726513

  • SHA1

    32ff2329f2008b19c412d3ff1713d6e21d214089

  • SHA256

    34f3b58d67b44aade2d2cf60f95bfd99bf63e4ef182422d146caaf5bc0d7df54

  • SHA512

    9084757a71f3fb4860c3f54d705bbb041f1264758707aee155543f333d968f1069845287137b4b413b7195edae9496f43bce4fb5db1e8afe1425687b5f78d951

  • SSDEEP

    24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NW:Kwi0L0qkP

Score
10/10
aspackv2discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c83ff2cf7429c5d2db5ffc3b6c726513_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c83ff2cf7429c5d2db5ffc3b6c726513_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.exe
    Filesize

    819KB

    MD5

    fd639b283104fa9ff8bab75335d16b37

    SHA1

    c5889a1d26bb16346f5a9ca87ce6d1b4dfa72b92

    SHA256

    74561975cc4e703d6e092a6c4547c9378fc82f1861dd9652f57765a147539021

    SHA512

    53d08d377959d47fbe236b51bc991635360d3bf843d8ae214f06ea7f71074e4be6414736ad9659a0022ae76e56622fb8dafb05a74211f3f9729e5fd022e84a4d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    4ffae8099a48b39cf951d5e278c3be99

    SHA1

    565f8ee631a411151a38a8c0ebb5eca0a93a4912

    SHA256

    f35a33878d434cf675f452120809f160a7c3741bf0863c237c937e59f0d9d02d

    SHA512

    9f74ab9c9623978a798bb38666de093800db8a0418cb1c517eba2aa6a423fc8c7a6c2405f60f6a05688667cef9eca90a184f6a193bafb330abf1c7350c70b3a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    64dba21c99a1eb99ec8dbc603cbb8fca

    SHA1

    97dff90aeb3e3542720269503597aeb942eec7f6

    SHA256

    2055cdb4b739b1c66c7d8695c3df7048ad7fab2ee92f6c0fee877e2e324307a0

    SHA512

    a341b9e3b1a9a502338b85718acc44d8975f1b67079b88b14be5dc4c34d0bad2a8b9704903fa8d3d6aeedb618db1cfc0d118833c19b19c033ba58d57f2369ed0

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    818KB

    MD5

    c83ff2cf7429c5d2db5ffc3b6c726513

    SHA1

    32ff2329f2008b19c412d3ff1713d6e21d214089

    SHA256

    34f3b58d67b44aade2d2cf60f95bfd99bf63e4ef182422d146caaf5bc0d7df54

    SHA512

    9084757a71f3fb4860c3f54d705bbb041f1264758707aee155543f333d968f1069845287137b4b413b7195edae9496f43bce4fb5db1e8afe1425687b5f78d951

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    758KB

    MD5

    d2febb0390ad878b8dc51203ccb4ab22

    SHA1

    cd9a33afab8ff3301cba08719f07e45367482e5c

    SHA256

    33b54e1d22649cade49744e15bca9f56b1afd088764eb224e10f330560a443fc

    SHA512

    ed83cd0816ce8660709254f61b9f05b4de25816d1d92c6e9d27dbade3b85b7d5801116fa745de8907af31145c8b608e3abdcac876c976fe1c393cb05f7ace55b

    Download Submit

  • memory/2176-230-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-241-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-353-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-291-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-231-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-343-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-359-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-333-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-251-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-263-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-323-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-313-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-273-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-303-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2176-283-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-262-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-290-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-302-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-278-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-312-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-272-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-322-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-332-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-250-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-342-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-240-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-348-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-229-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-358-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3068-224-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download