Overview

overview

10

Static

static

3

ced9855d63...18.exe

windows7-x64

10

ced9855d63...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 06:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ced9855d63c8221536824a48aed82f48_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    ced9855d63c8221536824a48aed82f48

  • SHA1

    c69c29cda1a6607e43ea3849c7a47f9eb3c9ba81

  • SHA256

    93f388bc6763f46f0e5f7c15039c2e5f582ab80ebca8fcfe46229366fe0e78bc

  • SHA512

    1619afcbabe613bb422894d9a5cdb4e0f45e7336a5e0c39929e857216bae85cda09484c2a5dbfe2b45e974e76aeae448b65a936f3da16c2a879a762065369ec2

  • SSDEEP

    24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvt:oEs1h3

Score
10/10
discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ced9855d63c8221536824a48aed82f48_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ced9855d63c8221536824a48aed82f48_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2428

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.exe
          Filesize

          1.4MB

          MD5

          f403fe5915085dc572bc6e1ea503e0b2

          SHA1

          4f9b2040d4e0ee29dcccafdb30a08595ebf7b1c3

          SHA256

          cf552a057ff930389656b75eee9254980f209e4d1fdb90da96b19f05f1451aba

          SHA512

          3834e5cb3d343dbf10584e5c89d232f175135d0e17b3be57b58ebaef4f84b1de14716bd888511a64f9f5673dc862394ff48c25e7056c4583a8e09016a619b157

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          a401d9991a82fe482b799b3440deda06

          SHA1

          47797ed4259b9d164f36a8986f6c9732bf008e4b

          SHA256

          040f033d747e8fa0a818728c3dadefe2b4c373b4d8b20de5eb0e7d7cf113ac80

          SHA512

          02be3560abdd5ac8834cb030910d86e90cf952a399f48eed5fb3709c3c4ea55624b2109a28999fcb763a0763ef13d478ac305daec20d4b28d89d3c940beab2a4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          954B

          MD5

          4667767656d23f86506e49610a3f5f9d

          SHA1

          b7e6e0bec06e4793634c9b519582d31d9f0c5643

          SHA256

          d8c56662e7638b3369c8db0ce69ea3a33c8f3e6f2afe6a1a5e8d9ed72595e9e3

          SHA512

          1598b49df5a25003db003215f3b3d2b2309132784b2e7ee5675ae229d6f511789bc98eea78e964778e073cdbf8567abdb6ec71b94c5bc32f3a1964c09b42f1c4

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • F:\AutoRun.exe
          Filesize

          1.4MB

          MD5

          ced9855d63c8221536824a48aed82f48

          SHA1

          c69c29cda1a6607e43ea3849c7a47f9eb3c9ba81

          SHA256

          93f388bc6763f46f0e5f7c15039c2e5f582ab80ebca8fcfe46229366fe0e78bc

          SHA512

          1619afcbabe613bb422894d9a5cdb4e0f45e7336a5e0c39929e857216bae85cda09484c2a5dbfe2b45e974e76aeae448b65a936f3da16c2a879a762065369ec2

          Download Submit

        • \Windows\SysWOW64\HelpMe.exe
          Filesize

          1.4MB

          MD5

          cb8a8cf4311371f7cb39a98dd7935f8a

          SHA1

          d1bf6e16954a6d4754bb43abcc8629af92a6253c

          SHA256

          137d0701cd0daa737ec89a84216bfa8a10e8381ff361c2fcec1279e00abe5363

          SHA512

          764b4dc7305e8807c21158d8f665a808ff6b93fd82f41e62b89f28faa2df90684df030ee1c0c6c76d309c46f1f8d8201485ea4d682d9280e8f90a1bafbedc2ab

          Download Submit

        • memory/1352-267-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-337-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-9-0x0000000000480000-0x00000000004F7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-67-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-218-0x0000000000480000-0x00000000004F7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-365-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-353-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-234-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-343-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-285-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-327-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-245-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-1-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1352-255-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-317-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-0-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-307-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-277-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1352-295-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-246-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-286-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-278-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-296-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-268-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-308-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-256-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-318-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-12-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2428-328-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-235-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-338-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-236-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2428-348-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-11-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-354-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-366-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2428-229-0x0000000000400000-0x0000000000477000-memory.dmp

          Filesize

          476KB

          Download