c846b97d12981e19e8d967324bf81de6fda976e126c1f713041c46cfde2b6012

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
Size

1.1MB
MD5

ea7416daa25afd4c7f8657e9b47bd370
SHA1

86f7d052dc24d8958d0322e34804f918fed834ee
SHA256

c846b97d12981e19e8d967324bf81de6fda976e126c1f713041c46cfde2b6012
SHA512

8d5d817c05ddcf430f05dc2d962f3084130fee90e57fe14faeec79d9c90f6f298d20d758f14d942f4246f48689a8db473d04a1f7fd8b85aae6cedc65490fe249
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvZ:oEs1hv

Score

10^/10

discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\P:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\X:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\H:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\J:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\L:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\M:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\K:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\R:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\U:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\T:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\V:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\G:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\S:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\E:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\O:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\W:	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2432	1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe	28
PID 1852 wrote to memory of 2432	1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe	28
PID 1852 wrote to memory of 2432	1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe	28
PID 1852 wrote to memory of 2432	1852	ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea7416daa25afd4c7f8657e9b47bd370_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe

Filesize
1.1MB

MD5
be70be46e127f78b97bfb70786f7bb7b

SHA1
acaaab6035072d85013c03911c30a3034bd4840c

SHA256
86555b6028212be37b8e328c2660e296f4ad2a8a0c0bb5a7eb77eaa4b097f0d0

SHA512
1e4d32fe34fe95cf2e4304545078afd2a42fc7356701faf653b6990e61e1d9cc99e7408dd0d22ba1bfb2c8fb75952c65900558e73b911d2d2e3139c64ba64e29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2d36335e0b6768c9ff842f4831940daa

SHA1
efeecc5ab5205dd4e92ce2576da442e1de047609

SHA256
614b114751ecc15e57d74bb411f1b20426e7b095e7d37c4ee2e02cc74f46557a

SHA512
9acc1a4cdab3aa25f391877a2a0b91f0a3257e9f3767ff0a140c958fe856d88e8193c443f44c95c2ff2b186ca2654c2278ff0ca5c9ccfe26d8e5a4004a3b0cef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
2a02e29364afa449b1c82680335e852c

SHA1
8c4c07943184152b22d2bdbacd84a162bd39edf7

SHA256
a572f767f865f6af141f46e53fe021e57ca7d9d119173a8e841ad8f5d4c4a823

SHA512
27a53fd1b53405d230a8e5e9d67f26c99abf15d139d19b385a0ea59ce84671848d81d17edb4cd43b17f98f22d73a9462cf2f4807c497fc457f4f5cee729fa59d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
957KB

MD5
129dfca94187120f825c592892e52f6c

SHA1
8dff7e86e0d128c2339f7dbdedab8f5609e34dab

SHA256
78f41d1ba212c04adfcf990c352036dc5f46a27779236b85d85c54b4398d6ce5

SHA512
b5db05cde57313476eaa21bd7876120db643d5866ab7c83d9b1c19a416c77e27451da318960a533a7874ac18128323e8b22bd8cb31d5be0de1c10319f32c0d82

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
ea7416daa25afd4c7f8657e9b47bd370

SHA1
86f7d052dc24d8958d0322e34804f918fed834ee

SHA256
c846b97d12981e19e8d967324bf81de6fda976e126c1f713041c46cfde2b6012

SHA512
8d5d817c05ddcf430f05dc2d962f3084130fee90e57fe14faeec79d9c90f6f298d20d758f14d942f4246f48689a8db473d04a1f7fd8b85aae6cedc65490fe249

Download Submit
memory/1852-315-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-325-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-361-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-155-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-351-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-345-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-233-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-243-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-10-0x0000000000310000-0x0000000000387000-memory.dmp

Filesize
476KB

Download
memory/1852-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-265-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1852-275-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-326-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-234-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-294-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-316-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-336-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-346-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-12-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-228-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-356-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2432-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2432-362-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads