Overview

overview

10

Static

static

3

ee98af6625...18.exe

windows7-x64

10

ee98af6625...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee98af6625db71981750d105c4950849_JaffaCakes118.exe

  • Size

    991KB

  • MD5

    ee98af6625db71981750d105c4950849

  • SHA1

    a5a8d37ca219a08020c42c13b3fd0c615904e2e1

  • SHA256

    ec4cd1b7ee4220b41cc739fdeafe4abef736b63942de482c2dac35bd5de7864d

  • SHA512

    371e94baed164e451140c9c4f5c8774f85e387a1975c1fbfab509e126c74daa7b286e82a9da5d04ada78e8a148dac24c1d3b8b2f7db58caeed18f941fecb0de2

  • SSDEEP

    24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJv7:oEs1h5

Score
10/10
discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee98af6625db71981750d105c4950849_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee98af6625db71981750d105c4950849_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:488
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe
    Filesize

    992KB

    MD5

    92ca76dead9e0aae53b0cec169a244c1

    SHA1

    aedfcc823b1d71cf363b0140f542526cb9ec809b

    SHA256

    82f20cb641b5e742037053ffce2448be9e2e53f05a658b094cecdbf83b6a79f9

    SHA512

    016a4c44d0d3c2e287b8dadb0ffaf34311a9ef6f01caeca5d7bd2952b8cacdb32d8fe1c1e5f711222e3fd519aa509244130361e4dee5213f080556b70439e252

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    344bf28bdbfc39c6aa0cff28932e024a

    SHA1

    7c95267a750014a71a55cf0deb957cde7e0c5cf0

    SHA256

    d3d0b64dda42b015fa1886919f6c5c643a6e87c7d9841a9fcd93efcfb33c798c

    SHA512

    3032ebcd272a9176c3eba1f38ba7c6593a9176ccc758915d7fbb3020921c822a670dc7d2cc1ee6a04aaecc85332743f6cc70c6bc256ff444b4e4627a260f0d41

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    c911f4258414af1be59fdcde0badefe2

    SHA1

    9e66792ce1fef42df881968df5baf94acce9b341

    SHA256

    4f4ddef4752d6b45c419e8860a2c0b38bb599e19a7b51c55cd1ecff6eec32d2d

    SHA512

    4d387d20166adf8e3308c98664736a3455893c59e38d06e2268ba0f41aefed7941e3e4e1e433a916f0f6f19ce9eae408663d337298d350d61e03d6ea69ca1888

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    991KB

    MD5

    ee98af6625db71981750d105c4950849

    SHA1

    a5a8d37ca219a08020c42c13b3fd0c615904e2e1

    SHA256

    ec4cd1b7ee4220b41cc739fdeafe4abef736b63942de482c2dac35bd5de7864d

    SHA512

    371e94baed164e451140c9c4f5c8774f85e387a1975c1fbfab509e126c74daa7b286e82a9da5d04ada78e8a148dac24c1d3b8b2f7db58caeed18f941fecb0de2

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    799KB

    MD5

    e2de31549040b35262c3b68df86844fa

    SHA1

    1ea286ea4667f8e73d8283018bf472becb72f670

    SHA256

    d0b41076dafa32efc3ee6cd8030ab08370560530ca42626ac1fe6041455e8600

    SHA512

    ae4ac099aac995ca38f910aa89789060e516f18187bbf8bd586c7e18df9c0c06c0f9bb92a24728adc3bce5b61ffb592dda7ba26ecacdf013d7cc43708459e1d9

    Download Submit

  • memory/488-331-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-243-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-365-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-57-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-74-0x0000000000480000-0x00000000004F7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-343-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-295-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-97-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-355-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-10-0x0000000000480000-0x00000000004F7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-325-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-0-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-253-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/488-261-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-315-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-273-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-305-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/488-285-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-254-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-286-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-296-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-274-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-306-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-266-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-316-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-244-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-326-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-98-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-332-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-75-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-344-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2588-356-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-11-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2588-366-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download