Overview

overview

10

Static

static

7

ee672d1898...18.exe

windows7-x64

10

ee672d1898...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe

  • Size

    895KB

  • MD5

    ee672d18981e368f5e7e168864f92f15

  • SHA1

    bbd137e7f8d90992fbe3098ad3680058371334b6

  • SHA256

    226dccb2b48a26f5e1059e1c6da369986991f1532f625d5de7759a09b9d6fd3c

  • SHA512

    88be053e64078e61098892ba1de0815bb0b3cca1a7207bdd8f8c998504aa0a69093d55e37e671939dc7df76f27951304f4f94970b9beb3b0efbd4878130d2089

  • SSDEEP

    24576:ZMMpXS0hN0V0HoSMMMpXS0hN0V0HoSTSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFe:Kwi0L0qlFwi0L0qlGx

Score
10/10
aspackv2discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe
    Filesize

    867KB

    MD5

    d61768d7249536fec498204c87583c7f

    SHA1

    5e6715a57ff7fcd45de19169ec53c728af5f2af9

    SHA256

    b86429c87ffce2dda477ea0f62daf4594fdf7cf0e3da980a281caff46e4ba185

    SHA512

    fa86bee1503cc0567d1dc0f35abafeb864f9e5503d3ee7a5f466cb791f667113adef779ddc69e97590cba0429e78c38b03d8cbcce9fd7df9ba9dfb069076adf0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    d8732d32132b48b06dbf1f0e4c661973

    SHA1

    316597467ac05408b9ec3f280b2895c0d17d8727

    SHA256

    97a029c5fb947d72c1dcd4678f456a772956a2471608ffdda26595e5510131b3

    SHA512

    c96984bf80d858b39cb44a52d7a1acddf5b61fe99338365b6c6c86553822eae8b1205ad29cec9b540079d477c19149fff8b4601771d85342ea69c0ad23329116

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    866KB

    MD5

    c378c77f977bf63d6a1b6d6ea8247bd3

    SHA1

    73053ce4027e3f530979e4f23f82e547520bd442

    SHA256

    610250bec271b8072d9f6b6a1373f413022dcb5b687336d73f5f3559b4d1139d

    SHA512

    92da359260afe58a6455c50428e30248f9a6c2ed81c1d385898bb65a5f010fba1035e69d454a77106b741856f6f2bc40590b7686b324ae8ec6c80b446ddf6362

    Download Submit

  • memory/2080-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-240-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-248-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-230-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-236-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-243-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-246-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-233-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-251-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-255-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-258-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-261-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-264-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-267-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2856-269-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download