Resubmissions

04-10-2024 05:24

241004-f356ba1apg 10

03-10-2024 15:52

241003-ta4cxatckm 10

Analysis

  • max time kernel
    146s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 15:52

General

  • Target

    0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe

  • Size

    8.8MB

  • MD5

    0f77d1cbcd4f7a463f9d534faaecfde7

  • SHA1

    b93cd34dafaa156aa8da2de6ae2ebadfa417117d

  • SHA256

    efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6

  • SHA512

    13f722c56f67f99f7d3f79f21b87ae80fffbba371758fe9b35db324ef12491b7bb2fd12c06193b91a4ba5c762b089186b5ef1387292acf1f0671d29f31e17668

  • SSDEEP

    98304:iE20IMzKpXOMGQxIMzKpXOMGQwTpKXl50:in0I2lyxI2lywTSe

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware-style activity (mass encryption of the files on the system). Caveat from this report's own data: the renamed file recovered under Downloads, desktop.ini.exe, is 8.8MB, the same size as the sample, so the renaming is equally consistent with a worm overwriting files with copies of itself rather than encrypting them. Check the contents of the renamed files before classifying the sample as ransomware.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious use of WriteProcessMemory 4 IoCs
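The signatures above describe what a responder would hunt for on other hosts and on removable media: the dropped files by hash, files that acquired an appended .exe, an autorun.inf that launches an executable from the drive root, and extra entries in the WinLogon Shell/Userinit values. The Python below is an added example for this report, not code from the sandbox or from the sample. The SHA256 set is copied from the Downloads section of this report; the autorun.inf body, the file contents in the demo, and the Windows 7 default Shell/Userinit baseline are constructed assumptions, and the report does not state which WinLogon value the sample actually changed.

```python
"""Hunt for the artefacts reported in this sandbox run: dropped files by
hash, files renamed with an appended .exe, autorun.inf launchers, and
unexpected entries in the WinLogon Shell/Userinit values."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the Downloads section of the report.
REPORT_SHA256 = {
    "efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6",  # sample / F:\AutoRun.exe
    "e513246918f727d62b288ada0dabcced6fe72e4675537ca7906f253dccab7b4e",  # SysWOW64\HelpMe.exe
    "b76a520d8663b527d4317165e23151398414055a8c1511b9b33d6c5d5abf4bb7",  # $Recycle.Bin\...\desktop.ini.exe
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae",  # F:\AUTORUN.INF
    "94e70d47d6bfac03819ceef81aef293d31da8283fc554e94af0d014ea3b75136",  # Startup\Soft.lnk
    "a5ef7f61754141fca5c683bf80ebf155b0064fb0209512e0142c6ff2baab371d",  # Startup\Soft.lnk (second write)
}

# Assumed clean-install defaults for Windows 7 (baseline, not from the report).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_double_extension(name):
    """Heuristic: desktop.ini.exe is flagged (an .exe appended to a file that
    already had an extension); a plain HelpMe.exe is not."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "exe" and parts[1] not in ("", "exe")


def parse_autorun_inf(text):
    """Return the launch-relevant keys of the [autorun] section as a dict."""
    launch, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute", "shell\\open\\command", "icon", "action"):
                launch[key] = value.strip()
    return launch


def winlogon_extra_entries(shell, userinit):
    """Anything beyond the default Shell/Userinit entries is a persistence candidate."""
    def entries(value):
        return [e.strip() for e in value.split(",") if e.strip()]
    default_userinit = DEFAULT_USERINIT.rstrip(",").lower()
    extra = [e for e in entries(shell) if e.lower() != DEFAULT_SHELL]
    extra += [e for e in entries(userinit) if e.lower() != default_userinit]
    return extra


def scan(root, known_hashes=REPORT_SHA256):
    """Walk a tree (a mounted drive image, a removable volume) and report findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if is_double_extension(p.name):
            findings.append(("double-extension", str(p)))
        if p.name.lower() == "autorun.inf":
            keys = parse_autorun_inf(p.read_text(errors="replace"))
            target = keys.get("open") or keys.get("shellexecute")
            if target:
                findings.append(("autorun-launcher", target))
        if sha256_file(p) in known_hashes:
            findings.append(("hash-match", str(p)))
    return findings


# Constructed demo data: this autorun.inf text is not the 145-byte file from the report.
DEMO_AUTORUN = "[autorun]\nopen=AutoRun.exe\nshell\\open\\Command=AutoRun.exe\nicon=AutoRun.exe\n"


def demo():
    """Build a constructed 'infected volume' and scan it; returns sorted findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        payload = b"MZ constructed stand-in for the 8.8MB dropped binary"
        (root / "AutoRun.exe").write_bytes(payload)
        (root / "AUTORUN.INF").write_text(DEMO_AUTORUN)
        (root / "Documents").mkdir()
        (root / "Documents" / "desktop.ini.exe").write_bytes(payload)
        (root / "Documents" / "notes.txt").write_text("benign")
        # The constructed payload's hash stands in for a real dropped-file hash.
        iocs = REPORT_SHA256 | {hashlib.sha256(payload).hexdigest()}
        return sorted(scan(root, iocs))


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Point scan() at a mounted copy of a suspect volume rather than the live system drive, and feed winlogon_extra_entries() the Shell and Userinit strings exported from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the report only says these values were modified, so the check flags any non-default entry rather than a specific path.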

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe

    Filesize

    8.8MB

    MD5

    9875722ef39fb7b3c9ec3cc681135cd1

    SHA1

    14aff15eae5a393827a47faa4a34f038d6ebb21d

    SHA256

    b76a520d8663b527d4317165e23151398414055a8c1511b9b33d6c5d5abf4bb7

    SHA512

    149fa9f6543a760e62b79f42b3ec70b6c40f7a791725bd82ad34ccf798a439bb3dab2308e8a78ebe0d9778be30e38b3fc12682a8980edd021431e49452040fce

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    33a0d33744815f98b793fb4f57c702ac

    SHA1

    74b7cd331eed34dad6b098b3ec19e7f915dc0c89

    SHA256

    94e70d47d6bfac03819ceef81aef293d31da8283fc554e94af0d014ea3b75136

    SHA512

    b17facd285f0ad47fa9b423fea075f4c6eaa1eb774ad3f2bd41a45d55b02fd8a8d5c1ee3e849c8cbcaa924570eaa64637b3a1cad5dc5ea8b9b2f865ef37b6b2a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    2379484d6a1abd119071a5e45a0975cb

    SHA1

    60b087e930bcb0d4314411003c524970431969eb

    SHA256

    a5ef7f61754141fca5c683bf80ebf155b0064fb0209512e0142c6ff2baab371d

    SHA512

    28cf01dc1ca7b56891fab9567a989972e91204b0fce57246316e486601ad434548b05031216874ceba357cf3af10ed9b836eab2217ba57859383f859b278a9f0

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    8.8MB

    MD5

    0f77d1cbcd4f7a463f9d534faaecfde7

    SHA1

    b93cd34dafaa156aa8da2de6ae2ebadfa417117d

    SHA256

    efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6

    SHA512

    13f722c56f67f99f7d3f79f21b87ae80fffbba371758fe9b35db324ef12491b7bb2fd12c06193b91a4ba5c762b089186b5ef1387292acf1f0671d29f31e17668

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    8.8MB

    MD5

    7c8d02e2c5184c43c8f915104bb0a244

    SHA1

    1eb7d73d6e9e26e8a11899616da2f801642991d6

    SHA256

    e513246918f727d62b288ada0dabcced6fe72e4675537ca7906f253dccab7b4e

    SHA512

    ba328ab6d855a2237cb38ca7f101d8a101b29a3d55552edc08208378baf1ec3495e24e8acfa67af3497f0dab6b4baf4bc58fda2bf468c273bf4c80631ea3b828

  • memory/2700-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/2700-70-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/2752-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2752-75-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB