efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6

Resubmissions

04/10/2024, 05:24

241004-f356ba1apg 10

03/10/2024, 15:52

241003-ta4cxatckm 10

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
Size

8.8MB
MD5

0f77d1cbcd4f7a463f9d534faaecfde7
SHA1

b93cd34dafaa156aa8da2de6ae2ebadfa417117d
SHA256

efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6
SHA512

13f722c56f67f99f7d3f79f21b87ae80fffbba371758fe9b35db324ef12491b7bb2fd12c06193b91a4ba5c762b089186b5ef1387292acf1f0671d29f31e17668
SSDEEP

98304:iE20IMzKpXOMGQxIMzKpXOMGQwTpKXl50:in0I2lyxI2lywTSe

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3892	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Y:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\H:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\K:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\P:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\T:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\V:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\W:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\X:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\I:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\L:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\M:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\O:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\U:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\R:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\E:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\J:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3892	428	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe	78
PID 428 wrote to memory of 3892	428	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe	78
PID 428 wrote to memory of 3892	428	0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe	78

C:\Users\Admin\AppData\Local\Temp\0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f77d1cbcd4f7a463f9d534faaecfde7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3007475212-2160282277-2943627620-1000\desktop.ini.exe

Filesize
8.8MB

MD5
f581b38da4b0b304ab9f0623e6e0f884

SHA1
5fbd930119394830eaa06cc8785dafdc60dd1de2

SHA256
0e3a80f27964820374bc5d925449310aa6c8d4abe9d55818260045d589c97134

SHA512
ed527b5339d9302e6e6f40dc28340dec959925de4c196bdcf14fc3f96b5fef9c64066ab53c265a51fab39760c92be0a18956b16adc58a53d2c16d93fd009d44b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
267ff6946ba3695b3de265d4dacbd9d8

SHA1
8745c2234641668acddec67957afc0cf3d16c615

SHA256
2cfc31def3490501caae7e1ecbfd936946694a3b396d41b1865a6f8e41f330f3

SHA512
08a5941d6497b301ecabb17693cfc906dfc36b30c19e978a63c19a90a618f5b67f72fd880f379243c05a8086a9e084d28cfbfa8c390239c6141f1c7f6d9229de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8aa94f9f63a79638f577f5fbdca3cf0b

SHA1
15a49fd2c118f0bde58d56effccb7a4b08cc8121

SHA256
a30b4ac49370dc62d53d5cd2fb74b1cc30cfb5ea80534db2c2eb71b492aa8acd

SHA512
bf5ecd4a564361bd26b644c7dd3f5d6638e3b661e7d00af41fab12c708df35f37a4e452e067bc09d52bacc693a0dcc7dfe734d4a94fb03a12a4c9900c278f6c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a30c5979b85c11880854137ff0874157

SHA1
87d1f14143176c4a1d7dcf072b33232b0c582f0e

SHA256
50de400df9a44bb696557e2e674cef189dc630c8fb76491dc87cff4dca029db4

SHA512
d9f04dc0f2bee61abe10d4a286b6aad73f2f95224305896caa78c5b9937d7dca356d95b25e6d60dcbdd88998b80ecb06d4d8a2b1f05fbbd8fbf3a08ae3e77e60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6156a27917e9c66d8f486b311a8330ba

SHA1
1d5ae67b9d635de83bb1065d360123e530fa344f

SHA256
da4165d59fa912435885746a66e0a28eb9161ea8cbaaa7c569ca8a6b8f2d3523

SHA512
f242a8ed230cb7cf82edc44dd5a83fe74572217aed00059946c52ffac293f446a02d2e014fa26a4581c35b3013a9818a1b932c5b6919e646335219d51b871288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3369427cd29446a079b4fc7260d49171

SHA1
5a3c1573fda5510130583795348cbc2e2bf36234

SHA256
adae6e24f08884fc9a9995f7f1faa63fb5b9b30e25526b0779ea9f4536aff74e

SHA512
bc7fd2e2e084fc6c660d120ce9fc34e2185495c0471dfcf961a3c097dc42f06ab2d01f3fbac7e51c35ba685e9197f7d6a20551c5eea135775462821d84ded99e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b801ca214cffd2efd83d3e37be86a313

SHA1
98c7412dd60516f1410a0e2a1fc5884ee52044ab

SHA256
dd2d8cb7ae56eb117e07de8103e9186366bac651972c57788210bf624fbb994b

SHA512
0c18fd8962fc8b111083a912e3c0d1d97f83f9dbb66d163b60e82bd30790a94686c73cf4d843f81f08ee039c8383790e778220c64237def4d7b9790efb9cfcd4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
8.8MB

MD5
7c8d02e2c5184c43c8f915104bb0a244

SHA1
1eb7d73d6e9e26e8a11899616da2f801642991d6

SHA256
e513246918f727d62b288ada0dabcced6fe72e4675537ca7906f253dccab7b4e

SHA512
ba328ab6d855a2237cb38ca7f101d8a101b29a3d55552edc08208378baf1ec3495e24e8acfa67af3497f0dab6b4baf4bc58fda2bf468c273bf4c80631ea3b828

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3007475212-2160282277-2943627620-1000\desktop.ini.exe

Filesize
8.8MB

MD5
6f2b5eec87246921b103cba9156694ba

SHA1
a857dfc5857ab356f52c5192bdff9ddd0919a3ca

SHA256
7f11d83ed41283d205cc12d7647930e09c6271784196f696b8ae79ddc027fb7b

SHA512
2e9b24a096c137d7af7627aefdc9126851d8843d6334ea2b3d3174b98878fe097ed0f9dc34032dcc4fcb2d1b7e1fa75558db979e4d4fb93b270a4c217f545d89

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
8.8MB

MD5
0f77d1cbcd4f7a463f9d534faaecfde7

SHA1
b93cd34dafaa156aa8da2de6ae2ebadfa417117d

SHA256
efc09d8803270ccc2f233b3dd7c1648e589b05d27df428482da49892f7f868a6

SHA512
13f722c56f67f99f7d3f79f21b87ae80fffbba371758fe9b35db324ef12491b7bb2fd12c06193b91a4ba5c762b089186b5ef1387292acf1f0671d29f31e17668

Download Submit
memory/428-45-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/428-0-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3892-50-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3892-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads