Overview

overview

10

Static

static

7

16bad27cbb...18.exe

windows7-x64

10

16bad27cbb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-10-2024 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16bad27cbb0d87dba97a7876f44c1ed3_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    16bad27cbb0d87dba97a7876f44c1ed3

  • SHA1

    40dc577978f8939df6a22f988ac33d7fb5bfd7dc

  • SHA256

    864015dc2258494fe378e7ed2ff3c013d5242de34ff595aff71e49b37d246704

  • SHA512

    cd5339a03304d41f39567dd074a1f63bdd6b215fe692b49cb85145edb12031ce3bf9e7c7043625aff98b350f077b94ec766be828ef5f91cd1c653a5508020904

  • SSDEEP

    3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJl:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWP

Score
10/10
aspackv2discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16bad27cbb0d87dba97a7876f44c1ed3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\16bad27cbb0d87dba97a7876f44c1ed3_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe
    Filesize

    184KB

    MD5

    1875100eed533056133649dc8f6d0796

    SHA1

    044f3dc8fe72b3fde35872417712584ef8bf4be5

    SHA256

    4ceb23578a7b22fbae295d93fab3db0443e12945360e93a503fb29cbbd58e380

    SHA512

    41d6a37b0672a19d053a53456afae2aed1b852ca6ea7941145faf305fd8795db4f12fd7e8126fb15e3a0a21ea0e96d76c398c8945b4f4414d42bf32024f88d83

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    e6bb783c560e2b639f2b50d6c53bb9e0

    SHA1

    4dce93744a267fa0e05393fead5eec5c32a5c44c

    SHA256

    c68101b522343d4c22ee726fc5f1af52f9782486b44e16a1e2d34e6b251133f9

    SHA512

    b9a95ec0cd0813a6887d3c41d0b5c751d4b94f95a0ab0d4913ff5cbe15789725e1b49c61810d0030ec12b0b2ddc551ba636ad862d49422a8bc3be9c0fdc0c863

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    61d893dacf83c45aaf2bf72a83608d45

    SHA1

    fb2da6fdba83100f54e67f1e598e0a19c40b88ce

    SHA256

    43123b493c6ab5f2317e378d7f6dc09c2e72adcd28ee2cafb186d6ad0d4bd614

    SHA512

    41670fe76c878eff6a45b374c0333d02b38d2b7e736dd0eed262e2e8619dbecebf2c33aa4458449ce8da55bb476fb51d76bb677b5691f2228a7b2760e7d8171c

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    184KB

    MD5

    16bad27cbb0d87dba97a7876f44c1ed3

    SHA1

    40dc577978f8939df6a22f988ac33d7fb5bfd7dc

    SHA256

    864015dc2258494fe378e7ed2ff3c013d5242de34ff595aff71e49b37d246704

    SHA512

    cd5339a03304d41f39567dd074a1f63bdd6b215fe692b49cb85145edb12031ce3bf9e7c7043625aff98b350f077b94ec766be828ef5f91cd1c653a5508020904

    Download Submit

  • memory/2076-242-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-351-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-1-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2076-299-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-357-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-361-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-254-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-230-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-345-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-268-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-280-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-339-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-292-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-328-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2076-316-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-231-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-317-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-300-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-293-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-329-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-281-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-340-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-346-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-269-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-255-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-352-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-243-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-358-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2692-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-362-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download