ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 09:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
Size

7.8MB
MD5

2ef7ab99a6f493e6057f8e2cd3038b98
SHA1

46a74eac26a3fe8ba7da7c7ba5f5f8482effab03
SHA256

ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e
SHA512

23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107
SSDEEP

98304:Ji0ti/LR5W6oIMzKpXOai0ti/LR5W6oIMzKpXOk:802boI2lj02boI2lk

Score

10^/10

aspackv2 discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000012257-2.dat	aspack_v212_v242
behavioral1/files/0x00060000000174d5-39.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-65.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\X:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Y:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\W:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\L:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\U:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Z:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\B:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\H:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\J:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\O:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\P:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\N:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Q:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\M:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\S:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\V:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\T:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3020	2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	30
PID 2768 wrote to memory of 3020	2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	30
PID 2768 wrote to memory of 3020	2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	30
PID 2768 wrote to memory of 3020	2768	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe

Filesize
7.8MB

MD5
2acb575138b6851d2ceb2cf402e8ffc0

SHA1
58ecb9380290bfc8ca4642be50d71bfa82088264

SHA256
8c270f66f329006f2c788c02c9a78474f5dc3db698afc7545f6f79ce1bcf5efc

SHA512
b8962683bcd529e41c0dea01fa1794356949fcbb611137ec6182b24a969b61abffc9488b5f821352dd1c474f91a5bda40d5956ec0350e91c61fef53c3136862e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
aeff18a1a0ad63129b68a2261814aea3

SHA1
8a23ca3d17bc2b79629ab8328bd884f57d86d135

SHA256
9e65c3210ceb4349966f44c0d5f567bdae4a3d6c76165ab481148ba6e24d468f

SHA512
a15283f735abf8bf02cff3ae94663afa6b1fecfa45865b9a4a6d46f29706d90ea46443117a25ebc598b91f583fbba3d6529120b8a49ab993f51cdec89eb8c258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
61ec4db5d51bee2479626da422c5470f

SHA1
ece88f9f4dc87713aece3b11e4581579ff6d388e

SHA256
de0dd7b7ad8171aa3e3423cc1412e082cd6bb4b2c2dc430af2280872fc116f5f

SHA512
69f9b980e98702944a58f7916554b4ca5c4726a85a0a26c7c10be98bf579b5a37e73cb182a175d7e5ecb93ec4aa2d2fce1b95632a9b85fd64901dd77b2971978

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
2ef7ab99a6f493e6057f8e2cd3038b98

SHA1
46a74eac26a3fe8ba7da7c7ba5f5f8482effab03

SHA256
ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

SHA512
23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
5.8MB

MD5
4139196f29b96e1205491cf1412aa1cc

SHA1
f88e119fbc723ce29135f4a2f598e4257a99dd2d

SHA256
5ae297ad945e61bdc53677e81fb433e98f8ea605ddf7400646956332cd537845

SHA512
d7adcb91745b435860ac0b3c3b5f4b0e5b4d29b4e5e0a6eae6f0c27bb245a1e1e2948a128ae71c184b347ac109543fc488b69f424d0087a6efa96003854a9caa

Download Submit
memory/2768-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3020-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads