Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2024 17:50

General

  • Target

    436f7eb5c07a0951dda1c73b46092c9b_JaffaCakes118.exe

  • Size

    10.0MB

  • MD5

    436f7eb5c07a0951dda1c73b46092c9b

  • SHA1

    2f93ea5cb1900753a2411526299822fcd14288f1

  • SHA256

    9ab65884625468f01401f7b8a297f9156310dfb75b0e79190310b1bfb1ea2923

  • SHA512

    4f4eded20cf5f0f2cc64339ff322900a588747cb914adf9d518e314f91ff0fe318e6b0ae1f0173ceeced640d00848aa4ac874bfcec381412b490ab0b5048ed3a

  • SSDEEP

    98304:1i0li0khMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJM9:40I0kxI2lyE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\436f7eb5c07a0951dda1c73b46092c9b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\436f7eb5c07a0951dda1c73b46092c9b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.exe

    Filesize

    10.0MB

    MD5

    b434852d1b258de8385095ef39ec5f9a

    SHA1

    b6b039f103b24b6cf053f4af80a9b912b390f25a

    SHA256

    b8d4b22e5d5393569d46a1c822c17e5eb2d801e91a5d226f06af3eee2a7631b2

    SHA512

    69d01e9f8dbea25f7d5f3953bc96786fa948af624264d513d4febe82c646edf31aa21c6ba087e14aa89dd6ad50510f6e75b7781a24163fd9c3e0b58fd4ebc34c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    968eacdcf13ca89ce069bc51cde804ab

    SHA1

    a3d06d78494d3aa7d3d33b8210d25132a6d4ee3a

    SHA256

    a836a68a11bcbd6127db2d4de6b63aa4df0e602fb76537868a2bec8d16044545

    SHA512

    2bcc0dc3a37a75aa2d2da8d75a330139313eb6dd5d1715c22aca3290f3b808e977179f51ab3ef94419ff93cb3e5bc2493c6cec203b4ed817b984273c9c382ae9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    cc16f2faf45b1100cae58a30c99c7c83

    SHA1

    c417f08a90064375e5ce949cd0e1db359c77fb61

    SHA256

    3f1da088be494bcd20a9cda728a4d7295619f143eaad09c6724b184dcabcc87a

    SHA512

    4d0a45452ad627674b5062ac5dee0c923c19f2667233d29916b02a50169fe54e6147b648dcdc28955fc343246189afb10e47341cbf478635d478b7d863b0e83a

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    10.0MB

    MD5

    436f7eb5c07a0951dda1c73b46092c9b

    SHA1

    2f93ea5cb1900753a2411526299822fcd14288f1

    SHA256

    9ab65884625468f01401f7b8a297f9156310dfb75b0e79190310b1bfb1ea2923

    SHA512

    4f4eded20cf5f0f2cc64339ff322900a588747cb914adf9d518e314f91ff0fe318e6b0ae1f0173ceeced640d00848aa4ac874bfcec381412b490ab0b5048ed3a

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    10.0MB

    MD5

    ba821acb8cbf18f1908279df5d09b1f3

    SHA1

    12f15bfcbe844d3fa044d75b984b50b8d5eca80c

    SHA256

    9fe1a82791d2343cabe61293f9b3d3c2e533f22760ac28455fdf89111b073645

    SHA512

    9b20e9862f2efe5a3d5751d02f195a9ad3638d66b01505601387ff167b5d8952603d6cea64e1d93460c81d1914d8ad7977892a2a21b5921934ce08a0b7cfa122

  • memory/1880-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2232-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB