Analysis
-
max time kernel
145s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 17:33
Static task
static1
Behavioral task
behavioral1
Sample
4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe
-
Size
919KB
-
MD5
4e21121a61f231b5288f3f795bf80987
-
SHA1
1aaea300f162b85c4034d24aaba40d823e7832cc
-
SHA256
49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8
-
SHA512
8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c
-
SSDEEP
12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W5o:xEtl9mRda1MIHYPyBashXG3W5o
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe -
Executes dropped EXE 1 IoCs
pid Process 2892 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\K: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\S: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\L: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\Q: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\I: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\T: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\G: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\M: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\V: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\Z: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\B: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\U: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\O: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\R: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\W: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\Y: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\A: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\H: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\N: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\X: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\J: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\P: 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF HelpMe.exe File opened for modification F:\AUTORUN.INF 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HelpMe.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2892 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2892 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2892 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2892 2380 4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2892
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
920KB
MD5643d9d17c4fee2961762a0e971d3dab4
SHA1c9bdd312c544de660de34a5cb6dfcca70b00df58
SHA2560a452cef7ee0bcdb4a12d1edfb42e46e57a2d2469e5c153dae634a07363c2c21
SHA512b14a6db2ffd1d3146b0f21b413feeefb1615bf0dc69cc90feea5975a702a06cda74b2c1a021101ffbb9b64334975e06748dabc59bf802e5a306f4e749cbf6ca8
-
Filesize
1KB
MD5c0413d8a0d64df19e11ca4aec83e18fc
SHA12c4eadc535476b3fb21ef578932c30ef476625d0
SHA2565802dce9f16d7677e040c4532ea301b5424946a74ccd4115270b7951d351fa7b
SHA51223044706e7d9c59859dd552e4a89ba8630d018ab12a72d61b96d744022ecba6ac6bc4ea54dd99c1936c8965fcacd6e6197ee55fb5a37e591ccd81c15b8596848
-
Filesize
950B
MD5dfb3a368682f8d1288e39be46f7d71d8
SHA1d57cb1ee0f930fc39b3c7dafeeb21527046c26e9
SHA25697911c62fd77511155e9385531fb2c8752255e126b8a79cbec4a47b8272b7960
SHA512f6bcf1d11763e3868d509cc81dafad2b8f7eb177f12b76eea79eb085b476382799dd6027637484debc08476b26f9f0a5389cef109e4860d3162894f0f58bb8f1
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
919KB
MD54e21121a61f231b5288f3f795bf80987
SHA11aaea300f162b85c4034d24aaba40d823e7832cc
SHA25649e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8
SHA5128ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c
-
Filesize
915KB
MD5d366f09b45829980a4389f3803b2f1fa
SHA189e72610077a582083a2c9ebdf30115f04924ae1
SHA256ff979c46e355a4596575abc136c245a8f5931faef96771825ae50312a9186fe3
SHA512f53438ebfef858fbba99fea8035fba35d5eb5635840552dc62382adc5a851c2d82d768ef08f5653b697e02ae2515ff29002698e3b36186e44ad898b8823da5e0