Analysis

  • max time kernel
    145s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2024 17:33

General

  • Target

    4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe

  • Size

    919KB

  • MD5

    4e21121a61f231b5288f3f795bf80987

  • SHA1

    1aaea300f162b85c4034d24aaba40d823e7832cc

  • SHA256

    49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8

  • SHA512

    8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W5o:xEtl9mRda1MIHYPyBashXG3W5o

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity: encrypting the files on the system.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe (PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\HelpMe.exe (PID 2892, child of 2380)
      Command line: C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

    Filesize

    920KB

    MD5

    643d9d17c4fee2961762a0e971d3dab4

    SHA1

    c9bdd312c544de660de34a5cb6dfcca70b00df58

    SHA256

    0a452cef7ee0bcdb4a12d1edfb42e46e57a2d2469e5c153dae634a07363c2c21

    SHA512

    b14a6db2ffd1d3146b0f21b413feeefb1615bf0dc69cc90feea5975a702a06cda74b2c1a021101ffbb9b64334975e06748dabc59bf802e5a306f4e749cbf6ca8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    c0413d8a0d64df19e11ca4aec83e18fc

    SHA1

    2c4eadc535476b3fb21ef578932c30ef476625d0

    SHA256

    5802dce9f16d7677e040c4532ea301b5424946a74ccd4115270b7951d351fa7b

    SHA512

    23044706e7d9c59859dd552e4a89ba8630d018ab12a72d61b96d744022ecba6ac6bc4ea54dd99c1936c8965fcacd6e6197ee55fb5a37e591ccd81c15b8596848

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    dfb3a368682f8d1288e39be46f7d71d8

    SHA1

    d57cb1ee0f930fc39b3c7dafeeb21527046c26e9

    SHA256

    97911c62fd77511155e9385531fb2c8752255e126b8a79cbec4a47b8272b7960

    SHA512

    f6bcf1d11763e3868d509cc81dafad2b8f7eb177f12b76eea79eb085b476382799dd6027637484debc08476b26f9f0a5389cef109e4860d3162894f0f58bb8f1

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    919KB

    MD5

    4e21121a61f231b5288f3f795bf80987

    SHA1

    1aaea300f162b85c4034d24aaba40d823e7832cc

    SHA256

    49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8

    SHA512

    8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    915KB

    MD5

    d366f09b45829980a4389f3803b2f1fa

    SHA1

    89e72610077a582083a2c9ebdf30115f04924ae1

    SHA256

    ff979c46e355a4596575abc136c245a8f5931faef96771825ae50312a9186fe3

    SHA512

    f53438ebfef858fbba99fea8035fba35d5eb5635840552dc62382adc5a851c2d82d768ef08f5653b697e02ae2515ff29002698e3b36186e44ad898b8823da5e0

  • memory/2380-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2380-67-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2892-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2892-74-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB