Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2024 17:15

General

  • Target

    4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    4e0f5f12d55728e3056fc3f9efacc75f

  • SHA1

    cc73069286a96ce0892aca0e8294e3fd5fcdaeb0

  • SHA256

    bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c

  • SHA512

    d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W9:xEtl9mRda1MIHYPyBashXG3W9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

    Filesize

    2.9MB

    MD5

    107b390033f6bc75db2eec110514a1f1

    SHA1

    bd2033bb90b1cbc0fb689d806509c5be88b20ad9

    SHA256

    69a09ec98afb1a38f43fb5bac58d88e9ee945219c5411be609b9443f0293fb44

    SHA512

    724faf32129722ac3fc76d9820486ac3dc31ef8c4235ad6724ac45ab5f83c81c4e0c452a793c7708726528438fe8a752ea0f84dea0648a120940964e9cd33642

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    493cff44a2a9af9a34db5a8c0d055f5b

    SHA1

    dd40c543abc951245db7bbffbdbeeae2069972e6

    SHA256

    f0d3df82c8269a0c01261caaab2e24be91e192959cdde527e895555fecff3ea0

    SHA512

    f9d1b9e7cc2975ece47086f2e848d0bf465b335f3620ad4b762fb0171a9efacef86dda4a4b0a0891994be09d189efcaddfefcaa8c3a20313cdbafa32c8890124

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    f04a2d70cffd816dcd2a4ee3cd5acd22

    SHA1

    7d6745a076d11ef0495ac25e43bd03c33276ecad

    SHA256

    1dfd58e26676de675d0b2733d9b435eb563a8d321051ee81056b34a05004a9f6

    SHA512

    850d43839a82ed3a6f0a61ebacb32b7325e44d3e3072517455c67a94dad4cd185481e89ac1d74968fc25fce06f6cc876be0061f173cc7b2093f0548a2498b81b

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.9MB

    MD5

    4e0f5f12d55728e3056fc3f9efacc75f

    SHA1

    cc73069286a96ce0892aca0e8294e3fd5fcdaeb0

    SHA256

    bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c

    SHA512

    d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.9MB

    MD5

    ad829f24697ab5836b3e93d3c014f7a4

    SHA1

    b95d212648b5b57abe2a84190c351def10c85132

    SHA256

    df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2

    SHA512

    01c110bf6662b0df58a3ef6f8db64ad4bd5165998603f5d48dc7388cce27a306b0c41ea08985d331a44f8f422044cc44d8fc9048a6a346519776630c8ac72888

  • memory/1128-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1128-224-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2840-9-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

  • memory/2840-229-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB