Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
16-10-2024 17:15
Static task
static1
Behavioral task
behavioral1
Sample
4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
-
Size
2.9MB
-
MD5
4e0f5f12d55728e3056fc3f9efacc75f
-
SHA1
cc73069286a96ce0892aca0e8294e3fd5fcdaeb0
-
SHA256
bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c
-
SHA512
d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd
-
SSDEEP
12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W9:xEtl9mRda1MIHYPyBashXG3W9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe -
Renames multiple (91) files with added filename extension
This is consistent with ransomware encrypting files across the system; renaming alone does not prove the contents were encrypted, and the report does not name the added extension.
-
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid | Process
2840 | HelpMe.exe -
Loads dropped DLL 2 IoCs
pid | Process
1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters, every letter except C:, D: and F:) | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (the same 23 drive letters) | HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AUTORUN.INF | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | F:\AUTORUN.INF | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1128 wrote to memory of 2840 | 1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | 31
PID 1128 wrote to memory of 2840 | 1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | 31
PID 1128 wrote to memory of 2840 | 1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | 31
PID 1128 wrote to memory of 2840 | 1128 | 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | 31
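As an added example (not part of the sandbox report and not code from the sample), the following PowerShell triage script checks a Windows host for the persistence and spreading artifacts the signatures above describe: the modified Winlogon Shell value, the dropped HelpMe.exe, the Startup shortcut and AUTORUN.INF files at drive roots. Registry paths and file names are copied from the report. The three SHA256 values are the 2.9MB files from the Downloads section; the report does not say which of them is the dropped HelpMe.exe, so treating all three as candidate hashes is an assumption. Run it in an elevated session.

```powershell
# Added triage script for the indicators in this report. Not the report's own code.
# Indicator values are copied from the signatures; candidate hashes are an assumption.
# Run elevated: reading HKLM and some drive roots needs administrator rights.

$IndicatorSha256 = @(
    # 2.9MB files listed under Downloads. Which one is HelpMe.exe is not stated (assumption).
    'bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c',
    '69a09ec98afb1a38f43fb5bac58d88e9ee945219c5411be609b9443f0293fb44',
    'df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2'
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell. The default value is exactly "explorer.exe"; the sample appends
#    "HelpMe.exe" to it, so compare against the default instead of grepping for a name.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell modified at ${key}: '$shell'")
    }
}

# 2. Dropped executable and Startup shortcut. The 32-bit sample writes to
#    C:\Windows\system32, which WOW64 redirects to SysWOW64 on x64; check both.
$dropPaths = @(
    "$env:SystemRoot\SysWOW64\HelpMe.exe",
    "$env:SystemRoot\System32\HelpMe.exe"
)
$startupLnk = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk'
if (Test-Path -LiteralPath $startupLnk) {
    $findings.Add("Startup shortcut present: $startupLnk")
}
foreach ($exe in $dropPaths) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
    $tag = if ($IndicatorSha256 -contains $hash) { 'known hash' } else { 'unknown hash, inspect' }
    $findings.Add("Dropped binary present: $exe ($tag $hash)")
}

# 3. AUTORUN.INF at the root of every mounted drive letter, the way the sample seeds
#    C:\ and F:\. The [autorun] open= or shellexecute= line names what it would launch.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'AUTORUN.INF'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $findings.Add("AUTORUN.INF at $($drive.Root)")
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
            $findings.Add("    launches: $($Matches[2])")
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

The Startup check only covers the current user's profile ($env:APPDATA); on a shared host, loop over C:\Users\*\AppData\Roaming as well. The Winlogon comparison is deliberately against the exact default rather than the string "HelpMe.exe", because the same technique works with any appended file name.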
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128 -
2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 1128)
   Command line: C:\Windows\system32\HelpMe.exe
   The command line names system32 but the image runs from SysWOW64: the 32-bit parent is subject to WOW64 file system redirection on x64, which is also why the "Drops file in System32 directory" signature shows the file created under SysWOW64.
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.9MB
MD5 107b390033f6bc75db2eec110514a1f1
SHA1 bd2033bb90b1cbc0fb689d806509c5be88b20ad9
SHA256 69a09ec98afb1a38f43fb5bac58d88e9ee945219c5411be609b9443f0293fb44
SHA512 724faf32129722ac3fc76d9820486ac3dc31ef8c4235ad6724ac45ab5f83c81c4e0c452a793c7708726528438fe8a752ea0f84dea0648a120940964e9cd33642
-
Filesize 1KB
MD5 493cff44a2a9af9a34db5a8c0d055f5b
SHA1 dd40c543abc951245db7bbffbdbeeae2069972e6
SHA256 f0d3df82c8269a0c01261caaab2e24be91e192959cdde527e895555fecff3ea0
SHA512 f9d1b9e7cc2975ece47086f2e848d0bf465b335f3620ad4b762fb0171a9efacef86dda4a4b0a0891994be09d189efcaddfefcaa8c3a20313cdbafa32c8890124
-
Filesize 950B
MD5 f04a2d70cffd816dcd2a4ee3cd5acd22
SHA1 7d6745a076d11ef0495ac25e43bd03c33276ecad
SHA256 1dfd58e26676de675d0b2733d9b435eb563a8d321051ee81056b34a05004a9f6
SHA512 850d43839a82ed3a6f0a61ebacb32b7325e44d3e3072517455c67a94dad4cd185481e89ac1d74968fc25fce06f6cc876be0061f173cc7b2093f0548a2498b81b
-
Filesize 145B
MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize 2.9MB (identical to the submitted sample)
MD5 4e0f5f12d55728e3056fc3f9efacc75f
SHA1 cc73069286a96ce0892aca0e8294e3fd5fcdaeb0
SHA256 bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c
SHA512 d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd
-
Filesize 2.9MB
MD5 ad829f24697ab5836b3e93d3c014f7a4
SHA1 b95d212648b5b57abe2a84190c351def10c85132
SHA256 df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2
SHA512 01c110bf6662b0df58a3ef6f8db64ad4bd5165998603f5d48dc7388cce27a306b0c41ea08985d331a44f8f422044cc44d8fc9048a6a346519776630c8ac72888