Analysis
-
max time kernel
145s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 17:58
Static task
static1
Behavioral task
behavioral1
Sample
4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe
-
Size
3.0MB
-
MD5
4e3bc33d73f4d1b456edd175c4e1992b
-
SHA1
48d3fd59564c5352080c2c3799e03581610b1978
-
SHA256
723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818
-
SHA512
7690e3b5f1f36d6a01eca0759cc8e94771a1d71b200f89fd19173902c0a5aaef3d261bfda819ca648b6503fa84fd790f42a4a863990b0ee693c81aafba939a74
-
SSDEEP
12288:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqyKXe/8JN+K:aEtl9mRda1VIyo9t
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2316 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\S: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\B: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\N: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\U: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\W: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\L: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\X: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\Y: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\E: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\G: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\H: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\P: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\Q: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\T: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\Z: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\A: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\K: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\M: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\J: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\R: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\V: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\I: 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HelpMe.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2316 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe 29 PID 2876 wrote to memory of 2316 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe 29 PID 2876 wrote to memory of 2316 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe 29 PID 2876 wrote to memory of 2316 2876 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2316
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5bd97d3d006bb26acf309266ad631b633
SHA1d750b8b387ebb3a391db45575a428c7b147ec0d3
SHA2568b3be8668b6b196c577557c24010de1f2e7d1b1e7d5dbe896809f78114086762
SHA512692ffaf8b79f949066cccff5aeda504f74ce95ce6cf41636fc18d0c03b894a44c6a02b38448559255a1de90bba6bc4bf9df1200c9816ebb87a784eeb6eee90a9
-
Filesize
1KB
MD57d288d089e88794f871771feb622790a
SHA1c13eb13d794813e31c1f958c21d3dc80fc71012a
SHA256d1067ed8767fa33676d740571f2e2faf5235a067846d99e0c722d2b35c47fcbc
SHA512420377f9e5833202c7936b79fc15924638c359cc1f3a9876bf717398849abce57b3cc603cd283ee87bbb67b322d77e69075e7ac646d222f232f2ea282226d943
-
Filesize
954B
MD5ffee3a04db1b0dfc10aba9a5a38100f9
SHA1c32183808e4f40b6a4220f1a427d37859cf34678
SHA256631703d391a4db30cb0cb7fc7d5b53a33b7298bad0cca67a60201367c5bcbef1
SHA512b5bc902d8f70e6cd1aca8dde55418529384915f178b26dad4667dde4977e2ece00cd321bf4b89af801be6a7ba96c0398288f14f1164b0f623c6fd38ad79b7cc6
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
3.0MB
MD54e3bc33d73f4d1b456edd175c4e1992b
SHA148d3fd59564c5352080c2c3799e03581610b1978
SHA256723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818
SHA5127690e3b5f1f36d6a01eca0759cc8e94771a1d71b200f89fd19173902c0a5aaef3d261bfda819ca648b6503fa84fd790f42a4a863990b0ee693c81aafba939a74
-
Filesize
1.0MB
MD57e4e24ffea295894b9a761a4357978eb
SHA13902b765eb7224e56cc9dc0c555a6c650534d967
SHA2566539f6d8a284a0225ef83189bf6bd85d930fb033836fd95e743e992767b6ea79
SHA512df1bc9ce2903457b241f41456a9a534162c38ea5a4308c095e3fabe480fbecca7c45c3f24953f67d2593097ec1a7fb3a0eb4c5b6ccb6a6cc347cffaf9cb59b26