Analysis

  • max time kernel
    145s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    16-10-2024 17:58

General

  • Target

    4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe

  • Size

    3.0MB

  • MD5

    4e3bc33d73f4d1b456edd175c4e1992b

  • SHA1

    48d3fd59564c5352080c2c3799e03581610b1978

  • SHA256

    723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818

  • SHA512

    7690e3b5f1f36d6a01eca0759cc8e94771a1d71b200f89fd19173902c0a5aaef3d261bfda819ca648b6503fa84fd790f42a4a863990b0ee693c81aafba939a74

  • SSDEEP

    12288:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqyKXe/8JN+K:aEtl9mRda1VIyo9t

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.exe

    Filesize

    3.0MB

    MD5

    bd97d3d006bb26acf309266ad631b633

    SHA1

    d750b8b387ebb3a391db45575a428c7b147ec0d3

    SHA256

    8b3be8668b6b196c577557c24010de1f2e7d1b1e7d5dbe896809f78114086762

    SHA512

    692ffaf8b79f949066cccff5aeda504f74ce95ce6cf41636fc18d0c03b894a44c6a02b38448559255a1de90bba6bc4bf9df1200c9816ebb87a784eeb6eee90a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    7d288d089e88794f871771feb622790a

    SHA1

    c13eb13d794813e31c1f958c21d3dc80fc71012a

    SHA256

    d1067ed8767fa33676d740571f2e2faf5235a067846d99e0c722d2b35c47fcbc

    SHA512

    420377f9e5833202c7936b79fc15924638c359cc1f3a9876bf717398849abce57b3cc603cd283ee87bbb67b322d77e69075e7ac646d222f232f2ea282226d943

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    ffee3a04db1b0dfc10aba9a5a38100f9

    SHA1

    c32183808e4f40b6a4220f1a427d37859cf34678

    SHA256

    631703d391a4db30cb0cb7fc7d5b53a33b7298bad0cca67a60201367c5bcbef1

    SHA512

    b5bc902d8f70e6cd1aca8dde55418529384915f178b26dad4667dde4977e2ece00cd321bf4b89af801be6a7ba96c0398288f14f1164b0f623c6fd38ad79b7cc6

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    3.0MB

    MD5

    4e3bc33d73f4d1b456edd175c4e1992b

    SHA1

    48d3fd59564c5352080c2c3799e03581610b1978

    SHA256

    723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818

    SHA512

    7690e3b5f1f36d6a01eca0759cc8e94771a1d71b200f89fd19173902c0a5aaef3d261bfda819ca648b6503fa84fd790f42a4a863990b0ee693c81aafba939a74

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    1.0MB

    MD5

    7e4e24ffea295894b9a761a4357978eb

    SHA1

    3902b765eb7224e56cc9dc0c555a6c650534d967

    SHA256

    6539f6d8a284a0225ef83189bf6bd85d930fb033836fd95e743e992767b6ea79

    SHA512

    df1bc9ce2903457b241f41456a9a534162c38ea5a4308c095e3fabe480fbecca7c45c3f24953f67d2593097ec1a7fb3a0eb4c5b6ccb6a6cc347cffaf9cb59b26

  • memory/2316-12-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

  • memory/2316-14-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2316-230-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

  • memory/2876-9-0x0000000001DF0000-0x0000000001E69000-memory.dmp

    Filesize

    484KB

  • memory/2876-52-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

  • memory/2876-0-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

  • memory/2876-74-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/2876-10-0x0000000001DF0000-0x0000000001E69000-memory.dmp

    Filesize

    484KB

  • memory/2876-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB