Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 22:42

General

  • Target

    541ab389d05230818b87d537585980af_JaffaCakes118.exe

  • Size

    955KB

  • MD5

    541ab389d05230818b87d537585980af

  • SHA1

    d66b0b6a8d7e92c6c5bd5913eaa955f07a49727a

  • SHA256

    1eb8c3c0ae21d2df81f5775aed6b35bf289d3ce7a5367161220687ec74b662fc

  • SHA512

    1d3e483985245607ae56793a963d66a3db25aed04d629597309f79a2b6b0daeecd59228abcec5f8010f7d1c91425c31954ec25bd7b5867d90eaf42284bf351c7

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHk:xEtl9mRda1MIHk

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    The sandbox's generic reading of this signature is ransomware-style encryption of files on the system. On this run, however, the renamed artifacts listed under Downloads are executables sized like the sample (desktop.ini.exe, 955KB) or byte-identical to it (F:\AutoRun.exe shares all four hashes with the submitted file), which points to a self-copying file infector or worm rather than an encryptor; confirm by checking whether the renamed files are PE images rather than ciphertext.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\541ab389d05230818b87d537585980af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\541ab389d05230818b87d537585980af_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2388

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe

          Filesize

          955KB

          MD5

          6b909b1c7f52ba1750df1c345c81d0f4

          SHA1

          c188ee92cebdadb472424c6ea5ce98e85805939b

          SHA256

          4862eec42bc83ccf41adcd0d793986be9a1e16f5a0f5e3044ae3b8e1de0436b5

          SHA512

          f03bfa71a2a32f6a6a020cbbb26a6fce136e48f03e7e3cf990bd4d10f1392545ae7fa7398204dd9f58577c19a19dcaf05e26656980d2bdfb00cc59b3f23cba2c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          d8b68fc7b88c1e9da22d13eefcb8ccfe

          SHA1

          0d773f7eecfec99d4d3424b83fb793f5b8a07f11

          SHA256

          834721f35b7b11a296c8506752e3d8b889262e58c3fc0ac45ae54de1ed0e455a

          SHA512

          a467a8b12088d2a0aeb34295580d2960d887a9ebcd1c6b74c3f001253464cd4916a0e4d51a932d485eb43abdf7b2e9d16772f7142bf3a33a2776969c48a88785

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          950B

          MD5

          df4a1fcbfcac9441d4f1b570adff69e3

          SHA1

          f2bbd751c7579e0b2f00f17356ea3d69a1cebe6b

          SHA256

          3285a5a8bd6b013352b4a30c5d6330b98df449d36eeccc0ff8999d6f3049fb84

          SHA512

          9a7abac39eda136a0ea0a9f2462921ef12ba6f1facea2eff5fce05074992f78bc5a97811534fa58f6bd4cf0fc6d9dc509744408b71c4e3a96f8c0ef7c28be5b2

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          953KB

          MD5

          dd15a872279dfe328a4228d5dd110192

          SHA1

          a61178f16ed1484558fc1b15c62abd7162ea8d36

          SHA256

          22d8df9d2e93842fa3ccea12fdec16701ef4e1978e90ba95cdac164d55db660b

          SHA512

          85ca80a3903cc7c50035964170d3035f3291fef19574a70f90e0d230bce70be2d0e44e3678883981d966567c5b2c99bf3c8f6b47f4730a4017a4a5de919b3562

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          955KB

          MD5

          541ab389d05230818b87d537585980af

          SHA1

          d66b0b6a8d7e92c6c5bd5913eaa955f07a49727a

          SHA256

          1eb8c3c0ae21d2df81f5775aed6b35bf289d3ce7a5367161220687ec74b662fc

          SHA512

          1d3e483985245607ae56793a963d66a3db25aed04d629597309f79a2b6b0daeecd59228abcec5f8010f7d1c91425c31954ec25bd7b5867d90eaf42284bf351c7

        • memory/1860-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2388-10-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB
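The following host-triage script is an added example and is not part of the sandbox report. It turns the Signatures and Downloads sections above into a check that can be run on a suspect Windows host: it hashes the dropped HelpMe.exe against the report's SHA256, looks for the Startup-folder Soft.lnk in every profile, inspects the Winlogon registry key, and looks for the AUTORUN.INF / AutoRun.exe pair in the root of non-C: drives and for double-extension copies such as desktop.ini.exe. Note that the child process is launched as C:\Windows\system32\HelpMe.exe but the file actually lands in SysWOW64; that is WOW64 file-system redirection for a 32-bit process (the resource tags include arch:x86), so the SysWOW64 path is the correct IOC. Paths and hashes are copied from the report; the Winlogon value names Shell and Userinit are an assumption, since the report says Winlogon was modified but does not name the value, and the default Userinit string is the stock Windows value.

```powershell
# Added host-triage example; not code from the sandbox report or from the sample.
# Paths and hashes below are taken from the report. The Winlogon value names and
# the default Userinit string are assumptions (the report does not name the value).
#Requires -RunAsAdministrator

$Findings = [System.Collections.Generic.List[string]]::new()

# Dropped payload: the report lists this file and SHA256 under Downloads.
$FileIocs = @{
    'C:\Windows\SysWOW64\HelpMe.exe' = '22d8df9d2e93842fa3ccea12fdec16701ef4e1978e90ba95cdac164d55db660b'
}
# F:\AutoRun.exe was byte-identical to the submitted sample, so hunt for that hash too.
$SampleSha256 = '1eb8c3c0ae21d2df81f5775aed6b35bf289d3ce7a5367161220687ec74b662fc'

function Test-FileHashIoc {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($h -ieq $Expected)
}

foreach ($kv in $FileIocs.GetEnumerator()) {
    if (Test-FileHashIoc -Path $kv.Key -Expected $kv.Value) {
        $Findings.Add("Known-bad file: $($kv.Key)")
    } elseif (Test-Path -LiteralPath $kv.Key) {
        # A file at the IOC path with a different hash is still worth a look (repacked variant).
        $Findings.Add("Unexpected file at IOC path, hash differs: $($kv.Key)")
    }
}

# "Drops startup file": Soft.lnk in the per-user Startup folder. Check every profile, not just the current one.
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Startup persistence: $($_.FullName)") }

# "Modifies WinLogon for persistence": assumption that Shell or Userinit was the value touched.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    $Findings.Add("Winlogon Shell = $($wl.Shell)")
}
$DefaultUserinit = "$env:windir\system32\userinit.exe,"   # stock value, with trailing comma
if ($wl.Userinit -and $wl.Userinit.Trim() -ne $DefaultUserinit) {
    $Findings.Add("Winlogon Userinit = $($wl.Userinit)")
}

# "Drops autorun.inf file" / "Enumerates connected drives": AUTORUN.INF plus AutoRun.exe
# in the root of every mounted drive other than C:.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -ne 'C:\' -and $null -ne $_.Used } |
    ForEach-Object {
        foreach ($name in 'AUTORUN.INF', 'AutoRun.exe') {
            $p = Join-Path $_.Root $name
            if (Test-Path -LiteralPath $p) { $Findings.Add("Autorun artifact: $p") }
        }
    }

# "Renames multiple files with added filename extension": desktop.ini.exe in $Recycle.Bin on this run.
Get-ChildItem 'C:\$Recycle.Bin' -Recurse -Force -Filter '*.ini.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Double-extension copy: $($_.FullName)") }

# Copies of the submitted sample in the locations this run used (SysWOW64 and the user temp dir).
Get-ChildItem 'C:\Windows\SysWOW64', $env:TEMP -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ieq $SampleSha256 } |
    ForEach-Object { $Findings.Add("Copy of submitted sample: $($_.FullName)") }

if ($Findings.Count -eq 0) { 'No artifacts from this run found.' } else { $Findings }
```

Run it from an elevated PowerShell session; reading $Recycle.Bin and every drive root needs administrator rights. A hit on the Winlogon check or on AUTORUN.INF on a removable drive should be treated as a live infection rather than leftover files, because both re-execute the payload on the next logon or drive insertion.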