Analysis
-
max time kernel
147s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20241010-en
-
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
-
submitted
18-10-2024 04:13
Static task
static1
Behavioral task
behavioral1
Sample
556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
-
Size
9.2MB
-
MD5
556b72b555e97224f5e49f2e74ad3e10
-
SHA1
3685319836e955eb42628ffd046b1324aa1edd68
-
SHA256
fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f
-
SHA512
5ce9fcced30d056b8c198047a9a8013d1cbfe7eeeb5de5d85fabee2f53a4c3afdeb395d115ad90ad4c243e4f86d14cdadc6b597cd7755fdba8fd5bf99fee2694
-
SSDEEP
98304:4E2yIMzKpXOMBkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMV4:4nyI2lLI2ly6
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe, HelpMe.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Both writes append HelpMe.exe to the Winlogon Shell value (default: explorer.exe), which is intended to start the dropped binary alongside the shell at each logon. The value lands in the Wow6432Node (32-bit) view because the sample runs under WOW64 on this x64 image.
Renames multiple (91) files with added filename extension
This suggests ransomware activity: files across the system are encrypted and an extra extension is appended to each. The report lists neither the extension nor the affected paths.
-
Drops startup file 3 IoCs
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe, HelpMe.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
Processes:
Processes: HelpMe.exe
pid | process
2696 | HelpMe.exe
Loads dropped DLL 2 IoCs
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
pid | process
1692 | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
1692 | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Processes: HelpMe.exe, 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters) | HelpMe.exe
File opened (read-only) | the same 23 drive letters (A: to Z: excluding C:, D: and F:) | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Neither process opens C:, D: or F: in this way; compare the AUTORUN.INF writes to C:\ and F:\ below.
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe, HelpMe.exe
description | ioc | process
File opened for modification | F:\AUTORUN.INF | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Drops file in System32 directory 2 IoCs
Processes:
Processes: HelpMe.exe, 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe, HelpMe.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Processes: 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
description | pid | process | target process
PID 1692 wrote to memory of 2696 | 1692 | 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe | HelpMe.exe
(the same entry is recorded four times)
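The persistence and spreading IoCs above (Winlogon Shell tampering, Startup-folder drop, AUTORUN.INF at volume roots) reduce to a few string checks over the report's own line format. The following is an added example written for this page, not sandbox output and not code from the sample: it parses report-style IoC lines (constructed here from the entries above, plus one default-shell line and one drive-enumeration line that are deliberately not flagged) and emits one finding per technique. The regular expressions, names and the choice to check both the native and Wow6432Node registry views are mine.

```python
"""Triage of sandbox IoC lines for the persistence and spreading behaviour
listed above.

Added example for this report, not output of the sandbox. The sample lines
are constructed from the IoCs shown on this page; the function and class
names are my own.
"""
import re
from dataclasses import dataclass

# Winlogon Shell value in either the native or the WOW64 (Wow6432Node) view.
# Winlogon's default is exactly "explorer.exe"; extra tokens are launched too.
WINLOGON_SHELL = re.compile(
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT'
    r'\\CurrentVersion\\Winlogon\\Shell\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)
# Anything written into a per-user Startup folder runs at logon.
STARTUP_DROP = re.compile(r'\\Start Menu\\Programs\\Startup\\(\S+)', re.IGNORECASE)
# AUTORUN.INF at a volume root, as written to C:\ and F:\ in the report.
AUTORUN_INF = re.compile(r'\b([A-Z]):\\AUTORUN\.INF\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str
    process: str


def shell_extras(shell_value: str) -> list:
    """Tokens of a Winlogon Shell value other than explorer.exe.

    "Explorer.exe HelpMe.exe" -> ["HelpMe.exe"]; the default "explorer.exe" -> [].
    """
    return [tok for tok in shell_value.split() if tok.lower() != "explorer.exe"]


def triage(lines) -> list:
    """Map report-style IoC lines to findings. The report puts the acting
    process name as the last whitespace-separated token of each line."""
    findings = []
    for line in lines:
        process = line.rsplit(" ", 1)[-1]
        m = WINLOGON_SHELL.search(line)
        if m:
            extras = shell_extras(m.group(1))
            if extras:
                findings.append(Finding("winlogon_shell", " ".join(extras), process))
            continue
        m = STARTUP_DROP.search(line)
        if m:
            findings.append(Finding("startup_folder", m.group(1), process))
            continue
        m = AUTORUN_INF.search(line)
        if m:
            findings.append(Finding("autorun_inf", m.group(1).upper() + ":", process))
    return findings


def autorun_volumes(findings) -> set:
    """Volumes that received an AUTORUN.INF, e.g. {"C:", "F:"}."""
    return {f.detail for f in findings if f.technique == "autorun_inf"}


# Constructed from the IoCs above, plus one benign default-shell line and one
# drive-enumeration line that this triage deliberately does not flag.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe',
    r'File opened for modification F:\AUTORUN.INF 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe',
    r'File opened for modification C:\AUTORUN.INF 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe',
    r'File opened (read-only) \??\J: HelpMe.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.technique:16} {f.detail:12} {f.process}")
```

Drive enumeration on its own is left out on purpose: opening \??\X: read-only is common benign behaviour, and it is the combination with AUTORUN.INF writes on the volumes actually present that marks the spreading attempt.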
Processes
-
C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"
PID: 1692
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
  Child: C:\Windows\SysWOW64\HelpMe.exe
  Command line: C:\Windows\system32\HelpMe.exe (WOW64 file system redirection maps this system32 path to SysWOW64 for the 32-bit process)
  PID: 2696
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9.2MB
MD5
7cba5708968da10c9c097d843031b2d8
SHA1
bedf27dabd9e6e52c0227f010234b2f4bbc4b3d3
SHA256
01bb752c744ffbe8c301ab5783b08e29a3e661f8c0ebe877e3495c69f9d57a9e
SHA512
fc308364b8087dacf57b8f61c93ea16a9c79c43a50ea16f9d52cc849bb688b7a862c8e5731db9ae2d3ef0c7110c82591a07433cf670c5e7ee6871ad4fe2094cb
-
Filesize
(not listed; the digests below are those of a zero-byte file)
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1KB
MD5
5974bb9591cce4aa3aa0b5ce2158d7c1
SHA1
9d8df8644ed9334fd581ba338427f33113170675
SHA256
b55db9e965882f8b65559453955d21154ee860c6195030bf0eb53ca519f54ee2
SHA512
c850af0307a4f94a81a5cc8d1250db1410f7081723fe51decdf648c276d1478a9e29c1ece2e4755d7f137490060c5f54e0bfdf6aeaf3380934944e8510730c4d
-
Filesize
950B
MD5
25a2a790ee2b0504b0b500c0b17ca9af
SHA1
1ee8e74923f49362c6cc5deb9261d7b49104f6ea
SHA256
f548460c1ca14199cc367255d03f30d0b748929930d2bba42e21894be233232e
SHA512
5988f585d20bfea8ac9bdb77862171a5d7fea746d060377e67a61a0a7c5bb667d4eec141346df602ca0597b29a99eefa2776b7e7d58918b1a487b9eb760fcae0
-
Filesize
9.2MB
MD5
6bdfea67ebd2b403f9edb0e3e01e56ea
SHA1
9fb59f0fc0b4b1cf77dec0b7be2ecde67fa795b2
SHA256
06071060b1a3e3ea38a4589709d1489487844f0aa5dbc070561f57c0da103ff2
SHA512
dc1193e310973635cb320979f48bbd89da4a5c464c91d33db331abffbcd9aceee93120346f4521e098e5a506cd1cfdc681f9e6aab83e71aec26f6446f464e3d3
-
Filesize
145B
MD5
ca13857b2fd3895a39f09d9dde3cca97
SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
9.2MB (identical digests to the submitted sample)
MD5
556b72b555e97224f5e49f2e74ad3e10
SHA1
3685319836e955eb42628ffd046b1324aa1edd68
SHA256
fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f
SHA512
5ce9fcced30d056b8c198047a9a8013d1cbfe7eeeb5de5d85fabee2f53a4c3afdeb395d115ad90ad4c243e4f86d14cdadc6b597cd7755fdba8fd5bf99fee2694
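Two things in the Downloads list are worth checking mechanically rather than by eye: one entry carries the digests of empty input (the sandbox captured a zero-byte artifact), and the three 9.2MB artifacts all differ from each other and only one of them is the submitted sample. The following is an added example written for this page, not sandbox output: it recomputes the empty-input digests with hashlib instead of trusting them, classifies each listed entry against the submitted sample, and counts distinct digests per listed size. Digest strings are copied from the page; the artifacts' bytes are not available here, so nothing else is recomputed. Function names are mine.

```python
"""Cross-check the digests in the "Downloads" list against the submitted
sample and against the digests of empty input.

Added example for this report, not sandbox output. The digest strings are
copied from the page; the byte content of the downloaded files is not
available here, so only the zero-byte case is recomputed. Function names
are my own.
"""
import hashlib

# From the "General" section above.
SUBMITTED_SHA256 = "fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f"

# From the "Downloads" section above (size as listed; None where absent).
DOWNLOADS = [
    {"size": "9.2MB", "md5": "7cba5708968da10c9c097d843031b2d8",
     "sha256": "01bb752c744ffbe8c301ab5783b08e29a3e661f8c0ebe877e3495c69f9d57a9e"},
    {"size": None, "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"size": "1KB", "md5": "5974bb9591cce4aa3aa0b5ce2158d7c1",
     "sha256": "b55db9e965882f8b65559453955d21154ee860c6195030bf0eb53ca519f54ee2"},
    {"size": "950B", "md5": "25a2a790ee2b0504b0b500c0b17ca9af",
     "sha256": "f548460c1ca14199cc367255d03f30d0b748929930d2bba42e21894be233232e"},
    {"size": "9.2MB", "md5": "6bdfea67ebd2b403f9edb0e3e01e56ea",
     "sha256": "06071060b1a3e3ea38a4589709d1489487844f0aa5dbc070561f57c0da103ff2"},
    {"size": "145B", "md5": "ca13857b2fd3895a39f09d9dde3cca97",
     "sha256": "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"},
    {"size": "9.2MB", "md5": "556b72b555e97224f5e49f2e74ad3e10",
     "sha256": "fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f"},
]


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of a byte string, hex-encoded like the report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# Digests of zero-byte input, recomputed rather than trusted.
EMPTY = digests(b"")


def classify(entry: dict) -> str:
    """'empty' for a zero-byte artifact, 'submitted' for a byte-identical copy
    of the analysed sample, otherwise 'other'. MD5 and SHA-256 must agree on
    the empty case; a mismatch would mean a transcription error in the list."""
    if entry["sha256"] == EMPTY["sha256"]:
        if entry["md5"] != EMPTY["md5"]:
            raise ValueError("MD5 and SHA-256 disagree about the empty file")
        return "empty"
    if entry["sha256"] == SUBMITTED_SHA256:
        return "submitted"
    return "other"


def distinct_by_size(entries, size: str) -> int:
    """Number of distinct SHA-256 values among entries of one listed size.
    Three for the 9.2MB entries means the other two artifacts are not
    byte-identical to the sample even though they match its listed size."""
    return len({e["sha256"] for e in entries if e["size"] == size})


if __name__ == "__main__":
    for e in DOWNLOADS:
        print(f"{str(e['size']):>6}  {e['sha256'][:16]}...  {classify(e)}")
    print("distinct 9.2MB digests:", distinct_by_size(DOWNLOADS, "9.2MB"))
```

Recomputing the empty-input digests is the point: when a sandbox lists an artifact with no size, matching its hashes against freshly computed values is how you confirm it really was zero bytes rather than a truncated capture of something else.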