Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 04:13

General

  • Target

    556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe

  • Size

    9.2MB

  • MD5

    556b72b555e97224f5e49f2e74ad3e10

  • SHA1

    3685319836e955eb42628ffd046b1324aa1edd68

  • SHA256

    fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f

  • SHA512

    5ce9fcced30d056b8c198047a9a8013d1cbfe7eeeb5de5d85fabee2f53a4c3afdeb395d115ad90ad4c243e4f86d14cdadc6b597cd7755fdba8fd5bf99fee2694

  • SSDEEP

    98304:4E2yIMzKpXOMBkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMV4:4nyI2lLI2ly6

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This is the generic signature text: bulk renaming with an added extension is a heuristic for ransomware-style encryption. For this run, however, the only renamed file recovered below, desktop.ini.exe in C:\$Recycle.Bin, is a 9.2MB executable, the same size as the sample, so the behaviour is more consistent with a worm replacing files with executable copies of itself than with encryption. Confirm by checking whether the renamed files are PE images rather than ciphertext before treating this as ransomware.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows AutoRun to spread further via attached volumes. Here the sample writes F:\AUTORUN.INF (145B) together with F:\AutoRun.exe, a byte-identical copy of itself (same MD5/SHA1/SHA256 as the submitted file), so any removable or mapped volume attached during execution should be treated as contaminated. Windows 7 hosts with the February 2011 AutoRun update (KB971029) no longer honour autorun.inf on USB volumes, so this spread vector mainly works on unpatched hosts or on volumes presented as optical media.

  • Drops file in System32 directory 2 IoCs

    The dropped file is C:\Windows\SysWOW64\HelpMe.exe. The sample is 32-bit (arch:x86) and writes to C:\Windows\system32, which the WoW64 file-system redirector maps to SysWOW64 on this x64 image; checks for this IoC must therefore cover both directories.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2696

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.exe

    Filesize

    9.2MB

    MD5

    7cba5708968da10c9c097d843031b2d8

    SHA1

    bedf27dabd9e6e52c0227f010234b2f4bbc4b3d3

    SHA256

    01bb752c744ffbe8c301ab5783b08e29a3e661f8c0ebe877e3495c69f9d57a9e

    SHA512

    fc308364b8087dacf57b8f61c93ea16a9c79c43a50ea16f9d52cc849bb688b7a862c8e5731db9ae2d3ef0c7110c82591a07433cf670c5e7ee6871ad4fe2094cb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    (first of three captures of this path; no filesize is listed and the MD5/SHA1/SHA256 below are the digests of zero-byte input, i.e. the shortcut was created empty and written afterwards, the 1KB and 950B captures following)

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    5974bb9591cce4aa3aa0b5ce2158d7c1

    SHA1

    9d8df8644ed9334fd581ba338427f33113170675

    SHA256

    b55db9e965882f8b65559453955d21154ee860c6195030bf0eb53ca519f54ee2

    SHA512

    c850af0307a4f94a81a5cc8d1250db1410f7081723fe51decdf648c276d1478a9e29c1ece2e4755d7f137490060c5f54e0bfdf6aeaf3380934944e8510730c4d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    25a2a790ee2b0504b0b500c0b17ca9af

    SHA1

    1ee8e74923f49362c6cc5deb9261d7b49104f6ea

    SHA256

    f548460c1ca14199cc367255d03f30d0b748929930d2bba42e21894be233232e

    SHA512

    5988f585d20bfea8ac9bdb77862171a5d7fea746d060377e67a61a0a7c5bb667d4eec141346df602ca0597b29a99eefa2776b7e7d58918b1a487b9eb760fcae0

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    9.2MB

    MD5

    6bdfea67ebd2b403f9edb0e3e01e56ea

    SHA1

    9fb59f0fc0b4b1cf77dec0b7be2ecde67fa795b2

    SHA256

    06071060b1a3e3ea38a4589709d1489487844f0aa5dbc070561f57c0da103ff2

    SHA512

    dc1193e310973635cb320979f48bbd89da4a5c464c91d33db331abffbcd9aceee93120346f4521e098e5a506cd1cfdc681f9e6aab83e71aec26f6446f464e3d3

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    9.2MB

    MD5

    556b72b555e97224f5e49f2e74ad3e10

    SHA1

    3685319836e955eb42628ffd046b1324aa1edd68

    SHA256

    fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f

    SHA512

    5ce9fcced30d056b8c198047a9a8013d1cbfe7eeeb5de5d85fabee2f53a4c3afdeb395d115ad90ad4c243e4f86d14cdadc6b597cd7755fdba8fd5bf99fee2694

  • memory/1692-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2696-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2696-228-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
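The artifacts listed above can be checked on other hosts mechanically. The following Python is an added example and not part of the sandbox report: it takes (path, SHA-256) observations as an EDR or Sysmon file-creation feed would emit them, maps a path a 32-bit writer requested under system32 to its WoW64 location, and tags each observation against the hashes and paths in this report. The OBSERVED list is constructed from the Downloads section; all function and constant names are the author's own, and the `writer_is_32bit` assumption follows from the arch:x86 tag and the SysWOW64 image path.

```python
"""Tag file-creation observations against the artifacts in this report.

Added example, not part of the sandbox output. Names below are the author's
own; the OBSERVED list is constructed from the Downloads section above.
"""
import hashlib
import ntpath
import re

# Digests copied from the report.
SAMPLE_SHA256 = "fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f"
DROPPED_SHA256 = {
    "06071060b1a3e3ea38a4589709d1489487844f0aa5dbc070561f57c0da103ff2": "HelpMe.exe",
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae": "AUTORUN.INF",
    "01bb752c744ffbe8c301ab5783b08e29a3e661f8c0ebe877e3495c69f9d57a9e": "desktop.ini.exe",
}
# Digests of zero-byte input, computed so the "empty first capture" check
# does not rely on hand-copied constants.
EMPTY_HASHES = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256")}

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# "<name>.<old ext>.exe": an existing file replaced by an executable that kept its name.
ADDED_EXT_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.exe$", re.I)
WOW64_RE = re.compile(r"^(?P<root>[A-Za-z]:\\Windows)\\system32\\", re.I)


def normalize_wow64(path: str, writer_is_32bit: bool = True) -> str:
    """Return where a write to C:\\Windows\\system32 actually lands.

    On x64 Windows the file-system redirector sends a 32-bit process's writes
    under System32 into SysWOW64, which is why the child is launched as
    system32\\HelpMe.exe but its image path is SysWOW64\\HelpMe.exe.
    """
    if not writer_is_32bit:
        return path
    return WOW64_RE.sub(r"\g<root>\\SysWOW64\\", path)


def classify(path: str, sha256: str, writer_is_32bit: bool = True) -> set[str]:
    """Tag one (path, sha256) observation with what it means for this sample."""
    path = normalize_wow64(path, writer_is_32bit)
    name = ntpath.basename(path)
    drive = ntpath.splitdrive(path)[0].upper()
    tags = set()
    if sha256 == SAMPLE_SHA256:
        tags.add("sample_copy")                 # byte-identical copy of the submitted file
    if sha256 == EMPTY_HASHES["sha256"]:
        tags.add("empty_capture")               # file existed but held no bytes yet
    if sha256 in DROPPED_SHA256:
        tags.add("known_dropped:" + DROPPED_SHA256[sha256])
    if drive and drive != "C:":
        tags.add("non_system_drive")            # written to an attached volume
        if name.lower() == "autorun.inf":
            tags.add("autorun_lure")
    if STARTUP_RE.search(path) and name.lower().endswith(".lnk"):
        tags.add("startup_persistence")
    if re.search(r"\\Windows\\SysWOW64\\", path, re.I) and name.lower().endswith(".exe"):
        tags.add("dropped_in_system_dir")
    if ADDED_EXT_RE.match(name):
        tags.add("added_exe_extension")         # the rename pattern behind the ransomware heuristic
    return tags


def triage(observations) -> dict[str, set[str]]:
    """Merge tags per normalised path across repeated captures of the same file."""
    result: dict[str, set[str]] = {}
    for path, sha256 in observations:
        key = normalize_wow64(path)
        result.setdefault(key, set()).update(classify(path, sha256))
    return result


# Constructed from the Downloads section of this report: (path, SHA-256).
OBSERVED = [
    ("C:\\$Recycle.Bin\\S-1-5-21-2039016743-699959520-214465309-1000\\desktop.ini.exe",
     "01bb752c744ffbe8c301ab5783b08e29a3e661f8c0ebe877e3495c69f9d57a9e"),
    ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Soft.lnk",
     EMPTY_HASHES["sha256"]),
    ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Soft.lnk",
     "f548460c1ca14199cc367255d03f30d0b748929930d2bba42e21894be233232e"),
    # Path as the parent's command line names it; the image actually lives in SysWOW64.
    ("C:\\Windows\\system32\\HelpMe.exe",
     "06071060b1a3e3ea38a4589709d1489487844f0aa5dbc070561f57c0da103ff2"),
    ("F:\\AUTORUN.INF", "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"),
    ("F:\\AutoRun.exe", SAMPLE_SHA256),
]

if __name__ == "__main__":
    for path, tags in triage(OBSERVED).items():
        print(f"{path}\n    {', '.join(sorted(tags)) or '-'}")
```

Feed real events through `triage` in the same (path, sha256) shape; the zero-byte digests are computed rather than pasted so the check that the first Soft.lnk capture was empty does not depend on copying hashes correctly, and `writer_is_32bit=False` turns the WoW64 mapping off for events produced by a 64-bit process.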