Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-2h1wravfqp
Target 5f03a75487908cb6837a220a4b052740_JaffaCakes118
SHA256 ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38
Tags: aspackv2, discovery, persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38

Threat Level: Known bad

The file 5f03a75487908cb6837a220a4b052740_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: aspackv2, discovery, persistence, ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 22:35

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 22:35

Reported

2024-10-19 22:38

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 22:35

Reported

2024-10-19 22:38

Platform

win7-20240903-en

Max time kernel

145s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2516-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 4212fc1244ac4da0602e53f8c236bba0
SHA1 af0bc872fd4900a59455cc60599d56721fcd7d18
SHA256 f9da259d122ec54e8d8342d7b6c8919c3b6648fcddd3c6619eabebd607999d38
SHA512 0b2486fca28efda1950f6dc3f7f625bd1b1585b4162f67bd2647413a1dcd74ec4a3370d7897c79ad45dbc7ca320ec8704a8f2c5aa6beb3e1ce7e0720fd288301

memory/1544-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe

MD5 62b3d1d047faf67897549c7997fecdd9
SHA1 16ee856b6020dd5cce1eb29ab07017edd7deca8c
SHA256 e4ebfc9c8cc8e5cb4246622e0e5bdc7fb5c76cc1e056bbe0ee4fbf36345aa89b
SHA512 cf11516755ac0bbe9a0e777ae043780262ea1996c9713d1e502100df6b5cc05bb9947dfc6d37c26d291fb9d944cf0c2dc983136d5766e67fee9de1b90143daf9

F:\AutoRun.exe

MD5 5f03a75487908cb6837a220a4b052740
SHA1 e37d87b0a418839369ceb31287f9d21053317117
SHA256 ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38
SHA512 13fc308b9ffa6bce038dc4a578e5cae38a4626b8f7c71a5e2ae658c92417a04bc7b3c1d937231e1aa3e5737fbf3362f2833c85576cedfb88a8e9bde05b7ad6a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3ea466afc4955c3d7aa727bf0c0cd7d4
SHA1 63fafc3b37abf50d159fc47de61c890a364d2f00
SHA256 987883596e8d6ac0a5ee8cfbf6074e97e84b3ab5b19cee301c5a9a49c62d7608
SHA512 d1dbd99fdcbc5d186d5d3470a9994637f83f320119b227bc4c92531d2d7846dc72afbbaa4e69b5474d8e7bca69b01ac2e00658357755bcf67c5df5b130f3ff90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f9d62d814f79ad0ac61d9ae14b554235
SHA1 83f74897a919b24018643ae9447bf844960b651c
SHA256 b4f53b9910fa1ac885271f83e17c2e003330a139a79821379ee00e5a4995491a
SHA512 ba3491b9a92dd6c920090c79ac1e8802d3e7b31635adbe63c2aefef7eef972dfea553ea255e06da5eac4a6f6d0d5253a1d9d709be96b7f559b9cf6ab9a1e5174

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e