Analysis
Max time kernel: 145s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 20-10-2024 03:01
Behavioral task: behavioral1
Sample: 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
Size: 182KB
MD5: 600afc997d421b9ed14064b2759879de
SHA1: 3f83c2c1b304b7269fdd2bf6963b738ca19c74b3
SHA256: bf6acb4359d2cc3d8ee27fb9093bcbb478dcdb919a5a05dcf80039aa21c811bb
SHA512: 1ff25a2ec275197e5177ab5331eb5cd3eced7f40908d33f643e292fc051885cc6d6b16d1397ed0cab7acce25d8165ef134d1b5b94aafd5b1ab30e5b2df0d353e
SSDEEP: 3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJ9:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWf
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
YARA matches
resource | yara_rule
behavioral1/files/0x000e000000013ab3-2.dat | aspack_v212_v242
behavioral1/files/0x0007000000016de4-42.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-59.dat | aspack_v212_v242
-
Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
-
Executes dropped EXE (1 IoC)
pid | Process
1684 | HelpMe.exe
-
Loads dropped DLL (31 IoCs)
pid | Process
2544 | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe (2 entries)
1684 | HelpMe.exe (remaining 29 entries)
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (every drive letter except C:, D: and F:; 23 entries) | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
File opened (read-only) | the same 23 drive roots | HelpMe.exe
-
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | F:\AUTORUN.INF | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
-
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File created | C:\Windows\SysWOW64\notepad.exe.exe | HelpMe.exe
-
Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | HelpMe.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1684 | HelpMe.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2544 wrote to memory of 1684 | 2544 | 600afc997d421b9ed14064b2759879de_JaffaCakes118.exe | 31 (4 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe"
   PID: 2544
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 2544)
      Command line: C:\Windows\system32\HelpMe.exe (the system32 path is redirected to SysWOW64 because the process is 32-bit)
      PID: 1684
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads