73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
Size

7.1MB
MD5

b4f166e8b2ca1ab9f7cc326718b18fd8
SHA1

206fe3a4cae7faf319321a943f7edc840b727fad
SHA256

73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc
SHA512

c70da1527fe4325e6cc42757a86bafb0bbe2a1868201924159df0d3cba08d18ab9b3c446d2b5ffbfd97931f5ffa26298c90f112e407cc3652c4624a598118c3c
SSDEEP

24576:aEtl9mRda1VIUSu7KB8NIyXbacAfUSunEp+XRGEUvkXw6z4Etl9mRda1J:xEs12pHB8NIMI8SfpwotkzvEs1J

Score

10^/10

discovery persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\L:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\E:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\I:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\X:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\G:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\S:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\W:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\O:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\V:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\H:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\J:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\P:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\M:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\N:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\K:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\R:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\T:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Y:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2856	2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2856	2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2856	2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2856	2768	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.exe

Filesize
7.1MB

MD5
cc6af049cd0e09bee9b96f5575d79f5c

SHA1
6b9091220ad44384af80ee8af36fc975ab1483b9

SHA256
446ff79f8600cc4332e63ea9bf32aaf3be226d5dfb21627fb1eed60f0130670e

SHA512
8059a9456e2f7045295df2a0bd3b8a3ece5dced1d218653de6eff7230c86ce70d19dd7847bb8e4f94901c34f8c5451089b841c409c82e4024faf9756d9170596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
983ce85bdab394944e2139bd9d9cdcdd

SHA1
d726895058aa0082d0701f961f6847dff484c050

SHA256
3bdd3698161ad1fbbb8a2c3fe12229380ee3e89c06692ee60034fca898deecb2

SHA512
0c51cb132aca1f4a635d7d2b3b36150057ce16d452642cd084fe905dc09ca42661d29f17466085060355901b2e82e088c46a22064b19189209fc331e3203b43f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
196d1d2331f25a268e7d917f59e01286

SHA1
191a303953ec6609af85909e1f2422ce906605e9

SHA256
d507d292158fb5c51ca055da925278aabad07732e1f79ac49d1195c75e80dd5c

SHA512
94e47d8bfe385a2d9935c4c12639d3d769c4cb66c6c52bc9da83cb51f70bfa793f6251a8d66fae9ea039e941d535b046645c8882f49d03be81708de6cbba6034

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.1MB

MD5
b4f166e8b2ca1ab9f7cc326718b18fd8

SHA1
206fe3a4cae7faf319321a943f7edc840b727fad

SHA256
73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc

SHA512
c70da1527fe4325e6cc42757a86bafb0bbe2a1868201924159df0d3cba08d18ab9b3c446d2b5ffbfd97931f5ffa26298c90f112e407cc3652c4624a598118c3c

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
5.1MB

MD5
b6b35f14be265e6af082fbe45a219bdc

SHA1
0d6e1e8fe0dd8de52f1b0b2bb43b5078c4f3d43e

SHA256
08e99794376781d81046f1e3836cd362fdbc99f5434c33e60198beb464c1d71c

SHA512
0287ca6a3c63a5896c1dff46f540d7577ae544d7c48b48e383fdc1b1184ab27425607c23314d9c9c68cc89726bd19492b1c76142aa29289dce160a71703a1767

Download Submit
memory/2768-10-0x0000000001DE0000-0x0000000001E59000-memory.dmp

Filesize
484KB

Download
memory/2768-9-0x0000000001DE0000-0x0000000001E59000-memory.dmp

Filesize
484KB

Download
memory/2768-52-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2768-0-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2768-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2856-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2856-216-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads