Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 14:48
Static task
static1
Behavioral task
behavioral1
Sample
e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe
-
Size
756KB
-
MD5
e2c6e0fe3b1d2b33196db7c8910583db
-
SHA1
938e6ac51fb2693367694fc1777e9f2310073613
-
SHA256
1eba046e573d6710293d85856769feebed1e6a27b4285b5d3fc1bb1dc3c2744c
-
SHA512
7242201d1068bdbf079756c2b8337c782df32386fe40ba05f7787efe84f619fad068c7c5bc3d52b8ada9b1e941d9ee43fa86aebd439a068c46eaea9fd308c356
-
SSDEEP
12288:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb47MMpX:tEtl9mRda1rMMpX
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2772 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\I: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\T: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\X: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\B: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\U: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\V: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\E: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\Z: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\L: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\M: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\O: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\Q: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\G: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\K: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\N: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\R: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\S: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\J: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\Y: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\P: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\W: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\A: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2772 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe 28 PID 1996 wrote to memory of 2772 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe 28 PID 1996 wrote to memory of 2772 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe 28 PID 1996 wrote to memory of 2772 1996 e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2772
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
757KB
MD55b1e0e077864227c31d0d7451b99482b
SHA16da651d0e473da060bbc9080c30242394286327f
SHA2565f9b29b657ee53c9658a661fceffa7c24929e2308625e594767e86cca0029673
SHA5121e3cd6ce023cd0cb9a98c3785824b578ad64292ae0f304a328d4c175b91b4dde6f7ea5bc592d1650da281f4972216db239d9fa78b999352b6c9ebad55d32e539
-
Filesize
1KB
MD5ce9550af7e6c399d4a96cb800af232aa
SHA190ce512584c334d4131833790a590497310717d7
SHA2569e334a843ad659e10ab4c5d85fe6b91447a6e7c99c88af4224783f73260644da
SHA51252c2c15fd8bdfbe0816b34d98d70f13abad9f2f0f851bb96128767f617e16c8b577499e1192e1ffd3e27fc9e3903837435eba3799374cf0f9d9064f913242145
-
Filesize
954B
MD58cc067ff565d6ee65056d7282fab5373
SHA1af23b6ed89b9bdbbc62df7f19802288cd55b80e2
SHA2565a911fe6efd383c7de3a15a1e89dd2168f42f0231a5231dd354f9920955a2290
SHA5122f427321c55abe27bae9e9ff32b420e8e3812f795cecb32633d708fcddcab0ec862c219c5db4868e486d5ab9875a86c99705e13a0b77f5fbc30852e81f71702a
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
756KB
MD5e2c6e0fe3b1d2b33196db7c8910583db
SHA1938e6ac51fb2693367694fc1777e9f2310073613
SHA2561eba046e573d6710293d85856769feebed1e6a27b4285b5d3fc1bb1dc3c2744c
SHA5127242201d1068bdbf079756c2b8337c782df32386fe40ba05f7787efe84f619fad068c7c5bc3d52b8ada9b1e941d9ee43fa86aebd439a068c46eaea9fd308c356
-
Filesize
756KB
MD5e54120ffa7565821f4ba0f91f0b68c76
SHA1eaaa2f1fbdc5d1c6b6e7cd0f056393be18fc35e0
SHA256ac0f3b521822a9e47ffa1150074d3ed5b9ee3c44d3aacb512bbe1ae22e84f696
SHA512f4029c137e3ea7af3208ad4cd1e5a66e8b47b1f5a15ab5a0aefd087898e0b6c8a70662513248b63ec183aa2e2bdc754549ee944ae215e63eaa1f601f08f77ad6