Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:19

General

  • Target

    e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    e58fe7f6afccca5083bb1a0a47fee71d

  • SHA1

    894ec727c20fea7c21ae45f7ae836700af510c72

  • SHA256

    8f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea

  • SHA512

    5bbf931a57aebdb4402175598d85151373b2af46584de5522b0b77df8973944603632b9ee8e8a3d65c2c98c277fa75b28a0069c6fb5d95820f4527cf2a98e38f

  • SSDEEP

    24576:8Etl9mRda1hSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvZ:PEs1c4+2NHm1P

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    Mass renaming with a new extension is the pattern left by ransomware encrypting files across the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
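
The file listing further down shows F:\AUTORUN.INF written next to F:\AutoRun.exe (whose hashes match the submitted sample), but not the body of the autorun.inf itself. The script below is an added example, not tooling from the report or code from the sample: it parses an autorun.inf found on a volume root, resolves the executable its launch directives point at, and hashes that file against the dropped-file SHA256 values from this report. The autorun.inf body and the placeholder AutoRun.exe written by build_demo_volume() are constructed for illustration; the case-insensitive section and key matching reflects that Windows treats both that way.

```python
"""Triage an autorun.inf on a volume root against the dropped-file hashes above.

Added example for the "Drops autorun.inf file" signature; not tooling from the
sandbox report. The report does not show the body of F:\\AUTORUN.INF, so the
autorun.inf written by build_demo_volume() is a constructed sample and the
placeholder AutoRun.exe it writes is NOT the real binary. The SHA256 values in
KNOWN_BAD are copied from the report's file listing.
"""
import configparser
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> label, copied from the report: the submitted sample (byte-identical
# to the dropped F:\AutoRun.exe) and the Recycle Bin copy desktop.ini.exe.
KNOWN_BAD = {
    "8f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea":
        "e58fe7f6..._JaffaCakes118.exe / F:\\AutoRun.exe",
    "c6b23a10e45f2b17f84e1568a6a35da97ee6e8a0199037bcf8eadf2e3ed04458":
        "$Recycle.Bin\\...\\desktop.ini.exe",
}

# [autorun] directives that make Windows launch a program from the volume.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(text: str) -> dict:
    """Return {directive: value} for launch directives in an autorun.inf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:          # no section header, binary junk, etc.
        return {}
    # Windows matches the section name case-insensitively; configparser does not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    # Keys are lowercased by configparser's default optionxform.
    return {k: v.strip() for k, v in cp.items(section) if k in LAUNCH_KEYS}


def first_token(value: str) -> str:
    """Executable name from a directive value, honouring a quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    parts = value.split()
    return parts[0] if parts else ""


def scan_volume(root: Path, known: dict = KNOWN_BAD) -> list:
    """Per launch target: (directive, file name, verdict, sha256 or None)."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    body = inf.read_bytes().decode("utf-8", errors="replace")
    findings = []
    for directive, value in parse_autorun(body).items():
        name = first_token(value)
        exe = root / name
        if not exe.is_file():
            findings.append((directive, name, "missing", None))
            continue
        digest = sha256_of(exe)
        verdict = "known-bad" if digest in known else "unknown"
        findings.append((directive, name, verdict, digest))
    return findings


def build_demo_volume() -> Path:
    """Constructed stand-in for the F: drive seen in the report."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    (root / "AUTORUN.INF").write_bytes(
        b"[autorun]\r\n"
        b"open=AutoRun.exe\r\n"
        b"shellexecute=AutoRun.exe\r\n"
        b"icon=AutoRun.exe,0\r\n"
        b"action=Open folder to view files\r\n"
    )
    # Placeholder bytes, not the sample: its hash will come back "unknown".
    (root / "AutoRun.exe").write_bytes(b"MZ placeholder (constructed, not the real sample)")
    return root


if __name__ == "__main__":
    for finding in scan_volume(build_demo_volume()):
        print(finding)
```

On a real device, call scan_volume(Path("F:/")) and extend KNOWN_BAD with the other hashes from this report. Current Windows releases no longer honour autorun.inf on USB media, so the dropped pair matters chiefly as a propagation artefact and IoC, not as a reliable infection path.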

Processes

  • C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1732
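
Both processes are tagged "Modifies WinLogon for persistence", but the report does not say which Winlogon value was changed. The check below is an added example, not code from the report: it takes the Shell and Userinit values (the two entries most often abused for this technique) and returns anything beyond the stock Windows entries. demo_values() is a constructed snapshot with the dropped HelpMe.exe appended to Shell, assumed purely for illustration; read_live_values() reads the real key through winreg when run on a Windows host.

```python
"""Flag non-default entries in Winlogon's Shell and Userinit values.

Added example for the "Modifies WinLogon for persistence" signature; not from
the report, which does not name the modified value. The EXPECTED entries are
the stock Windows defaults. demo_values() is a constructed registry snapshot
that assumes HelpMe.exe was appended to Shell.
"""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values. Userinit legitimately ends with a trailing comma and Shell is
# a bare "explorer.exe"; any extra entry in either list is a persistence candidate.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}


def split_entries(value: str) -> list:
    """Comma-separated REG_SZ list -> normalised, lower-cased, unquoted entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def suspicious_entries(values: dict) -> dict:
    """Return {value_name: [unexpected entries]} for the Shell/Userinit values."""
    hits = {}
    for name, expected in EXPECTED.items():
        raw = next((v for k, v in values.items() if k.lower() == name), None)
        if raw is None:
            continue
        extra = [e for e in split_entries(raw) if e not in expected]
        if extra:
            hits[name] = extra
    return hits


def read_live_values(view: int = 0) -> dict:
    """Read the real values on a Windows host; returns {} on other platforms.

    `view` may be winreg.KEY_WOW64_64KEY or winreg.KEY_WOW64_32KEY to pick
    the registry view explicitly on 64-bit hosts.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0,
                        winreg.KEY_READ | view) as key:
        for name in ("Shell", "Userinit"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out


def demo_values() -> dict:
    """Constructed snapshot: stock Userinit, Shell with the dropped EXE appended."""
    return {
        "Shell": r"explorer.exe,C:\Windows\system32\HelpMe.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    }


if __name__ == "__main__":
    live = read_live_values()
    print(suspicious_entries(live if live else demo_values()))
```

Because the sample runs as a 32-bit process (the dropped copy lands in SysWOW64), check both registry views on a 64-bit host by calling read_live_values(winreg.KEY_WOW64_64KEY) and read_live_values(winreg.KEY_WOW64_32KEY) rather than relying on the default view of whichever interpreter you run.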

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini.exe

    Filesize

    1.0MB

    MD5

    06b2dbb96d9c538cd4d4d93009491df6

    SHA1

    0df09d9f08cd9eb5a5a2187f989b0b4f5685caba

    SHA256

    c6b23a10e45f2b17f84e1568a6a35da97ee6e8a0199037bcf8eadf2e3ed04458

    SHA512

    95cb872bb474193d86d34c9b49a8c2686f2ed9713348271dbd014db2356752608e1774a3914dd70779688c7d9b3bef8111b8fa8de4587073f00264d011d2d704

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    e47347c0a7f40885957c2d92692eb6e8

    SHA1

    7170bed81f68cbf1557679c3e467178732b5834d

    SHA256

    1641e0db4ad20162a68694906f86227b8ba4ad16de11716f920c0b78f8c74a05

    SHA512

    a161d950692ac4a238bf11301372268b42e9c4291976e9a8113edd07ad5cd0d763fab858415e19203ec470b1923c4cc9d75c93b53f60962647679caf6c08591f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    2cbdea9f731954239f30819517e9dad9

    SHA1

    478d8166cb6d823db525f180aa0d2b2c14d9f6fb

    SHA256

    6861c643a17e9190f34d82872553edc68357aeceaddb08869d4a28085fc30449

    SHA512

    263dbd0e1e382c12c3e449b427d62347fc965ebb37469521c99a954be40e6d1e86ffa2b6602bfdf3a23b1b877475db75585adad65a359cf35170c4988846c0cb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    8866f92011710f1d1ecc57fe13f8a923

    SHA1

    ee933a8d8e24ec3cc9321a0fdb519b693de4b0b8

    SHA256

    211796442d07c7bbafd049b8dbf458c663f3fe10631db2ac34c77bc05dddd40e

    SHA512

    6c71812cefaafff28151a1718baf13730f990c2997bcf1618ac26bb7b01070c3127fab05047fad9d9ad65e15688f31788f3cd3ade2245a4b4b1c0187be593d7a

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    1.0MB

    MD5

    e58fe7f6afccca5083bb1a0a47fee71d

    SHA1

    894ec727c20fea7c21ae45f7ae836700af510c72

    SHA256

    8f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea

    SHA512

    5bbf931a57aebdb4402175598d85151373b2af46584de5522b0b77df8973944603632b9ee8e8a3d65c2c98c277fa75b28a0069c6fb5d95820f4527cf2a98e38f

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    804KB

    MD5

    d210d7910d11f1a1aee853b084735f73

    SHA1

    0027bd0b6eb64a04910a03540e0510273b9bd6e6

    SHA256

    13184bf257d572c80116c6242fff72ab1bf8ab3288024edf5e2e8e496bb26df7

    SHA512

    09780e520df519528d5c5fca3f2a2960da7f33e41aafadc91ad7a8e6de2bd1df5d3599e1e8b22903dab6c5a20bbe9a728a0f35d8a0ccc79f29199f157c307ffb

  • memory/1732-9-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2180-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2180-82-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB