Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/04/2024, 18:19
Static task
static1
Behavioral task
behavioral1
Sample
e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe
-
Size
1.0MB
-
MD5
e58fe7f6afccca5083bb1a0a47fee71d
-
SHA1
894ec727c20fea7c21ae45f7ae836700af510c72
-
SHA256
8f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea
-
SHA512
5bbf931a57aebdb4402175598d85151373b2af46584de5522b0b77df8973944603632b9ee8e8a3d65c2c98c277fa75b28a0069c6fb5d95820f4527cf2a98e38f
-
SSDEEP
24576:8Etl9mRda1hSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvZ:PEs1c4+2NHm1P
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 1732 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\U: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\Y: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\T: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\X: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\I: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\K: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\E: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\G: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\H: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\J: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\M: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\Z: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\A: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\B: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\O: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\S: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\Q: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\W: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\N: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\P: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\L: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\V: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\R: e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened (read-only) \??\V: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2180 wrote to memory of 1732 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe 28 PID 2180 wrote to memory of 1732 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe 28 PID 2180 wrote to memory of 1732 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe 28 PID 2180 wrote to memory of 1732 2180 e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1732
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD506b2dbb96d9c538cd4d4d93009491df6
SHA10df09d9f08cd9eb5a5a2187f989b0b4f5685caba
SHA256c6b23a10e45f2b17f84e1568a6a35da97ee6e8a0199037bcf8eadf2e3ed04458
SHA51295cb872bb474193d86d34c9b49a8c2686f2ed9713348271dbd014db2356752608e1774a3914dd70779688c7d9b3bef8111b8fa8de4587073f00264d011d2d704
-
Filesize
954B
MD5e47347c0a7f40885957c2d92692eb6e8
SHA17170bed81f68cbf1557679c3e467178732b5834d
SHA2561641e0db4ad20162a68694906f86227b8ba4ad16de11716f920c0b78f8c74a05
SHA512a161d950692ac4a238bf11301372268b42e9c4291976e9a8113edd07ad5cd0d763fab858415e19203ec470b1923c4cc9d75c93b53f60962647679caf6c08591f
-
Filesize
1KB
MD52cbdea9f731954239f30819517e9dad9
SHA1478d8166cb6d823db525f180aa0d2b2c14d9f6fb
SHA2566861c643a17e9190f34d82872553edc68357aeceaddb08869d4a28085fc30449
SHA512263dbd0e1e382c12c3e449b427d62347fc965ebb37469521c99a954be40e6d1e86ffa2b6602bfdf3a23b1b877475db75585adad65a359cf35170c4988846c0cb
-
Filesize
1KB
MD58866f92011710f1d1ecc57fe13f8a923
SHA1ee933a8d8e24ec3cc9321a0fdb519b693de4b0b8
SHA256211796442d07c7bbafd049b8dbf458c663f3fe10631db2ac34c77bc05dddd40e
SHA5126c71812cefaafff28151a1718baf13730f990c2997bcf1618ac26bb7b01070c3127fab05047fad9d9ad65e15688f31788f3cd3ade2245a4b4b1c0187be593d7a
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
1.0MB
MD5e58fe7f6afccca5083bb1a0a47fee71d
SHA1894ec727c20fea7c21ae45f7ae836700af510c72
SHA2568f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea
SHA5125bbf931a57aebdb4402175598d85151373b2af46584de5522b0b77df8973944603632b9ee8e8a3d65c2c98c277fa75b28a0069c6fb5d95820f4527cf2a98e38f
-
Filesize
804KB
MD5d210d7910d11f1a1aee853b084735f73
SHA10027bd0b6eb64a04910a03540e0510273b9bd6e6
SHA25613184bf257d572c80116c6242fff72ab1bf8ab3288024edf5e2e8e496bb26df7
SHA51209780e520df519528d5c5fca3f2a2960da7f33e41aafadc91ad7a8e6de2bd1df5d3599e1e8b22903dab6c5a20bbe9a728a0f35d8a0ccc79f29199f157c307ffb