Analysis

  • max time kernel
    146s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/04/2024, 11:50

General

  • Target

    f7ee68b97bd38a8183e9ad6f6492b4a0_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    f7ee68b97bd38a8183e9ad6f6492b4a0

  • SHA1

    46aa2be1a5066468eb44f4dcbbb8dfa5cd403bd5

  • SHA256

    5b0441e323f6038785b1fb7e98799f083d4ab1f333c18c7085fdf50f77c09e3a

  • SHA512

    0d465ea27b4f87ff108604a465628d957e7e82eb01b2631008870f73b424dd884002bed39ae813ef35fdf32b1c2f0ad2983c095625295ea27ab2356fedaef66b

  • SSDEEP

    24576:8Etl9mRda1hSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvt:PEs1ckyrnF

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7ee68b97bd38a8183e9ad6f6492b4a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7ee68b97bd38a8183e9ad6f6492b4a0_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini.exe

    Filesize

    1.8MB

    MD5

    40583bc2b51ec503ae8b8e9e98ad8bba

    SHA1

    2bbb3189b068c04ac867f254a37446c7d75a25c4

    SHA256

    9f899a058769313982082255f6ee48761fb69391245e77fcb5c283fe7dce36c6

    SHA512

    55cf5372ae1ec662b557e3cdc512c67f705abe9ad7d6186d727884848aabe465d7ce17305869c96182b8240918f1beedf0963f81ed69b17650fa75ee9703ee85

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    441e70dbf5aac9a56177c3a0ad0b2f8b

    SHA1

    b98847b63ef6d99a3d989514d5b9139cf012871c

    SHA256

    9539ed54d06784bb4fdc036be70bc0672eff2892532cad89719e67c530445100

    SHA512

    edbb622388d82062fb0b324eb489df0519b9580910d6f5e20c3541159350c51152dc067fb595cc17f1a4998c708503ca79755067e1bbf9334801cacaa6319913

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    70f2d66699200deeadaa7febe2e97d2a

    SHA1

    12b14329cddf97b1e7cd8cb5358667d88cc348f9

    SHA256

    f2df2df8bcce7338c2ee1a2a8f46d717df6ef05390e35212a155cdefd0a5385b

    SHA512

    57557c1c644ff138268e416a13e993b9bc6566dd760f3925fabe8494fe41397bffcf752fa15d9d331cc6e4562dabcee3da082d74aa2803d1d3b582f5ff36ca82

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    1.8MB

    MD5

    f7ee68b97bd38a8183e9ad6f6492b4a0

    SHA1

    46aa2be1a5066468eb44f4dcbbb8dfa5cd403bd5

    SHA256

    5b0441e323f6038785b1fb7e98799f083d4ab1f333c18c7085fdf50f77c09e3a

    SHA512

    0d465ea27b4f87ff108604a465628d957e7e82eb01b2631008870f73b424dd884002bed39ae813ef35fdf32b1c2f0ad2983c095625295ea27ab2356fedaef66b

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    1.0MB

    MD5

    e8c7e0ab6a42c3440ab70c426105e52e

    SHA1

    9dd8596b8d9323d5801fd159315f3d32020ae78c

    SHA256

    e5ffae00f7e5666afbd8c7efc22599b45de70ee9984f4f06dbfaedc118b486d3

    SHA512

    cb98b8b9ee01b99b1c1775ef8aa5c46af0eba44ba304c989fe148c5a90381d1ef9ae81aca76a1d307f7386922da0b5ccebecf3c8a93e6d6011c0a82ae96fa551

  • memory/1804-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1804-236-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2376-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2376-237-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB