Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 04:16
Behavioral tasks
task | Sample | Resource
behavioral1 | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe | win7-20240220-en
behavioral2 | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe | win10v2004-20240426-en
General
- Target: 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
- Size: 449KB
- MD5: 2843c6a46eeb3108c0edd94dcf6bf6da
- SHA1: bdf32ec22c66b3a95b4d72d64af9ae6403fc36b2
- SHA256: 041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238
- SHA512: 18bc760f41ff4b9093fb4020959e66c696980943ed219dff6794d0c36ebc0a461dc05485c5ce8f2ac53632344e1123e9902a5aafd58dc50f65736ad065e67057
- SSDEEP: 12288:ZMMpXKb0hNGh1kG0HWnAlU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtl8:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrWp
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Yara rule matches
  resource | yara_rule
  behavioral1/files/0x000b000000013a3f-2.dat | aspack_v212_v242
  behavioral1/files/0x0007000000014367-38.dat | aspack_v212_v242
  behavioral1/files/0x0001000000000026-54.dat | aspack_v212_v242
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1312 | HelpMe.exe
- Loads dropped DLL (31 IoCs)
  pid | Process | entries
  2360 | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe | 2
  1312 | HelpMe.exe | 29 (the remaining entries, all identical)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23 entries, every letter except C:, D: and F:) | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  File opened (read-only) | \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23 entries, every letter except C:, D: and F:) | HelpMe.exe
- Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\AUTORUN.INF | HelpMe.exe
  File opened for modification | F:\AUTORUN.INF | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  File opened for modification | C:\AUTORUN.INF | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\HelpMe.exe | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2360 wrote to memory of 1312 | 2360 | 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe | 28
  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe"
  PID: 2360
  Signatures:
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe (child of PID 2360)
    Command line: C:\Windows\system32\HelpMe.exe
    PID: 1312
    Signatures:
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory