Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 04:20
Behavioral task
behavioral1
Sample
2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe
-
Size
1.0MB
-
MD5
2847aee524dcddbf33fade6a4dd12a45
-
SHA1
e7e94fd76b1cd0dd40b40a7d14ea64db0e2ad016
-
SHA256
2d0c69c0abbb080a635a97af58cfd710abf3eadf83dae363c7dcc62204b62171
-
SHA512
7fa875101ee474b0a6ebd10cd3a886d30f9eaa61877fd629d8c187b5c5570b5a4e84ba648f12a8799d63f91d8e81a6ab2c9c6e2c38c1b0d2152332670820c173
-
SSDEEP
24576:ZMMpXS0hN0V0HoSMMMpXS0hN0V0HoSTSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFS:Kwi0L0qlFwi0L0qlGP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral1/files/0x000a0000000122ec-2.dat aspack_v212_v242 behavioral1/files/0x0008000000016255-38.dat aspack_v212_v242 behavioral1/files/0x0001000000000026-52.dat aspack_v212_v242 -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe -
Executes dropped EXE 1 IoCs
pid Process 2424 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\N: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\R: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\S: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\T: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\I: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\V: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\A: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\Z: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\J: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\O: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\X: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\H: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\Q: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\E: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\K: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\U: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\B: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\G: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\W: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\Y: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\L: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\P: 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened (read-only) \??\K: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF HelpMe.exe File opened for modification F:\AUTORUN.INF 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2224 wrote to memory of 2424 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe 28 PID 2224 wrote to memory of 2424 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe 28 PID 2224 wrote to memory of 2424 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe 28 PID 2224 wrote to memory of 2424 2224 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2424
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD533767234ef1abb1457b3315404660060
SHA1b4c385193fecbbd25a16af30d6723bab7ec7f724
SHA256e6e28241a3ee81e6158d8ee91da25f745bf7b129d181a072c6056281b2d818fe
SHA5125936d9f4338df4f322715da575277282fa18689e743ad070decf16c5ac2e33636ccdce8424108644f2eec9081c478b48b78d40f8d6e9fecce50964acbf050467
-
Filesize
950B
MD503e2eb2d605daeedacefd535bd1ac92b
SHA1479ad53884e98743a48ae666c3c21a4bdc4303a4
SHA2566b02346ab1d92be0f40dabc83e33e4083cd4e8263605b7c6aa7e32cb546ff0a0
SHA5128714545af006f20bb87b228f563701e60421a9a9eed2ccaa67c08f026eca0f76862df7f7ae6de4338d31398f0aed3451dc0a77811dc879d8924f8fb65ed4792a
-
Filesize
1KB
MD5955357b23420209166d274bed34e9bd3
SHA18964763ce795041fca1dd28c95dd7777e1211a1a
SHA2562b05ae219ff453cd4c56645757cd8255cdb385204c761a98ad97e3bc0b62ef43
SHA5127141b6e3a90f94e9cb744a975e1032a40ad4fc0722b93050f1ff5f3654a54a7ce28cc24ad64270d33978521bcf9809a01666dba2ed8bc212c00cd475f1bff2f5
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
1.0MB
MD52847aee524dcddbf33fade6a4dd12a45
SHA1e7e94fd76b1cd0dd40b40a7d14ea64db0e2ad016
SHA2562d0c69c0abbb080a635a97af58cfd710abf3eadf83dae363c7dcc62204b62171
SHA5127fa875101ee474b0a6ebd10cd3a886d30f9eaa61877fd629d8c187b5c5570b5a4e84ba648f12a8799d63f91d8e81a6ab2c9c6e2c38c1b0d2152332670820c173
-
Filesize
866KB
MD5c378c77f977bf63d6a1b6d6ea8247bd3
SHA173053ce4027e3f530979e4f23f82e547520bd442
SHA256610250bec271b8072d9f6b6a1373f413022dcb5b687336d73f5f3559b4d1139d
SHA51292da359260afe58a6455c50428e30248f9a6c2ed81c1d385898bb65a5f010fba1035e69d454a77106b741856f6f2bc40590b7686b324ae8ec6c80b446ddf6362