Analysis
max time kernel: 145s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 09:57
Behavioral task
behavioral1
Sample
296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
Size: 492KB
MD5: 296f056e253c378ff1be1af2b304b8fc
SHA1: 655f1860efae8d7b0d0c5120e90fc8905f67339b
SHA256: 311184ea9b8d4b0eeefa2bbb164a3e3f4dcd8b629981293eb65c2a9bc72ceadc
SHA512: dac7448d3fa6be0e5a0ae5735c327d84cec386c1d2ff337f953c33d28336787a25acdd6375267a820de5bac77d1699c977e61c77c2ea8cf27575cf9a52428cba
SSDEEP: 12288:ZMMpXKb0hNGh1kG0HWnAMU866VU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHX:ZMMpXS0hN0V0HoSySGB2uJ2s4otqFCJB
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
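The Winlogon Shell value is what Winlogon starts as the user's shell at every logon; on a stock install it is exactly explorer.exe, so any extra program in it (here HelpMe.exe, appended after Explorer.exe) is a persistence hook. The following is an added example, not code from the report or the sandbox: it parses IoC rows in the format shown above (constructed sample rows, taken from this signature plus one benign row), flags Shell values that list anything beyond explorer.exe, and on a Windows host reads both the native and the Wow6432Node view of the key, since a 32-bit process on x64 (as this sample is) is redirected to the latter. Splitting the value on commas and whitespace is an assumed heuristic, not a claim about how Winlogon itself tokenises the string.

```python
import re
import sys
from typing import Dict, List, Optional

# Stock value of HKLM\...\Winlogon\Shell; Winlogon starts whatever is listed here at logon.
EXPECTED_SHELL = "explorer.exe"

# Constructed input: the two IoC rows from the signature above, in the report's own
# row format, plus one benign row of the same shape so the non-hit path is exercised.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" svchost.exe',
]

# Row shape: Set value (str) <key>\<name> = "<value>" <process>
IOC_ROW = re.compile(r'^Set value \(str\) (?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>[^"]*)" (?P<proc>\S+)$')


def parse_ioc_row(row: str) -> Dict[str, str]:
    m = IOC_ROW.match(row)
    if m is None:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return m.groupdict()


def is_winlogon_shell(key: str, name: str) -> bool:
    # Match both the native key and the Wow6432Node view that a 32-bit
    # process on x64 is redirected to (the view this report shows).
    return name.lower() == "shell" and key.lower().endswith(r"\currentversion\winlogon")


def shell_tokens(value: str) -> List[str]:
    # Assumed heuristic tokenisation (not a statement about Winlogon's parser):
    # split on commas and whitespace so "a.exe,b.exe" and "Explorer.exe HelpMe.exe"
    # both yield the appended program.
    return [t.lower() for t in re.split(r"[,\s]+", value.strip()) if t]


def audit_shell_value(value: str) -> List[str]:
    """Programs in a Shell value other than the stock shell; empty list means clean."""
    return [t for t in shell_tokens(value) if t != EXPECTED_SHELL]


def find_shell_persistence(rows: List[str]) -> List[Dict[str, str]]:
    findings = []
    for row in rows:
        r = parse_ioc_row(row)
        if not is_winlogon_shell(r["key"], r["name"]):
            continue
        extra = audit_shell_value(r["value"])
        if extra:
            findings.append({"process": r["proc"], "key": r["key"],
                             "value": r["value"], "extra": ",".join(extra)})
    return findings


def read_live_shell_values() -> Dict[str, Optional[str]]:
    """Windows only: read Shell from both the 64-bit and the 32-bit registry view."""
    import winreg  # stdlib, available only on Windows
    sub = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    out: Dict[str, Optional[str]] = {}
    for label, flag in (("native", winreg.KEY_WOW64_64KEY), ("wow6432", winreg.KEY_WOW64_32KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0, winreg.KEY_READ | flag) as k:
                out[label], _ = winreg.QueryValueEx(k, "Shell")
        except OSError:
            out[label] = None
    return out


if __name__ == "__main__":
    for f in find_shell_persistence(SAMPLE_IOCS):
        print(f"[Winlogon Shell] {f['process']} set {f['value']!r}: extra program(s) {f['extra']}")
    if sys.platform == "win32":
        for view, val in read_live_shell_values().items():
            print(f"{view}: {val!r} -> extra {audit_shell_value(val or '')}")
```

Run it as a script to see the two hits from the report's rows; on a Windows host it also prints both registry views, which matters because an analyst checking only the native key on an x64 machine would miss the Wow6432Node entry this sample writes.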
Renames multiple (91) files with added filename extension
The sandbox attaches a generic note to this signature that it suggests ransomware encrypting files on the system. Treat that as a hypothesis rather than a finding: the renamed artifacts visible in this report are executables given a second .exe extension (C:\Windows\SysWOW64\notepad.exe.exe and C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe, under the file-drop signatures below), which is at least as consistent with an executable infector or companion-style replacement of .exe files as with data encryption. Compare a renamed file's hash with its original before calling this ransomware.
YARA rule matches on dropped files:
resource | yara_rule
behavioral1/files/0x000c00000001275b-2.dat | aspack_v212_v242
behavioral1/files/0x0007000000015e6d-42.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-58.dat | aspack_v212_v242
Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
2640 | HelpMe.exe
Loads dropped DLL (31 IoCs)
pid | Process
2348 | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe (2 entries)
2640 | HelpMe.exe (remaining 29 entries)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Both processes open, read-only, every drive root from \??\A: to \??\Z: except C:, D: and F: (23 roots each: A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:).
description | ioc | Process
File opened (read-only) | \??\A: ... \??\Z: (23 roots, as listed above) | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
File opened (read-only) | \??\A: ... \??\Z: (23 roots, as listed above) | HelpMe.exe
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File created | C:\Windows\SysWOW64\notepad.exe.exe | HelpMe.exe
The child's command line in the process tree is C:\Windows\system32\HelpMe.exe while the file lands in SysWOW64: the sample runs as a 32-bit process on an x64 image, so WOW64 file-system redirection maps its writes to System32 onto SysWOW64. When hunting on an x64 host, check SysWOW64 (and the Wow6432Node registry view) rather than only the native System32.
Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | HelpMe.exe
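The two drops with a doubled extension (notepad.exe.exe, iexplore.exe.exe) sit next to the real notepad.exe and iexplore.exe. A quick way to scope this on a suspect host is to walk the file system for every X.exe that has an X.exe.exe sibling and hash both. The following is an added example, not code from the report: the fixture tree it builds is constructed to mirror the report's drop paths with placeholder contents, and the hunt generalises to any extension, not just .exe.

```python
import os
import tempfile
from typing import Dict, List, Tuple


def find_double_extension_pairs(root: str, ext: str = ".exe") -> List[Tuple[str, str]]:
    """Walk root and return (original, shadow) path pairs where X.exe sits beside X.exe.exe.

    Matching is case-insensitive, since Windows file names are."""
    hits: List[Tuple[str, str]] = []
    suffix = ext + ext
    for dirpath, _dirs, files in os.walk(root):
        by_lower: Dict[str, str] = {f.lower(): f for f in files}
        for name in files:
            low = name.lower()
            if not low.endswith(suffix):
                continue
            original = low[: -len(ext)]          # "notepad.exe.exe" -> "notepad.exe"
            if original in by_lower:
                hits.append((os.path.join(dirpath, by_lower[original]),
                             os.path.join(dirpath, name)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture mirroring the report's drop paths; file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="helpme_hunt_")
    layout = {
        "Windows/SysWOW64/notepad.exe": b"MZ original",
        "Windows/SysWOW64/notepad.exe.exe": b"MZ shadow",
        "Windows/SysWOW64/HelpMe.exe": b"MZ dropped",              # no shadow: not a pair
        "Program Files (x86)/Internet Explorer/iexplore.exe": b"MZ original",
        "Program Files (x86)/Internet Explorer/iexplore.exe.exe": b"MZ shadow",
        "Users/Admin/Documents/report.txt": b"plain text",         # unrelated file
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for original, shadow in find_double_extension_pairs(build_sample_tree()):
        print(f"{original}  <->  {shadow}")
```

Point it at a mounted image root (or C:\ on a live host) instead of the fixture; each pair it returns is a candidate to hash and compare against the Downloads list at the end of this report.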
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2640 | HelpMe.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2348 wrote to memory of 2640 | 2348 | 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe | 29 (recorded four times)
All four writes go from the parent (PID 2348) into the child it has just spawned (PID 2640, HelpMe.exe). That is the normal pattern when a process launches a child and appears on most reports that have one; on its own it is not evidence of code injection, which would show writes into a PID the sample did not create.
Processes
1. C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe"
   PID: 2348
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 2348)
   Command line: C:\Windows\system32\HelpMe.exe
   PID: 2640
   - Modifies WinLogon for persistence
   - Drops startup file
   - Executes dropped EXE
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 493KB
MD5: ee1b98e4463f255e1ccfbb7faf80c0bc
SHA1: b2bc184f1dca5c7bc8e8c88d1e956b3ef8451f8e
SHA256: 2b6a7dea4977a1cd2606915a93e27ec1d871022e04e355c4ecb64f1d18c3e69f
SHA512: d17afd67305b62c11caf05fc6f8a20f22d578680837d89ec532ba078949ec56d0e2ede4cbf99917c04122f479f0dadf6820a401586490b75bebbd8e51a00d91f

Filesize: 1KB
MD5: be8bb046c436509d5c3485259e0a78f5
SHA1: 02b8a1e6ca99658a487e203f40650b461701ecd1
SHA256: ad6c01b9e4801f2c9a06fdeedd4ccef87ada5ee186c306af0e15af10bbac983c
SHA512: eb4baaad69f919e8e6ba9c01bdb15e7c5e802f45f6e7fe7f0b028d055ad0a7d385efc260a8bb46ac48e61c2d645c4e302035524723f90d080d56b377fc79f2aa

Filesize: 950B
MD5: c1ae2f6c227ef3c439b34d7f5605b0c7
SHA1: 49722411a4ca78c4fb50b690cac16af34255dec4
SHA256: eb18bce2544dc3465ef08fa31481f68cfbaff31270a1e6257496dc2faf2a8be1
SHA512: 73a1a91057aca8ce606ba7bf72b1ae8edffff504c8a76d9e01ad57c503fe3bb147602918ba85ef4642e1f43a45a469253d0da9b10e26b421afdcb74a454b7fa0

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Filesize: 492KB (this entry is the submitted sample itself; the hashes match the General section)
MD5: 296f056e253c378ff1be1af2b304b8fc
SHA1: 655f1860efae8d7b0d0c5120e90fc8905f67339b
SHA256: 311184ea9b8d4b0eeefa2bbb164a3e3f4dcd8b629981293eb65c2a9bc72ceadc
SHA512: dac7448d3fa6be0e5a0ae5735c327d84cec386c1d2ff337f953c33d28336787a25acdd6375267a820de5bac77d1699c977e61c77c2ea8cf27575cf9a52428cba

Filesize: 300KB
MD5: fbdf1e8566377fd12bfb63cd81663159
SHA1: 3eacd988672213cabd8046ce5155aa433cc073fd
SHA256: 35e81ce70cb043f7692529030f89b1bc341778202546212212950ed7ce030400
SHA512: f90a1f001ef025148a24670733199e7edcbe3da4badf31bc5fd975831b824e9eddef4eca9e695cf72d63e702e1a2fbb63f5abc9d92f71046373344224725f65c