Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe
-
Size
826KB
-
MD5
2a033f914ebbb0c8df9bb9effdf72f57
-
SHA1
2c488218f8cf04b73db42c854bc348c0a994de7a
-
SHA256
8539991f73b64de58635102b1b5fb2c0b740e867d3d9d62ebb711ab610c296fe
-
SHA512
9459e42417278f4ec66f18f880e20835d6f58a4655ef1d38c5b63746a3ae2333d14a7ba269f77fa608cfc597a711fb389e22943a2cbe3f92021f79c22e53d4d0
-
SSDEEP
24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvX:oEs1h5
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2000 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\B: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\N: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\Q: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\T: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\U: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\W: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\Y: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\K: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\I: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\J: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\P: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\O: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\R: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\G: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\H: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\M: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\X: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\E: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\L: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\A: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\S: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\V: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\Z: 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2000 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2000 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2000 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2000 2044 2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2a033f914ebbb0c8df9bb9effdf72f57_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2000
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
826KB
MD50686a2ba10f9cf44b29e297f623de09e
SHA1044d298c1c967209c13c2bd809afe529048aa3c9
SHA256d9a2da4ac2d4f657134d98ea9ceb09e036ea35c127a9600bd8e96f196ef49ba6
SHA512011a0c66a9699da534d4d20a1c2dbda652e56fad74613572a549da4061cdf14c8941c05201ecdbed20b2308c8a00cb12286467f4aa64180e2c31bd2839a3677b
-
Filesize
1KB
MD5b39b4f0e69c4be7944792e7d91a5c25e
SHA1f18f7af7e2ca6325e3a71e51ba51d73442d5be95
SHA256e5e2678f778a4507ab72c15468c24d1e2ffa0560a3736c6cb2bfee4c36d1d93c
SHA512b75047d66bf6bed8856aaa6763eba3cfb04ed3241f4c3dca92c217ac656aabd4b0a19923f691567c1c65cd8311df813d9ad5e5bfcd09afe8d894a3dd9aef1b51
-
Filesize
954B
MD53424ee4c72dd0c3ac57cc1e1a137b9e9
SHA1690747d6d20fdae77720b034ba391c81ea37c798
SHA256c9734f2b60d9a94294a2c9bcd3b1570e9f4b341ac08178de223646864833cb5b
SHA512e89133931c85d7ffc1acb26e812867eaf365169663e5d4b7591f23c2bafa2c949abf186eb8db4a46b8b007c35ee999d2123e51e2f07cc83e0a1c446e437b0768
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
826KB
MD52a033f914ebbb0c8df9bb9effdf72f57
SHA12c488218f8cf04b73db42c854bc348c0a994de7a
SHA2568539991f73b64de58635102b1b5fb2c0b740e867d3d9d62ebb711ab610c296fe
SHA5129459e42417278f4ec66f18f880e20835d6f58a4655ef1d38c5b63746a3ae2333d14a7ba269f77fa608cfc597a711fb389e22943a2cbe3f92021f79c22e53d4d0
-
Filesize
755KB
MD55b5f85db4882bc9b3a35fb423ff093b5
SHA1985373c2fee7ed239ae558bc36a786b0c283a697
SHA2562a89066f207c0618a441733b70cd6ec7ef572414e968952c17294f3afb15e901
SHA51247efac657e39801f669c8558b3c89b188d2401de533c0aacac2aa008905c460b59fcbb9efcbbfe303cf5cb267df6510d83bc98db0955c4e2df623691bf7d1c45