Analysis
- max time kernel: 145s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23/05/2024, 12:07
Behavioral task: behavioral1
- Sample: 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
- Size: 677KB
- MD5: 6ae36280ba9af6694960de5bb55aad9a
- SHA1: 24ae746e94b195dbef2079f89db9346e2695b14e
- SHA256: 05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492
- SHA512: 56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2
- SSDEEP: 12288:ZMMpXKb0hNGh1kG0HWnAHU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtle:ZMMpXS0hN0V0HzSGB2uJ2s4otqFCJrW9
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
  The default Shell value is "explorer.exe"; the sample and its dropped copy both append HelpMe.exe so that it is started with the user's shell at logon. Note that the write lands under Wow6432Node, the 32-bit registry view a WOW64 process sees on this x64 image. The 64-bit winlogon.exe reads the native key, so on a 64-bit host this value is unlikely to take effect; on 32-bit Windows the same write hits the real key. Check both views when hunting for this persistence.
- Renames multiple (91) files with added filename extension
  Mass renaming of files with an added extension is this sandbox's heuristic for ransomware-style encryption. On its own it does not prove the content was encrypted; compare a renamed file with its original before drawing that conclusion.
- YARA matches (packer)
  resource | yara_rule
  behavioral1/files/0x000d00000001231a-2.dat | aspack_v212_v242
  behavioral1/files/0x000800000001416f-38.dat | aspack_v212_v242
  behavioral1/files/0x0001000000000026-54.dat | aspack_v212_v242
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1656 | HelpMe.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only) \??\<letter>:
  6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe (23 IoCs): A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
  HelpMe.exe (23 IoCs): A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
  Both processes probe the same 23 letters, i.e. every drive letter except C:, D: and F:.
- Drops autorun.inf file (1 TTPs, 3 IoCs)
  Malware can abuse Windows AutoRun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\AUTORUN.INF | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  File opened for modification | C:\AUTORUN.INF | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  File opened for modification | F:\AUTORUN.INF | HelpMe.exe
  Since Windows 7 (and KB971029 on earlier versions) AutoRun commands are ignored for removable media other than optical discs, so this spreads only on legacy or misconfigured hosts; the dropped AUTORUN.INF remains a reliable artifact for detection.
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
  File created | C:\Windows\SysWOW64\HelpMe.exe | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  The copy lands in SysWOW64 rather than System32 because the sample is a 32-bit process: WOW64 file-system redirection maps its System32 writes, and the later "C:\Windows\system32\HelpMe.exe" launch seen in the process tree, to SysWOW64.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1796 wrote to memory of 1656 | 1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe | 28
  PID 1796 wrote to memory of 1656 | 1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe | 28
  PID 1796 wrote to memory of 1656 | 1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe | 28
  PID 1796 wrote to memory of 1656 | 1796 | 6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe | 28
  All four writes go from the sample (PID 1796) into its child HelpMe.exe (PID 1656, see the process tree).
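The Winlogon Shell value is the persistence artifact from this report most worth checking on other hosts. The Python below is an added example, not tria.ge code and not part of the sample: it splits a Shell value into the programs it names and flags anything other than explorer.exe, and on Windows reads both the native and the Wow6432Node view of the Winlogon key so the WOW64 case seen here is not missed. The function names are my own; the registry path is the standard Winlogon location.

```python
"""Triage helper for Winlogon "Shell" persistence, as in this report
("Explorer.exe HelpMe.exe"). Added example; not tria.ge's or the sample's code."""
from __future__ import annotations

import re
import sys

DEFAULT_SHELL = "explorer.exe"

# Standard Winlogon key. A WOW64 (32-bit) process writing HKLM\SOFTWARE lands in
# the Wow6432Node view, while the 64-bit winlogon.exe reads the native view, so
# both views are read below.
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_programs(value: str) -> list[str]:
    """Split a Shell value into the program entries it names.

    Winlogon documents a comma-separated list; this sample glues a second
    program on with a space instead, so both separators are honoured and
    quoted paths containing spaces are kept as one entry.
    """
    tokens = re.findall(r'"[^"]*"|[^,\s]+', value)
    return [t.strip('"') for t in tokens if t.strip('"')]


def extra_shells(value: str) -> list[str]:
    """Return every entry that is not explorer.exe (by basename, case-insensitive)."""
    return [p for p in shell_programs(value)
            if p.lower().rsplit("\\", 1)[-1] != DEFAULT_SHELL]


def assess_shell_value(value: str) -> dict:
    """Verdict for one Shell value: any entry beyond the default shell is a finding."""
    extras = extra_shells(value)
    return {"value": value, "extra_programs": extras, "suspicious": bool(extras)}


def read_live_shell_values() -> dict[str, str | None]:
    """Read HKLM ...\\Winlogon\\Shell from the 64-bit and 32-bit registry views.

    Windows only: returns {"native": value, "wow6432": value}, None when the
    value is absent. Off Windows it returns {} so the module still imports.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, hence the local import
    out: dict[str, str | None] = {}
    for label, view in (("native", winreg.KEY_WOW64_64KEY),
                        ("wow6432", winreg.KEY_WOW64_32KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY, 0,
                                winreg.KEY_READ | view) as key:
                out[label] = winreg.QueryValueEx(key, "Shell")[0]
        except FileNotFoundError:
            out[label] = None
    return out


if __name__ == "__main__":
    # Offline check on the value observed in this report, then the live host.
    print(assess_shell_value("Explorer.exe HelpMe.exe"))
    for label, value in read_live_shell_values().items():
        print(label, assess_shell_value(value) if value else "absent")
```

The basename comparison means a fully qualified "C:\Windows\explorer.exe" is still treated as the default shell, while an appended "HelpMe.exe" or a quoted full path to a second program is reported as the extra entry.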
Processes
- C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe"
  PID: 1796
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe (child of PID 1796)
    command line: C:\Windows\system32\HelpMe.exe
    PID: 1656
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
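The signature tables and process tree above are the raw material for a triage script. The following Python is an added example, not tria.ge's code: it parses the flattened "description ioc Process" rows of this report into per-process IoCs (registry writes, file drops, drive probes, cross-process memory writes) and maps them to named findings such as the Winlogon Shell change, the startup-folder .lnk, AUTORUN.INF drops and mass drive enumeration. ROWS is a constructed excerpt of this report's rows with the drive list shortened; the regexes and thresholds are my own.

```python
"""Turn the flattened "description ioc Process" rows of a sandbox report into
per-process findings. Added example; not tria.ge's own code. ROWS is a
constructed excerpt of this report's rows (drive list shortened)."""
import re
from collections import defaultdict

SAMPLE = "6ae36280ba9af6694960de5bb55aad9a_JaffaCakes118.exe"

ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" '
    + SAMPLE + r' Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk '
    + SAMPLE + r' File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe -',
    r'File opened (read-only) \??\P: ' + SAMPLE + r' File opened (read-only) \??\U: ' + SAMPLE
    + r' File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe -',
    r'File opened for modification F:\AUTORUN.INF ' + SAMPLE + r' File opened for modification C:\AUTORUN.INF '
    + SAMPLE + r' File opened for modification F:\AUTORUN.INF HelpMe.exe -',
    r'File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe File created C:\Windows\SysWOW64\HelpMe.exe ' + SAMPLE + r' -',
    r'PID 1796 wrote to memory of 1656 1796 ' + SAMPLE + r' 28 PID 1796 wrote to memory of 1656 1796 ' + SAMPLE + r' 28',
]

# One regex per row shape; the process image is always the trailing .exe token,
# which is what lets paths containing spaces (Start Menu) be recovered.
RE_REG = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+\.exe)')
RE_DRIVE = re.compile(r'File opened \(read-only\) \\\?\?\\([A-Z]): (\S+\.exe)')
RE_FILE = re.compile(r'File (created|opened for modification) (.+?) (\S+\.exe)(?= File |$)')
RE_WPM = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+\.exe) (\d+)')


def parse_rows(rows):
    """Group IoCs by process image name."""
    procs = defaultdict(lambda: {"registry": [], "files": [], "drives": set(), "writes_to": set()})
    for row in rows:
        row = row.strip()
        if row.endswith(" -"):          # trailing bullet of the next signature
            row = row[:-2]
        for _vtype, key, value, proc in RE_REG.findall(row):
            procs[proc]["registry"].append((key, value))
        for letter, proc in RE_DRIVE.findall(row):
            procs[proc]["drives"].add(letter)
        for action, path, proc in RE_FILE.findall(row):
            procs[proc]["files"].append((action, path))
        for src, dst, proc, _target in RE_WPM.findall(row):
            procs[proc]["writes_to"].add((int(src), int(dst)))
    return dict(procs)


def findings(procs, drive_threshold=10):
    """Map grouped IoCs to (process, kind, detail) findings."""
    out = []
    for proc, f in procs.items():
        for key, value in f["registry"]:
            if key.lower().endswith(r"\winlogon\shell") and value.lower() != "explorer.exe":
                out.append((proc, "winlogon-shell", value))
        if len(f["drives"]) >= drive_threshold:   # the full report shows 23 letters per process
            out.append((proc, "drive-enumeration", "".join(sorted(f["drives"]))))
        for _action, path in f["files"]:
            low = path.lower()
            if low.endswith(r"\autorun.inf"):
                out.append((proc, "autorun-inf", path))
            elif "\\start menu\\programs\\startup\\" in low:
                out.append((proc, "startup-folder", path))
            elif low.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
                out.append((proc, "system-dir-drop", path))
        for src, dst in sorted(f["writes_to"]):
            out.append((proc, "write-process-memory", f"{src}->{dst}"))
    return out


if __name__ == "__main__":
    # Threshold lowered because the embedded excerpt keeps only a few drive letters.
    for item in findings(parse_rows(ROWS), drive_threshold=3):
        print(item)
```

Run against the full 46-row drive table, the default threshold of 10 flags both processes; the excerpt needs a lower threshold only because it was shortened. The same grouping is what you would feed into a host-side hunt: the Winlogon Shell value, the Soft.lnk path, C:\Windows\SysWOW64\HelpMe.exe and AUTORUN.INF on every volume root.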
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 678KB
  MD5: 8972633821b623ece6027f4db644f8da
  SHA1: 5df249e844dbc79d860a1cacb3953c2a7d283c37
  SHA256: 3ee30fe78f19d1d3f6950c099a057e0bce79ca500ff12a5a52c3cb4804479c00
  SHA512: 3e7c3a906528718d488b6a3ce97a59faadbe1e5fe87f6705ba4ace3e32b68d33fd0381181c07606528be47670fa6e2eba379158806a20e9c4dbebf4c9d69eda3
- Filesize: 1KB
  MD5: 1dc66bb80f920419baf93b661148faa6
  SHA1: 46e02cf469c1eb5e873d795ca6c1b50ef98bc265
  SHA256: 232c8e0b309e6b1bcbf8aba2a5efc83614f943b5089cbb046ed3657486344a67
  SHA512: a038ec266afc13de7f48076501659cb082df6a70f07d609f869a623712cfd216381ffe7f7a70de3d6e2b5371e97045b5057e95f5b60d2d153d752c914b885ef3
- Filesize: 954B
  MD5: d77cdfe16446d4d5afbda293949ac75f
  SHA1: eb7aae4d5c11dc20eb769a7743a73c48182579df
  SHA256: be32c52bf7755767925f4c37fbdd7eefdbd285983fff36fa93b4d4ed67b2ad3c
  SHA512: cf018169d4e56b8f1214f038e139b5e83251e11286292dfc04d76b142d75a8f876ddd8d376e5b8425428e8ee9f22065263fd417a5b6e8bea2ee4e8baae0a5356
- Filesize: 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
- Filesize: 677KB (hashes match the submitted sample)
  MD5: 6ae36280ba9af6694960de5bb55aad9a
  SHA1: 24ae746e94b195dbef2079f89db9346e2695b14e
  SHA256: 05c4f0504bac495cc9ec6b30355c01bb3574dcf24ebf5f73ce2bd68316b0d492
  SHA512: 56b71d8cd15b1cad6f56f6d237b5ce2eb3dabc12b591524da4fa9bde1a80dd5376bd4c162645debc9ec2ed1dac5e470a6af3042a2649362f3c8cb532f9870bc2
- Filesize: 660KB
  MD5: 016169ea2344242b78031593b253b9b3
  SHA1: 7e382765b4082a0e04b0df26ea8e588668d58873
  SHA256: 31171ba31d85fefbc894e14478029b56d2e3cc5bb9c3b63310011a568578d58c
  SHA512: 7b10a0889de6ba892caca557f2db7b3cc83bb9109e255c012420cce0ee715eb1a0c918a7eaff5327756b5eccc6e728db146fda6d0b21c1c03f89706357bb0182