Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 00:19
Behavioral task
behavioral1
Sample
b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
-
Size
7.3MB
-
MD5
b59ca4732457793b33ccdeb9def9384d
-
SHA1
040e46799a87935827347ab12587176c2328bff6
-
SHA256
a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a
-
SHA512
5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0
-
SSDEEP
24576:zMMpXS0hN0V0HDIH53npi6IMMpXS0hN0V0HDIH53npi69:gwi0L0qK5XpiWwi0L0qK5Xpis
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral1/files/0x0008000000012115-2.dat aspack_v212_v242 behavioral1/files/0x0008000000015e81-38.dat aspack_v212_v242 behavioral1/files/0x0001000000000026-55.dat aspack_v212_v242 -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2620 HelpMe.exe -
Loads dropped DLL 2 IoCs
pid Process 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\O: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\V: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\X: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\A: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\I: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\Q: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\S: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\W: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\E: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\G: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\H: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\N: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\Y: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\B: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\M: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\U: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\Z: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\K: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\T: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\J: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\L: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\P: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\R: b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened for modification C:\AUTORUN.INF b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe File opened for modification F:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe File created C:\Windows\SysWOW64\HelpMe.exe b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HelpMe.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2604 wrote to memory of 2620 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe 30 PID 2604 wrote to memory of 2620 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe 30 PID 2604 wrote to memory of 2620 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe 30 PID 2604 wrote to memory of 2620 2604 b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.3MB
MD5e0b11765780545f2cf29f7b36d1610ec
SHA1f671c17c05920e83166aaaff8019343398d8bd0d
SHA256d17c6917e65cac5cef0e96ba36ec08447383337bcdb9a779fc960bdd4ff5802a
SHA51298bd1e61777c6c99612c3e73d2d1ace4ace80de4ad5437fddc669c8d3242b71647ffe5fadae1c8428f5a9562950dce143a2bddb175b7311d2b05238164d6d0ba
-
Filesize
1KB
MD5457d44ee4081826ac2a081a49f780c84
SHA162d90b96570097eb74ce2cd0783c656647bd66d0
SHA256813f9152825073675cde739071e98fc70acb859650863ab8a4e4f709ab83afff
SHA512d08c0ae607df9b841d602ee4ef51bfc5b4629924ef625f2e704c3fcd1e9b4ef8c83fb305a5776f1557a35dcc317cfe2bd3bec0677cb4be7f73ee7402a649c550
-
Filesize
950B
MD5ac854b74118173ec102d46c0b0d6c11e
SHA1c161776de204ef813086d89b2d9870fee853a169
SHA2563034e08c8560fe2ba4f380e235abcba0f8d5553c0a4be22b241581daba1c455c
SHA512a9f57c87e0f0a4645f03f43ea194233ada33fb064a03cfd92cc472fe34ccbb2553fb76587b8395c6294cb35681862b655867cce0d7045224a87ee6d602e70387
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
7.3MB
MD5b59ca4732457793b33ccdeb9def9384d
SHA1040e46799a87935827347ab12587176c2328bff6
SHA256a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a
SHA5125858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0
-
Filesize
7.0MB
MD5110370870c145397469e856dc5f3a723
SHA1c02ccff7eae9615fd8a50683670c361799e315e2
SHA256b8a47c7a0ea0e67c89d254dcfc40779ef23e731c7b0bfaacd8e1f36cf024fe10
SHA51252ea460f219eb63636589fbcdea1e864cf7a5bfe275258b52a30d45fd97fab8c810417ed5c3f3f7fc0d8cab3b85301ab7297416f4e81695e590a75751ccda7cc