Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/08/2024, 00:19

General

  • Target

    b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe

  • Size

    7.3MB

  • MD5

    b59ca4732457793b33ccdeb9def9384d

  • SHA1

    040e46799a87935827347ab12587176c2328bff6

  • SHA256

    a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

  • SHA512

    5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0

  • SSDEEP

    24576:zMMpXS0hN0V0HDIH53npi6IMMpXS0hN0V0HDIH53npi69:gwi0L0qK5XpiWwi0L0qK5Xpis

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This heuristic fires when many files are renamed with an extra extension, the usual pattern of ransomware encrypting files across the system. Treat it as a prompt to look rather than a verdict: the one renamed file listed under Downloads (C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.exe) is a 7.3MB executable, the size of the sample itself, and F:\AutoRun.exe is byte-identical to the sample. That is more consistent with the sample writing its own body over files than with encryption.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42. Strings and imports visible in the file on disk belong to the packer stub; unpack it, or dump the running process from memory, before relying on static analysis.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs

    The dropped file lands at C:\Windows\SysWOW64\HelpMe.exe even though it is launched as C:\Windows\system32\HelpMe.exe (see the process tree): the sample runs as a 32-bit process, so WOW64 file-system redirection turns its System32 writes into SysWOW64 writes. Hunt for HelpMe.exe under both directories.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs
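
Two of the signatures above, the WinLogon modification and the autorun.inf drop, can be checked offline against artefacts pulled from a suspect host. The script below is an added example, not tria.ge code: it compares exported Winlogon Shell/Userinit values against the Windows 7 defaults and parses an AUTORUN.INF tolerantly for keys that launch an executable. The registry values and the AUTORUN.INF text are constructed stand-ins; the report shows neither the actual Winlogon change nor the contents of the 145-byte F:\AUTORUN.INF, and the HelpMe.exe entry in the sample Shell value is a hypothetical.

```python
"""Offline checks for two persistence/propagation signatures from the report.
Added example, not tria.ge code. Both inputs are constructed stand-ins: the
report shows neither the actual Winlogon change nor the AUTORUN.INF text."""
import re

# Clean Windows 7 values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# autorun.inf keys that make Windows run something when the volume is attached
AUTORUN_EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def _split_list(value):
    """Shell/Userinit hold comma-separated program lists; a trailing comma is normal."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def check_winlogon(values):
    """Return every Shell/Userinit entry that is not a known default."""
    findings = []
    for name, data in values.items():
        expected = WINLOGON_DEFAULTS.get(name.lower())
        if expected is None:
            continue
        for part in _split_list(data):
            if part not in expected:
                findings.append(f"{name} -> {part}")
    return findings


def parse_autorun_inf(text):
    """Tolerant INI parse: {section: [(key, value)]}. Lines without '=' are
    ignored, because malicious autorun.inf files pad with junk to break
    strict parsers."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current].append((key.strip().lower(), val.strip()))
    return sections


def check_autorun_inf(text):
    """Return (key, command) pairs that would auto-execute; [autorun.<arch>] counts too."""
    launches = []
    for section, items in parse_autorun_inf(text).items():
        if not section.startswith("autorun"):
            continue
        for key, val in items:
            if AUTORUN_EXEC_KEY.match(key):
                launches.append((key, val))
    return launches


# Constructed inputs (hypothetical; only the file names come from the report)
SAMPLE_WINLOGON = {
    "Shell": r"Explorer.exe, C:\Windows\system32\HelpMe.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
SAMPLE_AUTORUN_INF = r"""[autorun]
;;; comment line
xK9@ junk line that strict INI parsers choke on
open=AutoRun.exe
shell\open\command=AutoRun.exe
shell\explore\command=AutoRun.exe
icon=AutoRun.exe
"""

if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE_WINLOGON):
        print("Winlogon:", finding)
    for key, cmd in check_autorun_inf(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", key, "=>", cmd)
```

Feed check_winlogon the values exported from the live key (both on the host and from any removable media's AUTORUN.INF) rather than the constructed samples; the Userinit default carries a trailing comma, which is why the list is split and compared entry by entry instead of as a whole string.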

Processes

  • C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.exe

    Filesize

    7.3MB

    MD5

    e0b11765780545f2cf29f7b36d1610ec

    SHA1

    f671c17c05920e83166aaaff8019343398d8bd0d

    SHA256

    d17c6917e65cac5cef0e96ba36ec08447383337bcdb9a779fc960bdd4ff5802a

    SHA512

    98bd1e61777c6c99612c3e73d2d1ace4ace80de4ad5437fddc669c8d3242b71647ffe5fadae1c8428f5a9562950dce143a2bddb175b7311d2b05238164d6d0ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    457d44ee4081826ac2a081a49f780c84

    SHA1

    62d90b96570097eb74ce2cd0783c656647bd66d0

    SHA256

    813f9152825073675cde739071e98fc70acb859650863ab8a4e4f709ab83afff

    SHA512

    d08c0ae607df9b841d602ee4ef51bfc5b4629924ef625f2e704c3fcd1e9b4ef8c83fb305a5776f1557a35dcc317cfe2bd3bec0677cb4be7f73ee7402a649c550

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    ac854b74118173ec102d46c0b0d6c11e

    SHA1

    c161776de204ef813086d89b2d9870fee853a169

    SHA256

    3034e08c8560fe2ba4f380e235abcba0f8d5553c0a4be22b241581daba1c455c

    SHA512

    a9f57c87e0f0a4645f03f43ea194233ada33fb064a03cfd92cc472fe34ccbb2553fb76587b8395c6294cb35681862b655867cce0d7045224a87ee6d602e70387

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    7.3MB

    MD5

    b59ca4732457793b33ccdeb9def9384d

    SHA1

    040e46799a87935827347ab12587176c2328bff6

    SHA256

    a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

    SHA512

    5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    7.0MB

    MD5

    110370870c145397469e856dc5f3a723

    SHA1

    c02ccff7eae9615fd8a50683670c361799e315e2

    SHA256

    b8a47c7a0ea0e67c89d254dcfc40779ef23e731c7b0bfaacd8e1f36cf024fe10

    SHA512

    52ea460f219eb63636589fbcdea1e864cf7a5bfe275258b52a30d45fd97fab8c810417ed5c3f3f7fc0d8cab3b85301ab7297416f4e81695e590a75751ccda7cc

  • memory/2604-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

  • memory/2620-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
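
The Startup-folder shortcut Soft.lnk is the other persistence artefact listed above; the report records two versions of it (1KB and 950B) without showing where they point. The parser below is an added example, not tria.ge code: it reads the Shell Link header, LinkInfo and StringData sections as laid out in MS-SHLLINK, recovers the target, working directory and arguments, and flags a Startup shortcut whose target is one of this report's dropped files or sits in a user-writable directory. Because the real Soft.lnk bytes are not on the page, the block assembles its own minimal .lnk as constructed input; its target C:\Windows\system32\HelpMe.exe and the argument string are assumptions.

```python
"""Parse Windows Shell Link (.lnk) files, the format of the Soft.lnk dropped
into the Startup folder. Added example (not tria.ge code) following MS-SHLLINK.
The sample .lnk is constructed here; the report does not show Soft.lnk's
contents, so its target is an assumption."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# File names dropped in this report, used to flag a Startup shortcut's target
REPORT_IOC_NAMES = {"helpme.exe", "autorun.exe", "desktop.ini.exe"}


def _cstr(buf, off):
    """Null-terminated ANSI string at off."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")


def _wstr(buf, off):
    """Null-terminated UTF-16LE string at off."""
    return buf[off:].decode("utf-16-le", "replace").split("\x00", 1)[0]


def parse_lnk(data):
    """Return target path, working dir, arguments and the other StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    is_unicode = bool(flags & 0x80)
    pos = 0x4C
    out = {"target": None, "name": "", "relative_path": "", "working_dir": "",
           "arguments": "", "icon_location": ""}
    if flags & 0x01:  # HasLinkTargetIDList: skip the ItemIDList (size field excluded)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: LocalBasePath + CommonPathSuffix = resolved target
        (info_size, hdr_size, info_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath present
            if hdr_size >= 0x24:  # Unicode offsets follow the fixed header
                ubase, usuffix = struct.unpack_from("<2I", data, pos + 0x1C)
                out["target"] = _wstr(data, pos + ubase) + _wstr(data, pos + usuffix)
            else:
                out["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    # StringData blocks follow in this fixed order, each present only if its flag is set
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if is_unicode else 1
            raw = data[pos:pos + count * width]
            out[key] = raw.decode("utf-16-le" if is_unicode else "cp1252", "replace")
            pos += count * width
    return out


def flag_startup_lnk(info):
    """Reasons a shortcut found in the Startup folder deserves a closer look."""
    reasons = []
    target = (info.get("target") or "").lower()
    if target.rsplit("\\", 1)[-1] in REPORT_IOC_NAMES:
        reasons.append("target is a file dropped in this report")
    for marker in ("\\appdata\\", "\\temp\\", "$recycle.bin", "\\users\\public\\"):
        if marker in target:
            reasons.append(f"target lives in a user-writable location ({marker})")
    if info.get("arguments"):
        reasons.append(f"launches with arguments: {info['arguments']}")
    return reasons


def build_lnk(target, working_dir, arguments):
    """Assemble a minimal .lnk (constructed test data, not the real Soft.lnk)."""
    flags = 0x02 | 0x10 | 0x20 | 0x80  # HasLinkInfo|HasWorkingDir|HasArguments|IsUnicode
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 1, 0x1C, base_off, 0, suffix_off)
    info += volume_id + base + suffix

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + info + string_data(working_dir) + string_data(arguments) + struct.pack("<I", 0)


# Hypothetical shortcut: the report does not reveal where Soft.lnk points
SAMPLE_LNK = build_lnk(r"C:\Windows\system32\HelpMe.exe", r"C:\Windows\system32", "-startup")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info["target"], info["arguments"])
    for reason in flag_startup_lnk(info):
        print(" -", reason)
```

Run it over the real file with parse_lnk(open(path, "rb").read()). The ItemIDList is skipped rather than decoded, so a shortcut that carries its target only in the IDList (no LinkInfo block) reports target None and needs a fuller parser; for the two Soft.lnk versions on this page, comparing the parsed target and arguments is the quickest way to see what changed between the 1KB and 950B writes.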