Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 20:53 UTC

General

  • Target

    ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe

  • Size

    895KB

  • MD5

    ee672d18981e368f5e7e168864f92f15

  • SHA1

    bbd137e7f8d90992fbe3098ad3680058371334b6

  • SHA256

    226dccb2b48a26f5e1059e1c6da369986991f1532f625d5de7759a09b9d6fd3c

  • SHA512

    88be053e64078e61098892ba1de0815bb0b3cca1a7207bdd8f8c998504aa0a69093d55e37e671939dc7df76f27951304f4f94970b9beb3b0efbd4878130d2089

  • SSDEEP

    24576:ZMMpXS0hN0V0HoSMMMpXS0hN0V0HoSTSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFe:Kwi0L0qlFwi0L0qlGx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee672d18981e368f5e7e168864f92f15_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe

    Filesize

    867KB

    MD5

    d61768d7249536fec498204c87583c7f

    SHA1

    5e6715a57ff7fcd45de19169ec53c728af5f2af9

    SHA256

    b86429c87ffce2dda477ea0f62daf4594fdf7cf0e3da980a281caff46e4ba185

    SHA512

    fa86bee1503cc0567d1dc0f35abafeb864f9e5503d3ee7a5f466cb791f667113adef779ddc69e97590cba0429e78c38b03d8cbcce9fd7df9ba9dfb069076adf0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    d8732d32132b48b06dbf1f0e4c661973

    SHA1

    316597467ac05408b9ec3f280b2895c0d17d8727

    SHA256

    97a029c5fb947d72c1dcd4678f456a772956a2471608ffdda26595e5510131b3

    SHA512

    c96984bf80d858b39cb44a52d7a1acddf5b61fe99338365b6c6c86553822eae8b1205ad29cec9b540079d477c19149fff8b4601771d85342ea69c0ad23329116

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    866KB

    MD5

    c378c77f977bf63d6a1b6d6ea8247bd3

    SHA1

    73053ce4027e3f530979e4f23f82e547520bd442

    SHA256

    610250bec271b8072d9f6b6a1373f413022dcb5b687336d73f5f3559b4d1139d

    SHA512

    92da359260afe58a6455c50428e30248f9a6c2ed81c1d385898bb65a5f010fba1035e69d454a77106b741856f6f2bc40590b7686b324ae8ec6c80b446ddf6362

  • memory/2080-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2080-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-240-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-248-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-230-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-236-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/2856-243-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-246-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-233-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-251-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-255-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-258-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-261-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-264-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-267-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2856-269-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB