Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0bea8d3669...18.exe

windows7-x64

10

0bea8d3669...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bea8d3669e855e32547b40dafba6fb2_JaffaCakes118.exe

  • Size

    435KB

  • MD5

    0bea8d3669e855e32547b40dafba6fb2

  • SHA1

    82e7e06a3005489895ec9580c7d466bb7beb35dd

  • SHA256

    dbc40ebfee3142451c4f99972cc67e9d2b112419cea76cd4e547bc67928a79c4

  • SHA512

    33d8851ff99937c92efe8ff248953fe22b42d101afacf223e174376ba065e7f9d4cb61f99cb34adaed1f64029f843df381bcf41f17dbfbb98737ec6f20dec393

  • SSDEEP

    6144:k82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilz:Cp4pNfz3ymJnJ8QCFkxCaQTOl2z

Score
10/10
discoverypersistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bea8d3669e855e32547b40dafba6fb2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0bea8d3669e855e32547b40dafba6fb2_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe
    Filesize

    436KB

    MD5

    fd9706ceda5c02288f86517d4ea21dd0

    SHA1

    a019d64920e61012bf7dc8804e8ac2716462c239

    SHA256

    4f81babe0b572ef94dc73afdc987045e228067eb826beb860594ab04cfc94a70

    SHA512

    5d2d455b830876e7b0b48b01a7ea5fe2a7644f1abb5febb5a82117c321175d91ac8c77179a798acc628cc632c9cffaf17967e01bdf8f63f80bbcee24233285c8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    12e02981d263bec1cbf18946c1dce196

    SHA1

    9b687950ec6e29438071e2c4be310c92855f96cd

    SHA256

    f523b8e056ab2b1c6338be3e1f52c956e282c646a137780cf553bd2ca08848f4

    SHA512

    2c6aff3d907976baa8a6b0f8886baf0f5c0f4f343dcc7ae7bcbc15d7892c093526bb2933ab7bfc727eb7db75f5397a0e18dee5da6731c3fdff56cb3e70bd956b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    ca998ac34b3f870be1bfce1a281c782d

    SHA1

    478238ff8d0cbbbedc0ea344f8585bfd964e8d79

    SHA256

    f6f660a4aae428c13fc650478ebb7e9bc483d084ae9289e19d7d22cb2a6a961a

    SHA512

    46e081d4d48a6e546540d70b06e48cf65ec6ad8072a4a5822b526a729836f7f5982fc3a6979c1b537e58a5e5c7730029a169d20dbd9fbfdce68559217497dfa8

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    435KB

    MD5

    0bea8d3669e855e32547b40dafba6fb2

    SHA1

    82e7e06a3005489895ec9580c7d466bb7beb35dd

    SHA256

    dbc40ebfee3142451c4f99972cc67e9d2b112419cea76cd4e547bc67928a79c4

    SHA512

    33d8851ff99937c92efe8ff248953fe22b42d101afacf223e174376ba065e7f9d4cb61f99cb34adaed1f64029f843df381bcf41f17dbfbb98737ec6f20dec393

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    435KB

    MD5

    73165a3b64fea356419ebebf93e78687

    SHA1

    bdec62cf2d946543a7649262dfdbfb595402615e

    SHA256

    7d46374fbc379a7e4d878b80f6f97fd1e9f46539f6d21e8c6b89dc650ad06a08

    SHA512

    f2ed454fe06253c6804cd49929bd15ef32d4e6ae8d529b2a0fa2fc409b179c36e161c16091f0cdab951e1ba0892847ac5affe04ddf7b8839bcd77dbb58568f0d

    Download Submit

  • memory/1080-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2200-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download