Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 21:28

General

  • Target

    25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    25b57ff2fe11322bcf72283bbd6ae6be

  • SHA1

    a344850c803e966e74163b66af20014b104996d4

  • SHA256

    79bc2c38683eb148a21522a5614d2cbf081a6e746e4275a2d91f30e38cda0269

  • SHA512

    f09aa0e795bb5cc0ab31707eb62daa714802e8609a280439bd336b887d81c07f2665e669f5e0ca027c91ec178abb94fb0e35c7c718b510b44a0719c9defe1779

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3Wv:xEtl9mRda1MIHYPyBashXG3Wv

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system. Note, however, that the only renamed file captured in the Downloads section, desktop.ini.exe, is 2.9MB, the same size as the submitted sample; a file that gains a .exe extension and the sample's size is more consistent with the sample overwriting files with copies of itself than with encryption, so treat the ransomware reading as unconfirmed.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs
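The signatures above describe the persistence (Winlogon, Startup folder) and spread (autorun.inf on attached volumes) behaviours without showing how a responder would check a host for them. The following is an added example, not tria.ge output and not the sample's code: Python that runs those checks over a snapshot built from plain dicts and strings, so it works offline; on a live host you would fill the snapshot from the Winlogon registry key and from each drive root. Assumptions: the report does not name the Winlogon value the sample changed, so the check compares Userinit and Shell, the two values most commonly abused, against their stock defaults; the autorun.inf text and the Winlogon values in the snapshot are constructed for the example (the report lists F:\AUTORUN.INF but not its contents).

```python
"""Host-side checks for the Winlogon and autorun.inf behaviours flagged in the
report. Added example; the snapshot data below is constructed, not from tria.ge."""

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a default install; anything appended or substituted is a finding
WINLOGON_DEFAULTS = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}


def _split_list(value):
    # Winlogon values are comma-separated command lists; normalise for comparison
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_winlogon(values):
    """Return (name, value) for each Winlogon entry that differs from the default."""
    return [(name, values.get(name, ""))
            for name, default in WINLOGON_DEFAULTS.items()
            if _split_list(values.get(name, "")) != _split_list(default)]


def _program_of(cmd):
    # First token of a command line, honouring a quoted program path
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def autorun_targets(inf_text):
    """Programs an autorun.inf would launch: open=, shellexecute= and shell\\*\\command= keys."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            prog = _program_of(val)
            if prog:
                targets.append(prog)
    return targets


def check_drive_roots(roots):
    """roots: {drive: {filename: text or None}}. Flags drives whose autorun.inf
    launches an executable that sits in the same drive root."""
    flagged = []
    for drive, files in roots.items():
        names = {n.lower(): c for n, c in files.items()}
        inf = names.get("autorun.inf")
        if inf is None:
            continue
        for prog in autorun_targets(inf):
            if prog.lower().lstrip(".\\") in names:
                flagged.append((drive, prog))
    return flagged


# Constructed snapshot: a Userinit value with an extra entry appended, and an F:
# root holding the two file names the report lists (contents of the .inf invented)
SNAPSHOT_WINLOGON = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\HelpMe.exe,",
    "Shell": "explorer.exe",
}
SNAPSHOT_ROOTS = {
    "C:": {"pagefile.sys": None},
    "F:": {"AUTORUN.INF": "[autorun]\r\nopen=AutoRun.exe\r\nicon=AutoRun.exe,0\r\n",
           "AutoRun.exe": None},
}


def run_checks(winlogon=SNAPSHOT_WINLOGON, roots=SNAPSHOT_ROOTS):
    return {"winlogon": check_winlogon(winlogon), "drives": check_drive_roots(roots)}


if __name__ == "__main__":
    for kind, findings in run_checks().items():
        print(kind, findings)
```

The Winlogon comparison works on the split command list rather than the raw string, so a trailing comma or case change does not produce a false finding while an appended program does. The autorun.inf parser only reads the [autorun] section, which is where Windows looks, and ignores icon= and label= keys that reference executables without launching them.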

Processes

  • C:\Users\Admin\AppData\Local\Temp\25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe

    Filesize

    2.9MB

    MD5

    e191948e8aca6c6667e00810499e9db8

    SHA1

    c56e9f100187886097fd9f3999bd1452fc42d3a3

    SHA256

    46f3544a835779ba6c4f2a0f95e8620925ba03bcb28cb5e4dea0d4b66b7e9c41

    SHA512

    a3d16ecaf66956f29fbdbbdcc474f1489827a88b338d576f3bbdc42ee0b78e734ea9849d1a79a3d65f6ce1de27c9a75c903b30adef3158f859b7f97952a08750

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    36a6278249291676eb4fa1e03cb93f46

    SHA1

    09477394cd7c9541dcf71abd841b44d60f26e904

    SHA256

    fe84b006195fe01b1ddf80091c80d6d6a3d2131ee65efe792018ab245a7121d7

    SHA512

    1c8c7e0c21117c2753530521b1043bd8e4b8c1a9730d6a6f7d1cd0e67beff24b0fcf0f5b80f8b1c1556fd87b5499f133c6e27c50d961be70058e009698396b04

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    2979f4d91a7af5559f68c1d4e285caf5

    SHA1

    a76f0f0211de328d809f96566c940e92298dcb21

    SHA256

    5d2394313021c87da9889cf569a272c9ba9143f98c9faccef8dc13afbc34ef87

    SHA512

    f97e329576039d98d9369e8b419316a337099ae2496372a6d999ef53ac0f910effe9f9589e0d4d0b3a12506db3b3e08f011eba098ff76939d7447799aeea3090

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.9MB

    MD5

    25b57ff2fe11322bcf72283bbd6ae6be

    SHA1

    a344850c803e966e74163b66af20014b104996d4

    SHA256

    79bc2c38683eb148a21522a5614d2cbf081a6e746e4275a2d91f30e38cda0269

    SHA512

    f09aa0e795bb5cc0ab31707eb62daa714802e8609a280439bd336b887d81c07f2665e669f5e0ca027c91ec178abb94fb0e35c7c718b510b44a0719c9defe1779

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.9MB

    MD5

    ad829f24697ab5836b3e93d3c014f7a4

    SHA1

    b95d212648b5b57abe2a84190c351def10c85132

    SHA256

    df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2

    SHA512

    01c110bf6662b0df58a3ef6f8db64ad4bd5165998603f5d48dc7388cce27a306b0c41ea08985d331a44f8f422044cc44d8fc9048a6a346519776630c8ac72888

  • memory/2092-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/2728-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2728-224-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB
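The Downloads section lists hashes for each dropped file but leaves the reader to correlate them with the submitted sample. The following is an added example, not tria.ge output and not the sample's code: Python that embeds the paths, reported sizes and SHA256 values from this report and works out which drops are byte-identical to the sample, which are same-size copies with a different hash, which drive root received an autorun.inf next to an executable, and which path was written more than once. The only assumption is that the report's rounded size strings ("2.9MB") are compared as printed.

```python
"""Correlate the dropped files from the report's Downloads section with the
submitted sample. Added example; records below are copied from this report."""
import ntpath
from collections import defaultdict

SAMPLE_SHA256 = "79bc2c38683eb148a21522a5614d2cbf081a6e746e4275a2d91f30e38cda0269"
SAMPLE_SIZE = "2.9MB"  # size as printed by the report, so comparisons are to that precision

# (path, size as printed, sha256) from the Downloads section of this report
DROPS = [
    (r"C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe", "2.9MB",
     "46f3544a835779ba6c4f2a0f95e8620925ba03bcb28cb5e4dea0d4b66b7e9c41"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk", "1KB",
     "fe84b006195fe01b1ddf80091c80d6d6a3d2131ee65efe792018ab245a7121d7"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk", "950B",
     "5d2394313021c87da9889cf569a272c9ba9143f98c9faccef8dc13afbc34ef87"),
    (r"F:\AUTORUN.INF", "145B",
     "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"),
    (r"F:\AutoRun.exe", "2.9MB",
     "79bc2c38683eb148a21522a5614d2cbf081a6e746e4275a2d91f30e38cda0269"),
    (r"\Windows\SysWOW64\HelpMe.exe", "2.9MB",
     "df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2"),
]


def classify_drops(drops, sample_sha256=SAMPLE_SHA256, sample_size=SAMPLE_SIZE):
    """Split drops into exact copies of the sample and same-size files with another hash."""
    identical, variants = [], []
    for path, size, sha in drops:
        if sha == sample_sha256:
            identical.append(path)
        elif size == sample_size:
            variants.append(path)
    return identical, variants


def autorun_seeded_drives(drops):
    """Drive roots that hold both an autorun.inf and an executable."""
    by_root = defaultdict(set)
    for path, _, _ in drops:
        drive, tail = ntpath.splitdrive(path)
        head, name = ntpath.split(tail)
        if drive and head == "\\":  # file sits directly in the drive root
            by_root[drive.upper()].add(name.lower())
    return sorted(drive for drive, names in by_root.items()
                  if "autorun.inf" in names and any(n.endswith(".exe") for n in names))


def rewritten_paths(drops):
    """Paths listed more than once with different hashes, i.e. written repeatedly."""
    seen = defaultdict(set)
    for path, _, sha in drops:
        seen[path].add(sha)
    return sorted(path for path, hashes in seen.items() if len(hashes) > 1)


if __name__ == "__main__":
    identical, variants = classify_drops(DROPS)
    print("identical to sample:", identical)
    print("same size, different hash:", variants)
    print("autorun-seeded drives:", autorun_seeded_drives(DROPS))
    print("rewritten paths:", rewritten_paths(DROPS))
```

The result worth noting is that only F:\AutoRun.exe is a verbatim copy of the sample: the copy planted for persistence (HelpMe.exe) and the one in $Recycle.Bin have the sample's size but different hashes, so blocking on the submitted file's hash alone would miss the on-host copies, and a size-plus-path or behavioural indicator is the safer hunt. The report also shows HelpMe.exe executed from C:\Windows\system32\ while the file is listed under \Windows\SysWOW64\; since the image is tagged arch:x86, that is WOW64 file-system redirection of a 32-bit process, so hunt in both directories.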