Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/10/2024, 21:28
Static task: static1
Behavioral task: behavioral1
Sample: 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe
Size: 2.9MB
MD5: 25b57ff2fe11322bcf72283bbd6ae6be
SHA1: a344850c803e966e74163b66af20014b104996d4
SHA256: 79bc2c38683eb148a21522a5614d2cbf081a6e746e4275a2d91f30e38cda0269
SHA512: f09aa0e795bb5cc0ab31707eb62daa714802e8609a280439bd336b887d81c07f2665e669f5e0ca027c91ec178abb94fb0e35c7c718b510b44a0719c9defe1779
SSDEEP: 12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3Wv:xEtl9mRda1MIHYPyBashXG3Wv
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe |
Renames multiple (91) files with added filename extension
This suggests ransomware activity, i.e. encryption of all the files on the system.
Drops startup file 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe |
Executes dropped EXE 1 IoCs

| pid | Process |
| --- | --- |
| 2092 | HelpMe.exe |
Loads dropped DLL 2 IoCs

| pid | Process |
| --- | --- |
| 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Both processes open the same 23 drive roots (every letter A: to Z: except C:, D: and F:), 46 IoCs in total, grouped here by process:

| description | Process | ioc |
| --- | --- | --- |
| File opened (read-only) | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: |
| File opened (read-only) | HelpMe.exe | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: |
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| File opened for modification | C:\AUTORUN.INF | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| File opened for modification | F:\AUTORUN.INF | HelpMe.exe |
Drops file in System32 directory 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe |
Suspicious use of WriteProcessMemory 4 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2728 wrote to memory of 2092 | 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe | 30 |
| PID 2728 wrote to memory of 2092 | 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe | 30 |
| PID 2728 wrote to memory of 2092 | 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe | 30 |
| PID 2728 wrote to memory of 2092 | 2728 | 25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe | 30 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25b57ff2fe11322bcf72283bbd6ae6be_JaffaCakes118.exe"
   PID: 2728
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\HelpMe.exe (child of process 1)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 2092
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads