Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/10/2024, 21:40
Static task: static1
Behavioral task: behavioral1
  Sample: 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
The signatures, process tree and dropped files below are from behavioral1 (the Windows 7 x64 image named under Analysis); the behavioral2 run on win10v2004-20241007-en is not shown on this page.
General
- Target: 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
- Size: 9.1MB
- MD5: 25d7c9ba82bd909ce4224177a87424c4
- SHA1: cdbe6272122b68ec2d666c3068733b3f17c1941f
- SHA256: a9b94093b5b8d953f43259f470b79a56b0582fd856e56905f831d5d94719ac93
- SHA512: 0b2f205f048f7c4e691ded300176fbdf40b1413f998bc85eb1fa1d5d239d8c55a92dd65965350f0ca1ab9ae5cbfea81a0ffb24a3df715ba5f5a86b2d2012cfa5
- SSDEEP: 98304:PE2cJIMzKpXOMGQ+IM/E2cJIMzKpIkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMu:PnwI2ly+IunwI24I2ly8
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
  Both the sample and its dropped copy append HelpMe.exe to the Winlogon Shell value, so Winlogon would start the payload next to Explorer at every interactive logon. Note the key path: the 32-bit process was redirected into the Wow6432Node view, whereas the 64-bit winlogon.exe on this x64 image reads the native key, so the value is unlikely to be honoured here and this entry matters mainly on 32-bit Windows. Hunt in both views, and treat the Startup-folder shortcut below as the persistence that works regardless of bitness.
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system. The report lists neither the added extension nor the affected paths, so the ransomware reading is unconfirmed from this page alone; the AUTORUN.INF writes and the self-copy into SysWOW64 below are equally consistent with a worm that spreads through attached drives.
- Drops startup file (3 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2844 | HelpMe.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2780 | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  2780 | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\<X>: by 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe, for each X in A B E G H I J K L M N O P Q R S T U V W X Y Z (23 IoCs)
  File opened (read-only) \??\<X>: by HelpMe.exe, for the same 23 drive letters (23 IoCs)
  Both processes probe every letter except C, D and F; the F: volume is nonetheless written to (AUTORUN.INF) in the next signature.
- Drops autorun.inf file (1 TTPs, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | process
  File opened for modification | F:\AUTORUN.INF | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  File opened for modification | C:\AUTORUN.INF | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  File opened for modification | F:\AUTORUN.INF | HelpMe.exe
  Windows 7 and later do not auto-execute autorun.inf from non-optical removable drives, so this is a legacy propagation path; the file's contents are not shown in the report.
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\HelpMe.exe | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe
  Runtimes read this key routinely while initialising locale data, so on its own it carries little weight.
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | procid_target
  PID 2780 wrote to memory of 2844 | 2780 | 25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe | 31 (logged 4 times)
  All four writes go from the parent into its freshly spawned child HelpMe.exe. Ordinary process creation produces parent-to-child writes of this kind, so without a follow-on remote thread or a replaced image they do not by themselves indicate injection.
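The three persistence and propagation signatures above (Winlogon Shell, Startup-folder shortcut, AUTORUN.INF on a drive root) map directly onto endpoint telemetry. The following Python is an added example, not part of the tria.ge report or the sample; the event tuples are constructed to mirror the report's IoC lines, and the (type, process, target, value) layout is an assumption that would be filled from real telemetry such as Sysmon registry-set and file-create events.

```python
"""Detection logic for the persistence/propagation IoCs in this report.

Added example, not tria.ge code. SAMPLE_EVENTS is constructed to mirror the
report's IoC lines; the (event_type, process, target, value) layout is an
assumption and would be mapped from real telemetry (e.g. Sysmon 11 and 13).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[str, str, str, Optional[str]]  # (type, process, path_or_key, value)

# Constructed sample events modelled on the report (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    ("RegSetValue", "25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Explorer.exe HelpMe.exe"),
    ("RegSetValue", "HelpMe.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Explorer.exe HelpMe.exe"),
    ("RegSetValue", "setup.exe",  # benign: default value written to the native key
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "explorer.exe"),
    ("FileCreate", "25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk", None),
    ("FileCreate", "HelpMe.exe", r"F:\AUTORUN.INF", None),
    ("FileCreate", "HelpMe.exe", r"C:\Windows\SysWOW64\HelpMe.exe", None),
    ("FileCreate", "notepad.exe", r"C:\Users\Admin\Documents\autorun.inf", None),  # not a drive root
]

# Matches the Shell value in either the native or the Wow6432Node view.
WINLOGON_SHELL_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.IGNORECASE)
# Anything executable or a shortcut dropped directly into a Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|exe|bat|cmd|vbs|js)$", re.IGNORECASE)
# autorun.inf only matters at the root of a volume.
DRIVE_ROOT_AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def shell_extras(value: str) -> List[str]:
    """Return every program in a Winlogon Shell value other than explorer.exe.

    The legitimate value is exactly "explorer.exe"; the sample appends its
    payload so Winlogon launches both at every interactive logon. Entries may
    be comma- or space-separated, quoted, or given as full paths.
    """
    extras = []
    for tok in re.split(r"[,\s]+", value.strip()):
        name = tok.strip('"').rsplit("\\", 1)[-1].lower()
        if name and name != "explorer.exe":
            extras.append(name)
    return extras


def is_wow64_view(key: str) -> bool:
    """True when the write landed in the 32-bit (Wow6432Node) registry view."""
    return "\\wow6432node\\" in key.lower()


def triage(events: List[Event]) -> List[Finding]:
    """Run the three rules over a list of events and collect findings in order."""
    findings: List[Finding] = []
    for etype, proc, target, value in events:
        if etype == "RegSetValue" and WINLOGON_SHELL_RE.search(target):
            extras = shell_extras(value or "")
            if extras:
                view = "WOW64 view" if is_wow64_view(target) else "native view"
                findings.append(Finding("winlogon_shell_hijack", proc, f"{' '.join(extras)} ({view})"))
        elif etype == "FileCreate":
            if STARTUP_DIR_RE.search(target):
                findings.append(Finding("startup_folder_drop", proc, target))
            elif DRIVE_ROOT_AUTORUN_RE.match(target):
                findings.append(Finding("autorun_inf_drop", proc, target))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.process:52} {f.detail}")
```

Run on the constructed events this yields two Winlogon findings (both flagged as WOW64-view writes, which is the detail that tells you the 64-bit Winlogon may never read them), one Startup-folder finding for Soft.lnk and one AUTORUN.INF finding for F:\; the benign Shell write and the autorun.inf under Documents produce nothing.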
Processes
- C:\Users\Admin\AppData\Local\Temp\25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe (PID 2780)
  command line: "C:\Users\Admin\AppData\Local\Temp\25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe (PID 2844, child of 2780)
    command line: C:\Windows\system32\HelpMe.exe
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
The child is launched with a C:\Windows\system32 path but its image resolves to SysWOW64: the 32-bit parent is subject to file-system redirection, which is also why its registry writes landed under Wow6432Node.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9.1MB
  MD5: 2c0f67f4cfcaa333a5903f9013cd683b
  SHA1: 373a1d4a9688bc99047cf361998381b90a534111
  SHA256: a3705c2d7f62ec850dd1566598b8c6816d93575648dd11a91b94da706f6eb75c
  SHA512: 2c08f549e4ffa6ef9ef00a717c4143b6ede30531c151a0ae908e58d48e4f040533cc2f52efa45f67066e09341c3dc0aeec7cc519a386a97f782e9e3229fa4d24
- Filesize: 1KB
  MD5: b0745c4f06c5867c49c7a4597ab5636c
  SHA1: 08acb7568603103112bcff97645c55f7250e5bc4
  SHA256: 863600b96e5d4a5a49eff2d5a299d7d3b760c1368003fba0e41c2a1d5bf8d501
  SHA512: 3b7826290d5a37887200f963e97e82b735cbb890c9e563b8970d04e3022a2220c06adbf033b0e4ba37661cc61d6d46d44a491bcb2302223b4070835fa25f4adf
- Filesize: 950B
  MD5: ecc2498e24381f5579565ada901b4eeb
  SHA1: 0fad75195ba36cdb013f8ee567b50d9e3099784b
  SHA256: d473ed199676eaf1273bae51df47ad5beb5b7b75965c6b32dcf01a512493e923
  SHA512: 6a1a828003759a45070f454565f88bbfdd064b3a2ead42b3b821eecb617ead1f10af3cd1a784b27028c906be331a32e94bdfdde4a050953945a991e139a3366b
- Filesize: 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
- Filesize: 9.1MB (hashes identical to the submitted sample)
  MD5: 25d7c9ba82bd909ce4224177a87424c4
  SHA1: cdbe6272122b68ec2d666c3068733b3f17c1941f
  SHA256: a9b94093b5b8d953f43259f470b79a56b0582fd856e56905f831d5d94719ac93
  SHA512: 0b2f205f048f7c4e691ded300176fbdf40b1413f998bc85eb1fa1d5d239d8c55a92dd65965350f0ca1ab9ae5cbfea81a0ffb24a3df715ba5f5a86b2d2012cfa5
- Filesize: 9.1MB
  MD5: 60f16d896ad91156912e4728018296eb
  SHA1: 8687666190cbd4d514c8b9c1b7a09512f4e15256
  SHA256: 6fb66817731c4e03f3a56db0197c1c841931fe90b26ec9691ec4ddd5092a30a2
  SHA512: 5ece96921df6529d84db4fb44b4e10ac160003a176ca0429176a8af8b8f63b39a268e13e2ceb00b35f754892030be873b3a63be30c1158b05ba0de8c610c88f6
The report does not name these artifacts. Three of the six are 9.1MB, the same size as the sample: one is byte-identical to it, and the other two differ in content at the same size, so the dropped copies are not all plain duplicates. Pivot on all six hash sets, not only the sample's.