Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 21:40

General

  • Target

    25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe

  • Size

    9.1MB

  • MD5

    25d7c9ba82bd909ce4224177a87424c4

  • SHA1

    cdbe6272122b68ec2d666c3068733b3f17c1941f

  • SHA256

    a9b94093b5b8d953f43259f470b79a56b0582fd856e56905f831d5d94719ac93

  • SHA512

    0b2f205f048f7c4e691ded300176fbdf40b1413f998bc85eb1fa1d5d239d8c55a92dd65965350f0ca1ab9ae5cbfea81a0ffb24a3df715ba5f5a86b2d2012cfa5

  • SSDEEP

    98304:PE2cJIMzKpXOMGQ+IM/E2cJIMzKpIkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMu:PnwI2ly+IunwI24I2ly8

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    Triage's generic reading of this signature is ransomware-style bulk renaming of files on the system. In this run the appended extension is .exe (see desktop.ini.exe under Downloads, which has the same 9.1MB size as the sample), so the behaviour is also consistent with a worm copying itself under existing file names rather than encrypting them.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\25d7c9ba82bd909ce4224177a87424c4_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2844

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

    Filesize

    9.1MB

    MD5

    2c0f67f4cfcaa333a5903f9013cd683b

    SHA1

    373a1d4a9688bc99047cf361998381b90a534111

    SHA256

    a3705c2d7f62ec850dd1566598b8c6816d93575648dd11a91b94da706f6eb75c

    SHA512

    2c08f549e4ffa6ef9ef00a717c4143b6ede30531c151a0ae908e58d48e4f040533cc2f52efa45f67066e09341c3dc0aeec7cc519a386a97f782e9e3229fa4d24

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    b0745c4f06c5867c49c7a4597ab5636c

    SHA1

    08acb7568603103112bcff97645c55f7250e5bc4

    SHA256

    863600b96e5d4a5a49eff2d5a299d7d3b760c1368003fba0e41c2a1d5bf8d501

    SHA512

    3b7826290d5a37887200f963e97e82b735cbb890c9e563b8970d04e3022a2220c06adbf033b0e4ba37661cc61d6d46d44a491bcb2302223b4070835fa25f4adf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    ecc2498e24381f5579565ada901b4eeb

    SHA1

    0fad75195ba36cdb013f8ee567b50d9e3099784b

    SHA256

    d473ed199676eaf1273bae51df47ad5beb5b7b75965c6b32dcf01a512493e923

    SHA512

    6a1a828003759a45070f454565f88bbfdd064b3a2ead42b3b821eecb617ead1f10af3cd1a784b27028c906be331a32e94bdfdde4a050953945a991e139a3366b

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    9.1MB

    MD5

    25d7c9ba82bd909ce4224177a87424c4

    SHA1

    cdbe6272122b68ec2d666c3068733b3f17c1941f

    SHA256

    a9b94093b5b8d953f43259f470b79a56b0582fd856e56905f831d5d94719ac93

    SHA512

    0b2f205f048f7c4e691ded300176fbdf40b1413f998bc85eb1fa1d5d239d8c55a92dd65965350f0ca1ab9ae5cbfea81a0ffb24a3df715ba5f5a86b2d2012cfa5

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    9.1MB

    MD5

    60f16d896ad91156912e4728018296eb

    SHA1

    8687666190cbd4d514c8b9c1b7a09512f4e15256

    SHA256

    6fb66817731c4e03f3a56db0197c1c841931fe90b26ec9691ec4ddd5092a30a2

    SHA512

    5ece96921df6529d84db4fb44b4e10ac160003a176ca0429176a8af8b8f63b39a268e13e2ceb00b35f754892030be873b3a63be30c1158b05ba0de8c610c88f6

  • memory/2780-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2844-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2844-228-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
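The hashes above already tell a story worth checking programmatically: F:\AutoRun.exe carries exactly the MD5/SHA1/SHA256/SHA512 of the submitted sample, so it is a byte-identical copy, while desktop.ini.exe and HelpMe.exe have the same 9.1MB size but different digests, so they are not plain copies (the report does not say why). Note also that the child process was launched as C:\Windows\system32\HelpMe.exe but the file landed in C:\Windows\SysWOW64\HelpMe.exe: the sample is tagged arch:x86, and a 32-bit process on x64 Windows has its writes to system32 redirected to SysWOW64, so a hunt must hash both directories. The block below is an added example, not part of the report or any Triage tooling; the SHA-256 values are copied from the Downloads list above, and the function names, labels and the self-check payload are the editor's constructions.

```python
"""Match files recovered from a host against the SHA-256 digests the report lists.

Added example; the digests are copied from the report, everything else is constructed.
"""
import hashlib
from pathlib import Path

SAMPLE_SHA256 = "a9b94093b5b8d953f43259f470b79a56b0582fd856e56905f831d5d94719ac93"

# SHA-256 -> label, as listed under Downloads. F:\AutoRun.exe shares the sample's digest.
KNOWN_HASHES = {
    SAMPLE_SHA256: "submitted sample (byte-identical copy)",
    "a3705c2d7f62ec850dd1566598b8c6816d93575648dd11a91b94da706f6eb75c": r"desktop.ini.exe dropped in C:\$Recycle.Bin",
    "863600b96e5d4a5a49eff2d5a299d7d3b760c1368003fba0e41c2a1d5bf8d501": "Soft.lnk (Startup folder, first version)",
    "d473ed199676eaf1273bae51df47ad5beb5b7b75965c6b32dcf01a512493e923": "Soft.lnk (Startup folder, second version)",
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae": r"F:\AUTORUN.INF",
    "6fb66817731c4e03f3a56db0197c1c841931fe90b26ec9691ec4ddd5092a30a2": r"\Windows\SysWOW64\HelpMe.exe",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so 9.1MB droppers do not have to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(sha256: str, manifest: dict = None):
    """Return the label for a digest, or None if it is not in the manifest. Case-insensitive."""
    table = KNOWN_HASHES if manifest is None else manifest
    return table.get(sha256.strip().lower())


def scan_tree(root, manifest: dict = None) -> list:
    """Hash every regular file under root and return (path, label) for each match."""
    matches = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        label = classify(sha256_file(p), manifest)
        if label is not None:
            matches.append((str(p), label))
    return matches


def selfcheck() -> list:
    """Scan a throwaway directory holding one constructed file against a one-entry manifest."""
    import tempfile
    payload = b"constructed test payload, not the sample"  # constructed, not malware
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "desktop.ini.exe").write_bytes(payload)
        manifest = {sha256_hex(payload): "constructed test file"}
        return [label for _, label in scan_tree(d, manifest)]


if __name__ == "__main__":
    import sys
    # Usage: python match_drops.py <dir> [<dir> ...]; on x64 hosts pass both
    # C:\Windows\System32 and C:\Windows\SysWOW64 because of WoW64 redirection.
    for root in sys.argv[1:] or []:
        for path, label in scan_tree(root):
            print(f"{path}: {label}")
    print("selfcheck:", selfcheck())
```

Exact-hash matching only finds byte-identical copies; the differing digests of desktop.ini.exe and HelpMe.exe are the reason the report also publishes an SSDEEP value, and a fuzzy-hash comparison (not shown here) is what would link further copies that this table misses.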