Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 09:49

General

  • Target

    2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

  • Size

    7.8MB

  • MD5

    2ef7ab99a6f493e6057f8e2cd3038b98

  • SHA1

    46a74eac26a3fe8ba7da7c7ba5f5f8482effab03

  • SHA256

    ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

  • SHA512

    23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107

  • SSDEEP

    98304:Ji0ti/LR5W6oIMzKpXOai0ti/LR5W6oIMzKpXOk:802boI2lj02boI2lk

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This is consistent with ransomware encrypting files on the system. Confirm before concluding that: the one renamed file listed under Downloads (desktop.ini.exe, 7.8MB) is the same size as the sample itself, so check whether the renamed files were encrypted or overwritten with copies of the executable.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs
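The signatures above point at three host artefacts an analyst would look for on a suspect machine: a modified Winlogon Shell or Userinit value, an autorun.inf dropped at a volume root, and data files that gained a trailing .exe. The Python below is an added example, not tria.ge tooling and not code from the sample: it checks a reg-export text for non-default Winlogon values and walks a directory tree for the other two artefacts. The reg-export contents, the autorun.inf body, the SID and the file names are constructed for illustration and modelled on the paths in this report; the report does not show the actual values the sample wrote.

```python
"""Triage checks for the behaviours flagged in the report (added example).
Inputs are constructed inline so the script runs offline on any platform."""
import os
import re
import shutil
import tempfile

# Stock Windows 7 Winlogon values (assumption: no legitimate custom shell).
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed reg-export text. The HelpMe.exe entry is illustrative of how a
# Userinit hijack looks; the report does not show the value the sample wrote.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\HelpMe.exe,"
'''

# Data-file extensions that should never carry a trailing .exe.
DATA_EXTS = {".ini", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}


def winlogon_findings(reg_export: str) -> list:
    """Return (name, value) for Shell/Userinit values that differ from defaults.
    Reg exports double every backslash, so values are unescaped first."""
    findings = []
    for m in re.finditer(r'^"(Shell|Userinit)"="(.*)"$', reg_export, re.M):
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        expected = WINLOGON_DEFAULTS[name].rstrip(",").lower()
        if value.strip().rstrip(",").lower() != expected:
            findings.append((name, value))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a volume: flag autorun.inf at the root and <data ext>.exe files.
    Paths are returned relative to root with forward slashes."""
    root = os.path.normpath(root)
    out = {"autorun": [], "renamed": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            low = name.lower()
            if low == "autorun.inf" and os.path.normpath(dirpath) == root:
                out["autorun"].append(rel)
            base, ext = os.path.splitext(low)
            if ext == ".exe" and os.path.splitext(base)[1] in DATA_EXTS:
                out["renamed"].append(rel)
    out["renamed"].sort()
    return out


def build_demo_tree() -> str:
    """Constructed layout modelled on the F: drive and $Recycle.Bin paths in the report."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "$Recycle.Bin", "S-1-5-21-1000"))
    os.makedirs(os.path.join(root, "Docs"))
    files = {
        "AUTORUN.INF": b"[autorun]\r\nopen=AutoRun.exe\r\n",  # constructed, not the real 145B file
        "AutoRun.exe": b"MZ-constructed",
        "$Recycle.Bin/S-1-5-21-1000/desktop.ini.exe": b"MZ-constructed",
        "Docs/report.docx.exe": b"MZ-constructed",
        "Docs/notes.txt": b"benign",
        "Docs/setup.exe": b"MZ-constructed",  # plain .exe, should not be flagged
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


def run_demo() -> dict:
    """Build the constructed tree, scan it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
    print(winlogon_findings(SAMPLE_REG))
```

On a real host the reg-export text would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and `scan_tree` would be pointed at each mounted volume root; the Userinit comparison tolerates the trailing comma and case differences so a stock value is not flagged, while any appended path is.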

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe

    Filesize

    7.8MB

    MD5

    2acb575138b6851d2ceb2cf402e8ffc0

    SHA1

    58ecb9380290bfc8ca4642be50d71bfa82088264

    SHA256

    8c270f66f329006f2c788c02c9a78474f5dc3db698afc7545f6f79ce1bcf5efc

    SHA512

    b8962683bcd529e41c0dea01fa1794356949fcbb611137ec6182b24a969b61abffc9488b5f821352dd1c474f91a5bda40d5956ec0350e91c61fef53c3136862e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    aeff18a1a0ad63129b68a2261814aea3

    SHA1

    8a23ca3d17bc2b79629ab8328bd884f57d86d135

    SHA256

    9e65c3210ceb4349966f44c0d5f567bdae4a3d6c76165ab481148ba6e24d468f

    SHA512

    a15283f735abf8bf02cff3ae94663afa6b1fecfa45865b9a4a6d46f29706d90ea46443117a25ebc598b91f583fbba3d6529120b8a49ab993f51cdec89eb8c258

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    61ec4db5d51bee2479626da422c5470f

    SHA1

    ece88f9f4dc87713aece3b11e4581579ff6d388e

    SHA256

    de0dd7b7ad8171aa3e3423cc1412e082cd6bb4b2c2dc430af2280872fc116f5f

    SHA512

    69f9b980e98702944a58f7916554b4ca5c4726a85a0a26c7c10be98bf579b5a37e73cb182a175d7e5ecb93ec4aa2d2fce1b95632a9b85fd64901dd77b2971978

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    7.8MB

    MD5

    2ef7ab99a6f493e6057f8e2cd3038b98

    SHA1

    46a74eac26a3fe8ba7da7c7ba5f5f8482effab03

    SHA256

    ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

    SHA512

    23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    5.8MB

    MD5

    4139196f29b96e1205491cf1412aa1cc

    SHA1

    f88e119fbc723ce29135f4a2f598e4257a99dd2d

    SHA256

    5ae297ad945e61bdc53677e81fb433e98f8ea605ddf7400646956332cd537845

    SHA512

    d7adcb91745b435860ac0b3c3b5f4b0e5b4d29b4e5e0a6eae6f0c27bb245a1e1e2948a128ae71c184b347ac109543fc488b69f424d0087a6efa96003854a9caa

  • memory/2768-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/3020-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB