Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 02:51
Behavioral task behavioral1
  Sample: 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
Size: 9.1MB
MD5: 4b1b48638ef3cbc9331c46e3b4e401f9
SHA1: 006162b01055eec1a290b17e15da5849373ffea0
SHA256: c93330b32987c7050b4755fd051910c9394e1d26e7be43554b2628823753e630
SHA512: 2c5cc5c3ef26486bfff200fffbbe5d67bba7ad819c823c1d922ee18ea3d733cabb7248565b4c3cc76e806e67cb421e5cb03b90c1b79d11a67dc1ab910bc3eace
SSDEEP: 12288:zMMpXKb0hNGh1kG0HWNAuCsltHlYz5c/tj8sWn85bM3npxYfj63hgD1Zi:zMMpXS0hN0V0HDIHytjsWb3npi63i
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe |

The stock value of Winlogon\Shell is explorer.exe; appending HelpMe.exe makes Winlogon start the dropped binary alongside Explorer at every interactive logon. The Wow6432Node path shows the write came from a 32-bit process (the sample is tagged arch:x86) and landed in the 32-bit registry view, so when hunting on 64-bit hosts check both the native Winlogon key and the Wow6432Node one.
Renames multiple (91) files with added filename extension
Mass renaming of files with an appended extension is typical of ransomware encrypting the files on the system.
Three dropped files match the yara_rule aspack_v212_v242 (ASPack packer):

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000012281-2.dat | aspack_v212_v242 |
| behavioral1/files/0x0007000000016dd0-39.dat | aspack_v212_v242 |
| behavioral1/files/0x0001000000000026-55.dat | aspack_v212_v242 |
Drops startup file (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 2992 | HelpMe.exe |
Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Both processes open the same 23 drive roots read-only (every letter A: through Z: except C:, D: and F:); the 46 IoCs are listed here grouped by process and sorted:

| description | Process | ioc |
|---|---|---|
| File opened (read-only) | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: |
| File opened (read-only) | HelpMe.exe | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: |

A sweep of every drive letter is the discovery step for the removable-media spreading shown in the next signature: each drive root that exists is a candidate for an AUTORUN.INF drop.
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.

| description | ioc | Process |
|---|---|---|
| File opened for modification | F:\AUTORUN.INF | HelpMe.exe |
| File opened for modification | F:\AUTORUN.INF | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| File opened for modification | C:\AUTORUN.INF | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
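The Winlogon Shell change, the Startup-folder drop and the AUTORUN.INF writes above are this report's persistence and spreading IoCs. The following is an added example, written for this page and not part of the tria.ge report or its tooling: it parses IoC lines in the report's "description ioc Process" layout and runs three detection rules over them (a Winlogon Shell/Userinit value carrying anything besides the stock launcher, a file write to a drive-root AUTORUN.INF, and any file created in a user's Startup folder). The five input lines are copied from this report's tables and embedded as constructed input, including two lines that should not fire. The rule names, the EXPECTED_LAUNCHERS defaults and the ATT&CK technique IDs attached to findings are my own choices; the report shows TTP counts, not IDs.

```python
"""Detection rules over Triage-style IoC lines (added example, not from the report)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from this report's signature tables, collapsed to
# one "description ioc Process" line each. Lines 4 and 5 are negatives and should
# produce no finding.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
File opened for modification F:\AUTORUN.INF HelpMe.exe
File created C:\Windows\SysWOW64\HelpMe.exe 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HelpMe.exe
"""

# Event descriptions that occur in this report. Process names here contain no
# spaces, so the last whitespace-separated token is taken as the process.
DESCRIPTIONS = (
    "Set value (str)",
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Key opened",
)
LINE_RE = re.compile(
    r"^(?P<desc>" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r")\s+"
    r"(?P<ioc>.+?)\s+(?P<proc>\S+)$"
)

# Stock Windows launcher values (my assumption of the defaults). Userinit keeps a
# trailing comma in the registry, which split_launchers() discards.
EXPECTED_LAUNCHERS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
WINLOGON_VALUE_RE = re.compile(r"\\Winlogon\\(?P<name>Shell|Userinit)\s*=\s*(?P<val>.*)$", re.I)
AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)


@dataclass(frozen=True)
class IoC:
    description: str
    ioc: str
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique ID: my mapping, the report lists counts only
    process: str
    detail: str


def parse_ioc(line: str) -> Optional[IoC]:
    """Split one table line into (description, ioc, process); None if the layout is unknown."""
    m = LINE_RE.match(line.strip())
    return IoC(m["desc"], m["ioc"], m["proc"]) if m else None


def split_launchers(value: str) -> List[str]:
    """Winlogon Shell/Userinit hold one or more launchers separated by commas or spaces."""
    return [t.lower() for t in re.split(r"[,\s]+", value.strip().strip('"')) if t]


def unexpected_launchers(name: str, value: str) -> List[str]:
    """Launchers in a Shell/Userinit value that are not the stock Windows one."""
    return [t for t in split_launchers(value) if t not in EXPECTED_LAUNCHERS[name.lower()]]


def evaluate(rec: IoC) -> List[Finding]:
    """Apply the three rules to one parsed IoC."""
    findings: List[Finding] = []
    if rec.description.startswith("Set value"):
        m = WINLOGON_VALUE_RE.search(rec.ioc)
        if m:
            extra = unexpected_launchers(m["name"], m["val"])
            if extra:
                findings.append(Finding("winlogon_helper", "T1547.004", rec.process,
                                        f"Winlogon\\{m['name']} also launches {', '.join(extra)}"))
    elif rec.description.startswith("File"):
        if AUTORUN_RE.match(rec.ioc):
            findings.append(Finding("autorun_inf", "T1091", rec.process, rec.ioc))
        if STARTUP_RE.search(rec.ioc):
            findings.append(Finding("startup_folder", "T1547.001", rec.process, rec.ioc))
    return findings


def scan(text: str) -> List[Finding]:
    """Run every rule over every parseable line; unknown layouts are skipped, not guessed."""
    findings: List[Finding] = []
    for line in text.splitlines():
        rec = parse_ioc(line)
        if rec:
            findings.extend(evaluate(rec))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_IOCS):
        print(f"{f.technique:<10} {f.rule:<16} {f.process:<52} {f.detail}")
```

Running it over the five lines yields exactly three findings, one per rule, and nothing for the SysWOW64 file write or the NLS\Language key read. The Winlogon rule normalises the value (quotes stripped, comma or space separated, case-folded) before comparing, so the stock "explorer.exe" and the stock Userinit value with its trailing comma pass while "Explorer.exe HelpMe.exe" is flagged for the extra launcher.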
Drops file in System32 directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\HelpMe.exe | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe |
Suspicious use of WriteProcessMemory (4 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2860 wrote to memory of 2992 | 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe | 30 |
| PID 2860 wrote to memory of 2992 | 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe | 30 |
| PID 2860 wrote to memory of 2992 | 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe | 30 |
| PID 2860 wrote to memory of 2992 | 2860 | 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe | 30 |
Processes
- C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe (PID 2860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe (PID 2992, child of PID 2860)
    Command line: C:\Windows\system32\HelpMe.exe
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery

The child's command line names C:\Windows\system32 while its image path is C:\Windows\SysWOW64: the sample is 32-bit (resource tag arch:x86) running on an x64 guest, so its System32 file write and process launch were redirected to SysWOW64 by WoW64 file system redirection. When hunting for the dropped copy on 64-bit hosts, check both directories.
Network
MITRE ATT&CK Enterprise v15
Downloads
Files captured in this run (the fifth entry has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample listed under General):

- Filesize: 9.1MB
  MD5: e9065685d242920569e6771ed5318c46
  SHA1: 08d47226a421a2b6ed3eae5913d10b51583f94da
  SHA256: f31cbc561dea701c262cbb0fc6348686e268fcf268f1d0b3492d7ffb45d8e357
  SHA512: bd66c3ffbb8f9666abb0247ea5bcccc2fbff9fc75e81b641b6d51bb5ec3c3fe961a30c3c8da0b47f04e3e3a9f674108b757984b2bb1ff77d624731ecd87226e0
- Filesize: 1KB
  MD5: 03237095b4fca817a9d2983035bf26fd
  SHA1: 314c9fc33fc49ffca73b18cdb5a44e5dc04c6ffe
  SHA256: f45a177dd03d4569db9ea692025a7e6d5bd7c04cdd3b07c7c8c153c4927b06d7
  SHA512: 4f929accd434eb4271bd7d1e837ae6b354c531251a5df3d5688d571e0235bed1b81200c37cbeb6b67c18eef5411b037dbcc88ff9b8fdb9afe2cf9f733c367581
- Filesize: 950B
  MD5: 89929f753e9cf7b90b06dfc9801db8e3
  SHA1: 05f9d7b6a360c4203f2973d28091896beee4964f
  SHA256: b5d8b9f3dd9364f6e156de74c1e6b2f4f1d8ae24a51a9f0a34972c02cc8e3dd5
  SHA512: 1782debde0bd0cc4bc851ac77826c93d53dff0dca065957e6ab2e1b6bc96bf4aa332e3a5af0f2ace4275eda548615d439ffde51d854146a91440501942a4acd2
- Filesize: 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
- Filesize: 9.1MB
  MD5: 4b1b48638ef3cbc9331c46e3b4e401f9
  SHA1: 006162b01055eec1a290b17e15da5849373ffea0
  SHA256: c93330b32987c7050b4755fd051910c9394e1d26e7be43554b2628823753e630
  SHA512: 2c5cc5c3ef26486bfff200fffbbe5d67bba7ad819c823c1d922ee18ea3d733cabb7248565b4c3cc76e806e67cb421e5cb03b90c1b79d11a67dc1ab910bc3eace
- Filesize: 9.1MB
  MD5: 82ec1e43b7783d81104525e75301c7e6
  SHA1: 5aaa246a9ad618bfc9fd0ff157d446693a551707
  SHA256: 4537a0ac45f0e102bd56c3b3613c2061a03a46ab8bbdb42aba37e82d90c22f4b
  SHA512: a849937a1e43aa6acc06c04c264b75da3cb0a33679ef4909d75a1610969aa7a5c481425dd9433c88b8dd9d6c01b1e3a2728d04629b86cc6835cff6ae3b1f1d44