Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/10/2024, 02:51

General

  • Target   4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
  • Size     9.1MB
  • MD5      4b1b48638ef3cbc9331c46e3b4e401f9
  • SHA1     006162b01055eec1a290b17e15da5849373ffea0
  • SHA256   c93330b32987c7050b4755fd051910c9394e1d26e7be43554b2628823753e630
  • SHA512   2c5cc5c3ef26486bfff200fffbbe5d67bba7ad819c823c1d922ee18ea3d733cabb7248565b4c3cc76e806e67cb421e5cb03b90c1b79d11a67dc1ab910bc3eace
  • SSDEEP   12288:zMMpXKb0hNGh1kG0HWNAuCsltHlYz5c/tj8sWn85bM3npxYfj63hgD1Zi:zMMpXS0hN0V0HDIHytjsWb3npi63i

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe
    Filesize  9.1MB
    MD5       e9065685d242920569e6771ed5318c46
    SHA1      08d47226a421a2b6ed3eae5913d10b51583f94da
    SHA256    f31cbc561dea701c262cbb0fc6348686e268fcf268f1d0b3492d7ffb45d8e357
    SHA512    bd66c3ffbb8f9666abb0247ea5bcccc2fbff9fc75e81b641b6d51bb5ec3c3fe961a30c3c8da0b47f04e3e3a9f674108b757984b2bb1ff77d624731ecd87226e0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize  1KB
    MD5       03237095b4fca817a9d2983035bf26fd
    SHA1      314c9fc33fc49ffca73b18cdb5a44e5dc04c6ffe
    SHA256    f45a177dd03d4569db9ea692025a7e6d5bd7c04cdd3b07c7c8c153c4927b06d7
    SHA512    4f929accd434eb4271bd7d1e837ae6b354c531251a5df3d5688d571e0235bed1b81200c37cbeb6b67c18eef5411b037dbcc88ff9b8fdb9afe2cf9f733c367581

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize  950B
    MD5       89929f753e9cf7b90b06dfc9801db8e3
    SHA1      05f9d7b6a360c4203f2973d28091896beee4964f
    SHA256    b5d8b9f3dd9364f6e156de74c1e6b2f4f1d8ae24a51a9f0a34972c02cc8e3dd5
    SHA512    1782debde0bd0cc4bc851ac77826c93d53dff0dca065957e6ab2e1b6bc96bf4aa332e3a5af0f2ace4275eda548615d439ffde51d854146a91440501942a4acd2

  • F:\AUTORUN.INF
    Filesize  145B
    MD5       ca13857b2fd3895a39f09d9dde3cca97
    SHA1      8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize  9.1MB
    MD5       4b1b48638ef3cbc9331c46e3b4e401f9
    SHA1      006162b01055eec1a290b17e15da5849373ffea0
    SHA256    c93330b32987c7050b4755fd051910c9394e1d26e7be43554b2628823753e630
    SHA512    2c5cc5c3ef26486bfff200fffbbe5d67bba7ad819c823c1d922ee18ea3d733cabb7248565b4c3cc76e806e67cb421e5cb03b90c1b79d11a67dc1ab910bc3eace

  • \Windows\SysWOW64\HelpMe.exe
    Filesize  9.1MB
    MD5       82ec1e43b7783d81104525e75301c7e6
    SHA1      5aaa246a9ad618bfc9fd0ff157d446693a551707
    SHA256    4537a0ac45f0e102bd56c3b3613c2061a03a46ab8bbdb42aba37e82d90c22f4b
    SHA512    a849937a1e43aa6acc06c04c264b75da3cb0a33679ef4909d75a1610969aa7a5c481425dd9433c88b8dd9d6c01b1e3a2728d04629b86cc6835cff6ae3b1f1d44

  • memory/2860-1-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize  4KB

  • memory/2992-9-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize  4KB

  • memory/2992-230-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize  4KB