Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2024, 23:05

General

  • Target

    64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe

  • Size

    510KB

  • MD5

    64866d78e76a8f8011819c82feba730f

  • SHA1

    31459152d39b4b5d2997f1eb30c702ddf8e374c4

  • SHA256

    b35d13c902151869430199a330b0a6aa44e26cc436138eccb6a36f6ce74767ca

  • SHA512

    219cbb3008ba12f67aadebc25308cdb7aa32a75a467a8fc3c294e36dbb849f57b62d26f8620023565a614c065356e2006dee92b1f8ec480848a1dd5a2cae8422

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRh32XVOMMpc1dqm15OJT:5MMpXKb0hNGh1kG0HWnALbicQna1

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.exe

    Filesize

    511KB

    MD5

    8fbdf8fb5bb23e1b1725e76740d7d265

    SHA1

    7a773e08a95676c7db249c39843f599f42f85698

    SHA256

    dd9ebaacf52e112a7ae9c304e4b6ee3d2e9b5053166fba4459479eba169e7b2a

    SHA512

    2a3ed393c8c95c7a4ea31267abea055a28a4c0149cfd1e3ed7b9a31159d3bc1b0c6b79f322317fe05efcac1c107b56fd540ae5b5ecef89e15d36a25ff74edaf9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    fa4cbbe36a4ad9f88ef1d30c8f5ba8cc

    SHA1

    10f6a7f72d03a3d95b3fde437fe2cda810ea8ac4

    SHA256

    ae78f3afd3a2df2b266fd8148860c351d6a1ad23022c0129350d09c34baed4db

    SHA512

    026e6b1d42f3342836b5f31c0396debcefa4b0a7b6d34129915606efa560f4c628905bd2c745523ca5757b3b5d4d8c2f904c4d231798d591e0d239deea1d348d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    12f8aa50ee0ca8bd5d23890debacf535

    SHA1

    54116eb38f8b014f8afd41be63334d34a3540198

    SHA256

    3fbb71976bd32a1861bf08dedbc96fa10ac87a119b49442667ceed72f0ab0ff2

    SHA512

    8204ff53527bcb393cd63fd0224cdb296898739712335b41b0833007d8edf930b0dacbf822052fca23864f83de58334ddf532f80251f0fe997ad338d82dde4d2

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    510KB

    MD5

    64866d78e76a8f8011819c82feba730f

    SHA1

    31459152d39b4b5d2997f1eb30c702ddf8e374c4

    SHA256

    b35d13c902151869430199a330b0a6aa44e26cc436138eccb6a36f6ce74767ca

    SHA512

    219cbb3008ba12f67aadebc25308cdb7aa32a75a467a8fc3c294e36dbb849f57b62d26f8620023565a614c065356e2006dee92b1f8ec480848a1dd5a2cae8422

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    487KB

    MD5

    c3e731d02b7a354d41f29d7b33176d2b

    SHA1

    f806bf4866b43e376d75a121194ba3650a856502

    SHA256

    709444a4f27181daa2113fb3adadaf01355aa68249fb08e32b81c09e06e52720

    SHA512

    5026f205ed0c845303d34bb9aa847647995f531b18ee3522cd8798694643bea5a38e16a902dd4e29c6a2c2d8ab583631da6431ccb5b1e5d279a8c32f59bdb0c6

  • memory/1712-0-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2064-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB