Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2024, 23:05
Behavioral task behavioral1
- Sample: 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
- Size: 510KB
- MD5: 64866d78e76a8f8011819c82feba730f
- SHA1: 31459152d39b4b5d2997f1eb30c702ddf8e374c4
- SHA256: b35d13c902151869430199a330b0a6aa44e26cc436138eccb6a36f6ce74767ca
- SHA512: 219cbb3008ba12f67aadebc25308cdb7aa32a75a467a8fc3c294e36dbb849f57b62d26f8620023565a614c065356e2006dee92b1f8ec480848a1dd5a2cae8422
- SSDEEP: 6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRh32XVOMMpc1dqm15OJT:5MMpXKb0hNGh1kG0HWnALbicQna1
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- resource | yara_rule
  behavioral1/files/0x000b00000001225e-2.dat | aspack_v212_v242
  behavioral1/files/0x000700000001921d-38.dat | aspack_v212_v242
  behavioral1/files/0x0001000000000026-46.dat | aspack_v212_v242
- Drops startup file (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2064 | HelpMe.exe
- Loads dropped DLL (31 IoCs)
  pid | Process
  1712 | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe (2 entries)
  2064 | HelpMe.exe (29 entries)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 entries, one per drive letter) | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 entries, one per drive letter) | HelpMe.exe
- Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\AUTORUN.INF | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  File opened for modification | C:\AUTORUN.INF | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  File opened for modification | F:\AUTORUN.INF | HelpMe.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\HelpMe.exe | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1712 wrote to memory of 2064 | 1712 | 64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe | 30 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"
  PID: 1712
  Signatures:
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe
    Command line: C:\Windows\system32\HelpMe.exe
    PID: 2064
    Signatures:
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads