Analysis
max time kernel: 145s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2024, 22:43
Static task: static1
Behavioral task: behavioral1
  Sample: 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
Size: 6.2MB
MD5: 64713b6d231e03e1321e8afd9ef7cddc
SHA1: 80999778729814821415559fa3bf4a0b06211750
SHA256: 3a838d77489e2e60c77d1bf82a0d7a82a02ed1ba9c1bf1441cbe8c64eb348de5
SHA512: c0f4cc345744b4031e154cc739cbf007cab4f5648b199d0bbc1bc39a8ecd6a0126ab795ce14cbcb950ca6dafc68ab11559e10fe194b29375c5b4a13e100bb2c1
SSDEEP: 24576:TEtl9mRda1XySGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJs:oEs1Xne
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
2272 | HelpMe.exe

Loads dropped DLL (2 IoCs)
pid | Process
1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\K: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\N: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\O: | HelpMe.exe
File opened (read-only) | \??\P: | HelpMe.exe
File opened (read-only) | \??\O: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\T: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\B: | HelpMe.exe
File opened (read-only) | \??\V: | HelpMe.exe
File opened (read-only) | \??\W: | HelpMe.exe
File opened (read-only) | \??\A: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\L: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\M: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\S: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\Q: | HelpMe.exe
File opened (read-only) | \??\U: | HelpMe.exe
File opened (read-only) | \??\J: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\V: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\J: | HelpMe.exe
File opened (read-only) | \??\Z: | HelpMe.exe
File opened (read-only) | \??\I: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\P: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\A: | HelpMe.exe
File opened (read-only) | \??\K: | HelpMe.exe
File opened (read-only) | \??\L: | HelpMe.exe
File opened (read-only) | \??\G: | HelpMe.exe
File opened (read-only) | \??\S: | HelpMe.exe
File opened (read-only) | \??\T: | HelpMe.exe
File opened (read-only) | \??\B: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\X: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\E: | HelpMe.exe
File opened (read-only) | \??\H: | HelpMe.exe
File opened (read-only) | \??\N: | HelpMe.exe
File opened (read-only) | \??\R: | HelpMe.exe
File opened (read-only) | \??\I: | HelpMe.exe
File opened (read-only) | \??\M: | HelpMe.exe
File opened (read-only) | \??\G: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\H: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\R: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\U: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\W: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened (read-only) | \??\X: | HelpMe.exe
File opened (read-only) | \??\Y: | HelpMe.exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HelpMe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1744 wrote to memory of 2272 | 1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe | 28
PID 1744 wrote to memory of 2272 | 1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe | 28
PID 1744 wrote to memory of 2272 | 1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe | 28
PID 1744 wrote to memory of 2272 | 1744 | 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe"
   PID: 1744
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 1744)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 2272
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads