Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2024, 00:28

General

  • Target

    64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    64dc58bd24a3c99ba0cf6a9e968cf955

  • SHA1

    644587fec32034690c3c644ac3c1c1e0c76fd6d7

  • SHA256

    d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab

  • SHA512

    b841edc19995ce99d483737ed48f5c6a0f3491804f7905f213564d5879d02abda8c8461d134a784098d1985e6a3cf3be341d6936bb7b1171b89373da102958e0

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnAL7MQ7:5MMpXS0hN0V0H7MMpXS0hN0V0H

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

    Filesize

    1.1MB

    MD5

    efbb8c39021a191804e40ac880f5e1bd

    SHA1

    757e418900ea6e4b985f469aba8e4c91bfe39129

    SHA256

    e19730ca30e77dc85a4e90fb5254fb9e3f06f75599bbc24acacd40ab21c0a0e7

    SHA512

    5cf41a059797d2c73d5fa48c834f6c9e18f2a51cad48e4d57969a30a9e80cd27b5f3cf3215f35c4f5e26190ffc52e5edbc6425ca9327178a3b97634dfd07a8e1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    ae50550166339f8be5e5e080c2f59a83

    SHA1

    94dbb5b6e73640b349a51fc5074e6614ffe227e7

    SHA256

    e89d5480428237090780ca04fb539fd5c5631847893f8e8ed915911b9a70686d

    SHA512

    18a673626ea9c25bbbc685d7a8027dbdb0bf2220bb1319ccea161d42077fc262b3091b9058d2d35191959c526ca6223af81c533b1dab07baa65bac3db97232d6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    e1f2702f1cd94a21e8d37e643ac99180

    SHA1

    d8f9b4f81a2117d6690ef74a6a39e3cc087a12a8

    SHA256

    632ed1412f345f9e6b34844b27109317a6b337981ae36b66c0d0b6efbe867fd1

    SHA512

    537ec7367acf5544cd022751b3d9a9c35d3a440b7fc9ea5231b123ed7882fded1636e2d0d441b5a3129da5ffc330baa5ceecffaf64484f7b11894b3b3db00334

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    1.1MB

    MD5

    6b10d2a8a979675036ddef0f3760159b

    SHA1

    4ad4ec3a4eb41d719153c691ae8fc0d3af0f5038

    SHA256

    f0a3a4e43a9f46e62eeeb2f718343aeadc6dc9672f6094ed7a130c923429b030

    SHA512

    eb9142a037a93f5d873496051bc74ab2bd8c2cb58a2b9d5e2664325661d31a98378860d492dd9532c72c20b28feca3bf0ba412cc7b88a2b98b514c67b19f64c8

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    1.1MB

    MD5

    64dc58bd24a3c99ba0cf6a9e968cf955

    SHA1

    644587fec32034690c3c644ac3c1c1e0c76fd6d7

    SHA256

    d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab

    SHA512

    b841edc19995ce99d483737ed48f5c6a0f3491804f7905f213564d5879d02abda8c8461d134a784098d1985e6a3cf3be341d6936bb7b1171b89373da102958e0

  • memory/108-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/108-70-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2348-10-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB