Analysis
- max time kernel: 146s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/10/2024, 00:28
Behavioral task
behavioral1
Sample
64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
64dc58bd24a3c99ba0cf6a9e968cf955
-
SHA1
644587fec32034690c3c644ac3c1c1e0c76fd6d7
-
SHA256
d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab
-
SHA512
b841edc19995ce99d483737ed48f5c6a0f3491804f7905f213564d5879d02abda8c8461d134a784098d1985e6a3cf3be341d6936bb7b1171b89373da102958e0
-
SSDEEP
12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnAL7MQ7:5MMpXS0hN0V0H7MMpXS0hN0V0H
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: HelpMe.exe)
Both writers are 32-bit processes (they run from SysWOW64), so WOW64 registry redirection placed the value under Wow6432Node. The 64-bit winlogon.exe reads the native Winlogon key, so on this x64 image the altered Shell value is not expected to be honoured at logon; the Startup-folder shortcut recorded below is the persistence that does take effect. A 64-bit host should still be checked in both registry views.
Renames multiple (91) files with added filename extension
Renaming this many files with an added extension is consistent with ransomware encrypting files across the system. The report does not list the renamed paths or the added extension, so confirm that file contents were actually encrypted (compare a renamed file with a known-good copy) before classifying the sample on this signal alone.
-
YARA matches (resource, rule):
- behavioral1/files/0x000900000001227e-7.dat: aspack_v212_v242
- behavioral1/files/0x0007000000016d2c-38.dat: aspack_v212_v242
- behavioral1/files/0x0001000000000026-52.dat: aspack_v212_v242
The rule name indicates the dropped files are ASPack-packed, so unpack them before static analysis.
Drops startup file 3 IoCs
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: HelpMe.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
Executes dropped EXE 1 IoCs
- PID 2348: HelpMe.exe
Loads dropped DLL 2 IoCs
- PID 108: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe (listed twice, one entry per DLL load)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Each process opens the same 23 drive letters read-only (46 IoCs in total); sorted, the list is identical for both:
- HelpMe.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
C:, D: and F: do not appear in this list; the autorun.inf signature below shows the sample writing to C:\ and F:\ directly.
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification F:\AUTORUN.INF (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- File opened for modification C:\AUTORUN.INF (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- File opened for modification F:\AUTORUN.INF (process: HelpMe.exe)
Drops file in System32 directory 2 IoCs
- File created C:\Windows\SysWOW64\HelpMe.exe (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\HelpMe.exe (process: HelpMe.exe)
The file lands in SysWOW64 because a 32-bit process's writes to System32 are redirected there; this matches the child being launched as C:\Windows\system32\HelpMe.exe in the process tree below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: HelpMe.exe)
Suspicious use of WriteProcessMemory 4 IoCs
- PID 108 (64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe) wrote to memory of PID 2348, procid_target 29 (recorded four times)
Four writes from the parent into the child it has just launched are what the sandbox records for an ordinary process start; on their own they corroborate the process tree rather than indicate injection.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:108 -
2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 108)
   command line: C:\Windows\system32\HelpMe.exe
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2348
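The signatures above give enough concrete artifacts to hunt for on a live host. The following PowerShell script is an added example, not part of the Triage report or of the sample: it checks both registry views of the Winlogon Shell value, every user profile's Startup folder for Soft.lnk, both System32 and SysWOW64 for HelpMe.exe (comparing its SHA-256 with the 1.1 MB hashes listed under Downloads), and the root of every filesystem drive for AUTORUN.INF. Key paths, file names and hashes are copied from the report; the function names, variable names and output layout are assumptions of this example. It assumes an elevated session and uses only .NET calls available on Windows 7's default PowerShell.

```powershell
# Added hunting script (example code, not the report's or the sample's):
# look for the persistence and spreading artifacts recorded in this Triage report.
# Assumes an elevated PowerShell session. Paths and hashes come from the report;
# everything else (names, output shape) is this example's own choice.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value })
}

function Get-Sha256Hex([string]$Path) {
    # Plain .NET hashing so this also works on PowerShell 2 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').ToLower()
}

# 1. Winlogon Shell. The report shows a 32-bit writer redirected into Wow6432Node;
#    a 64-bit variant would hit the native key, so check both views.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    # Default on a clean system is exactly "explorer.exe"; anything appended is suspect.
    if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
        Add-Finding 'Winlogon Shell' $key $shell
    }
}

# 2. Startup-folder shortcut Soft.lnk, checked in every profile rather than only the current user.
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk'
$profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
foreach ($profile in $profiles) {
    $lnk = Join-Path $profile.FullName $startupRel
    if (Test-Path -LiteralPath $lnk) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
        Add-Finding 'Startup .lnk' $lnk $target
    }
}

# 3. Dropped executable. The 32-bit sample's System32 write was redirected to SysWOW64;
#    check both directories and compare against the 1.1 MB SHA-256 values from the report.
$reportSha256 = @(
    'd5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab',  # submitted sample
    'e19730ca30e77dc85a4e90fb5254fb9e3f06f75599bbc24acacd40ab21c0a0e7',  # 1.1MB download
    'f0a3a4e43a9f46e62eeeb2f718343aeadc6dc9672f6094ed7a130c923429b030'   # 1.1MB download
)
foreach ($exe in @("$env:windir\SysWOW64\HelpMe.exe", "$env:windir\System32\HelpMe.exe")) {
    if (Test-Path -LiteralPath $exe) {
        $hash = Get-Sha256Hex $exe
        $verdict = if ($reportSha256 -contains $hash) { 'matches a report hash' } else { 'hash not in report' }
        Add-Finding 'Dropped EXE' $exe "$hash ($verdict)"
    }
}

# 4. AUTORUN.INF at the root of every filesystem drive (the report shows C:\ and F:\ being written).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'AUTORUN.INF'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $body = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join ' | '
        Add-Finding 'autorun.inf' $inf $body
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this report found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean host prints the no-artifacts line; an infected one lists each hit with its location, which is enough to scope cleanup (remove the Shell suffix, delete the .lnk, the dropped EXE and every AUTORUN.INF, then re-run). The SHA-256 comparison is deliberately advisory: the report does not say which of the 1.1 MB downloads is HelpMe.exe, so a non-matching hash on a present HelpMe.exe is still a finding.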
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.1MB
MD5: efbb8c39021a191804e40ac880f5e1bd
SHA1: 757e418900ea6e4b985f469aba8e4c91bfe39129
SHA256: e19730ca30e77dc85a4e90fb5254fb9e3f06f75599bbc24acacd40ab21c0a0e7
SHA512: 5cf41a059797d2c73d5fa48c834f6c9e18f2a51cad48e4d57969a30a9e80cd27b5f3cf3215f35c4f5e26190ffc52e5edbc6425ca9327178a3b97634dfd07a8e1
-
Filesize: 950B
MD5: ae50550166339f8be5e5e080c2f59a83
SHA1: 94dbb5b6e73640b349a51fc5074e6614ffe227e7
SHA256: e89d5480428237090780ca04fb539fd5c5631847893f8e8ed915911b9a70686d
SHA512: 18a673626ea9c25bbbc685d7a8027dbdb0bf2220bb1319ccea161d42077fc262b3091b9058d2d35191959c526ca6223af81c533b1dab07baa65bac3db97232d6
-
Filesize: 1KB
MD5: e1f2702f1cd94a21e8d37e643ac99180
SHA1: d8f9b4f81a2117d6690ef74a6a39e3cc087a12a8
SHA256: 632ed1412f345f9e6b34844b27109317a6b337981ae36b66c0d0b6efbe867fd1
SHA512: 537ec7367acf5544cd022751b3d9a9c35d3a440b7fc9ea5231b123ed7882fded1636e2d0d441b5a3129da5ffc330baa5ceecffaf64484f7b11894b3b3db00334
-
Filesize: 1.1MB
MD5: 6b10d2a8a979675036ddef0f3760159b
SHA1: 4ad4ec3a4eb41d719153c691ae8fc0d3af0f5038
SHA256: f0a3a4e43a9f46e62eeeb2f718343aeadc6dc9672f6094ed7a130c923429b030
SHA512: eb9142a037a93f5d873496051bc74ab2bd8c2cb58a2b9d5e2664325661d31a98378860d492dd9532c72c20b28feca3bf0ba412cc7b88a2b98b514c67b19f64c8
-
Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize: 1.1MB (hashes identical to the submitted sample)
MD5: 64dc58bd24a3c99ba0cf6a9e968cf955
SHA1: 644587fec32034690c3c644ac3c1c1e0c76fd6d7
SHA256: d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab
SHA512: b841edc19995ce99d483737ed48f5c6a0f3491804f7905f213564d5879d02abda8c8461d134a784098d1985e6a3cf3be341d6936bb7b1171b89373da102958e0