Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 07:03
Behavioral task: behavioral1
  Sample: e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
Size: 25KB
MD5: e96b716d8211744daf8626838b9e190f
SHA1: da5e98c9362e73f08236a3ff03c94c78e3d5210f
SHA256: cabae28652ec4ff34f5edf012496be16511ecef87a7f70f139f03bf456a4b76c
SHA512: 00295152c93f701fdf1738264db27da8e725519aa7313d79360aa059176c6e4445c1528962d0ac0209137f632f570742d1459e928718683f06eb633e29a6725f
SSDEEP: 768:hAjP2Kill341cpOIqBv+mh5pHFICMYDg1WyvXu6:hAjP2K4o1cqBvjJzMuyWyv
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid  | Process
  3056 | cmd.exe

Loads dropped DLL (5 IoCs)
  pid  | Process
  1872 | rundll32.exe
  1872 | rundll32.exe
  1872 | rundll32.exe
  1872 | rundll32.exe
  2728 | regsvr32.exe

  resource | yara_rule
  behavioral1/memory/3064-0-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral1/memory/3064-10-0x0000000000400000-0x0000000000415000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MShelp = "RUNDLL32.EXE C:\\Windows\\system32\\BhoPlugin.dll,Install" | rundll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EE614961-679D-4B07-9574-3DC31751845F} | regsvr32.exe

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\259395342 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (46 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\HELPDIR | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ = "IEHelper Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ProgID\ = "BhoPlugin.IEHelper.1" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\ = "BhoPlugin 1.0 Type Library" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\FLAGS\ = "0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\FLAGS | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ = "IIEHelper" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\CLSID\ = "{EE614961-679D-4B07-9574-3DC31751845F}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\VersionIndependentProgID\ = "BhoPlugin.IEHelper" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0\win32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CurVer\ = "BhoPlugin.IEHelper.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CLSID\ = "{EE614961-679D-4B07-9574-3DC31751845F}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ = "IIEHelper" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\ = "IEHelper Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\BhoPlugin.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\Programmable | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32\ = "C:\\Windows\\SysWow64\\BhoPlugin.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\ = "IEHelper Class" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CurVer | regsvr32.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  1872 | rundll32.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 1872 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 2728 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 29
  PID 3064 wrote to memory of 3056 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 30
  PID 3064 wrote to memory of 3056 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 30
  PID 3064 wrote to memory of 3056 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 30
  PID 3064 wrote to memory of 3056 | 3064 | e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe | 30
Processes
  C:\Users\Admin\AppData\Local\Temp\e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3064
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Windows\system32\BhoPlugin.dll,Install
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
      PID: 1872
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\BhoPlugin.dll /s
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 2728
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\259395436.bat
      - Deletes itself
      PID: 3056
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 226B
MD5: 65da4149f1700999708ba3241575b77d
SHA1: 7e1b2c651b7b4a8e44a179487f70f78213988250
SHA256: 82eaf35dcef017a273e660ce175985a8ba6d13c8d39aa6784c56fdf8af495ee9
SHA512: f876c7c8304faaa04618e44f0f1cd0d7fe3b9e8b4918ab1361d44bc38d54ef637b0dfaff586f857836e9a831d8dcf52724ba1724db78fa1e1cb54993775f2b63

Filesize: 60KB
MD5: 44a7174c200fc03cc13e275810e5ab51
SHA1: 98c3832d478bf3c55d4d4c7f47c779a56e55309b
SHA256: 19b962cac5a42bf81ecc45b878d8a2b2490cdf051e107f378e87049ff3e7b69f
SHA512: 03f62300435f4498637382e480b6aa09db13a1e03d729b034cbfcbbbe9c7fafbb82706cf4e32890d3d8e0fa9367ae89da7da3251e0102879bd3de05f5078e1bb