Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
16/04/2024, 16:51
Static task
static1
Behavioral task
behavioral1
Sample
f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
-
Size
15KB
-
MD5
f3e75c94de3c8fbd9a057c63f7ce0062
-
SHA1
8bc106204f4792b6fc25af00d6eac1908dfaad1b
-
SHA256
bcb0a41963c0baddfbc72ade7382ae8f5ec039c1439c71cc8d96f30b8656f519
-
SHA512
7338d6050c05bb5cafac45ce9b5817caa2e0bbaad268c30c52e07bf749bd93be7ecbd5448283bcf98d2d079b4dc68d63f09f75d1424b4c4a0578c2eec39639d9
-
SSDEEP
384:ty/TOFJLcl399gCERlNT+mZXgRiUC9ywO5jYl1aXY+ne:ty/TQml8bRlNvQwUC9UjYl8e
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{00250025-0025-0025-0025-00250025BB15}" f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Loads dropped DLL 1 IoCs
pid Process 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\slbiopfs2.tmp f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\slbiopfs2.tmp f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\slbiopfs2.nls f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15} f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll" f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ThreadingModel = "Apartment" f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1528 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 95 PID 1556 wrote to memory of 1528 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 95 PID 1556 wrote to memory of 1528 1556 f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\414A.tmp.bat2⤵PID:1528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207B
MD5f842398883950acf17cfd5f3c23e7969
SHA1321fb6b59728198d69364e63465941e2c841b14c
SHA25613ee45ba32418f13665d8c72597b69eae774ba021feda02d60e85b5717268cc5
SHA51256b6116cf09d64884f5174281a0e0f28f45af18a2f70767485eb32e3181a6d7643910fdabd89ac471119f4b75d7b997755344f5cebdb38b1427215d09bf2f46e
-
Filesize
428B
MD52fac5903c986ca533a9573420c1c77de
SHA1928923bf5e601a51ff636878594852d3fd432080
SHA2563f691192c74a1cc8af639ab8136fa097a21ffc8c7dbd00c555ebcb7ffac66f27
SHA51254727f7dc12927955fff9c0b9dcf404d39889a21c7f48d5f55d348aa2876b2279539f330124f6299223edca358a7f90cda8f3dfb46a39f05cfff09f5a7234d58
-
Filesize
963KB
MD55dd9eb70c15da321d4ab9e7c89696e8e
SHA1b932e5f8806bf034c85fc9dd1fb8426491baf456
SHA256ac952d3362ed3b7e8fa081e338568c29ea197eec11a30e45ea2f72872cabee5b
SHA512bc6f64db127c4ae84fab44ba6f29a2e324aecdc9b7c14830c81e4a9e76a175e6aadff2e4183f3475b13f04a5a6adcffbf886fdf4de17ee1c065d1ee14a135a1d