Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18/04/2024, 18:43
Static task: static1
Behavioral task: behavioral1
- Sample: f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
- Size: 12KB
- MD5: f8892f9730f13b42121361fbd357732d
- SHA1: 2c20c5526adb21dd065f48c6effa220b551caeb7
- SHA256: 4edc47bf1cfebabc1e4803e438b1beb3853f3d928a20e0ec507455d300a8d875
- SHA512: a4aa3abe63795f42363a0dc55452fca24351593465d696358ff70ae09992045b91dc9ae173d4e2eea6915fa824ee8db32e670f95aa2f0ea4224c6bdf31781dd6
- SSDEEP: 192:WF14nGKN7d5QstF9851DKOX1A+b15T2qf4FAwUUTZ1yXTV4aiuNcylN7Smpcjy:SNKN7MSF9kw4A+b11pwTWX545SpfSmWm
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}" (process: f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe)
  Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts. The CLSID written here is the one the sample registers under "Modifies registry class" below, whose InProcServer32 default value points at C:\Windows\SysWow64\slbiopfs2.dll, so the two signatures together describe one persistence mechanism. Note the Wow6432Node path: the sample is 32-bit and its registry writes were redirected, so on this x64 image the entry sits in the 32-bit view of the key rather than the native key that the 64-bit explorer.exe reads.
- Deletes itself (1 IoC)
  PID 2724, cmd.exe
- Loads dropped DLL (1 IoC)
  PID 3040, f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs; all by f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\slbiopfs2.tmp
  File opened for modification: C:\Windows\SysWOW64\slbiopfs2.nls
  File created: C:\Windows\SysWOW64\slbiopfs2.tmp
  The DLL path registered below, slbiopfs2.dll, does not itself appear among the file IoCs; only the .tmp and .nls files in SysWOW64 are recorded.
- Modifies registry class (4 IoCs; all by f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3040, f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3040, f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe (three calls)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3040 (f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe) wrote to the memory of PID 2724, procid_target 28; recorded four times. PID 2724 is the cmd.exe child shown in the process tree, so these writes are consistent with the parent creating that child rather than injecting into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe"
   PID: 3040
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 3040)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\D5B6.tmp.bat
      PID: 2724
      - Deletes itself
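The two behaviours the signatures and the process tree record, SSODL persistence through a freshly registered CLSID and a cmd.exe child running a batch file out of the user's Temp directory, can be re-derived mechanically from the event rows, which is how a report like this gets turned into a detection. The following Python is an added example, not tria.ge code: the event records are constructed from the IoC rows above, and the record layout, function names and the "redirected" heuristic are the editor's assumptions.

```python
"""Correlate registry and process events from a sandbox report.

Added example (not tria.ge code). The event records are constructed from the
IoC rows of this report; field and function names are assumptions.
"""
import re
from typing import Dict, List

# --- Constructed input, transcribed from the report's IoC rows ---
CLSID = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"
HKLM_SW = r"\REGISTRY\MACHINE\SOFTWARE"
CLSID_KEY = HKLM_SW + r"\Classes\Wow6432Node\CLSID" + "\\" + CLSID
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f8892f9730f13b42121361fbd357732d_JaffaCakes118.exe"

# (operation, registry path, value data, pid). A path ending in a backslash is
# the key's (Default) value, which is how tria.ge prints it.
REG_EVENTS = [
    ("Set value (str)", HKLM_SW + r"\Wow6432Node\Microsoft\Windows\CurrentVersion"
                        r"\ShellServiceObjectDelayLoad\slbiopfs2.dll", CLSID, 3040),
    ("Key created", CLSID_KEY, None, 3040),
    ("Key created", CLSID_KEY + r"\InProcServer32", None, 3040),
    ("Set value (str)", CLSID_KEY + r"\InProcServer32" + "\\",
                        r"C:\Windows\SysWow64\slbiopfs2.dll", 3040),
    ("Set value (str)", CLSID_KEY + r"\InProcServer32\ThreadingModel", "Apartment", 3040),
]
PROC_EVENTS = [
    {"pid": 3040, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2724, "ppid": 3040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\D5B6.tmp.bat"},
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
INPROC_DEFAULT_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\InProcServer32\\(?:\(Default\))?$", re.I)
TEMP_BAT_RE = re.compile(r'/c\s+"?([^"\s]+\.bat)"?', re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def inproc_servers(reg_events) -> Dict[str, str]:
    """Map each CLSID whose InProcServer32 default value was set to that DLL path."""
    servers: Dict[str, str] = {}
    for op, path, data, _pid in reg_events:
        m = INPROC_DEFAULT_RE.search(path)
        if op.startswith("Set value") and m and data:
            servers[m.group(1).upper()] = data
    return servers


def find_ssodl_persistence(reg_events) -> List[dict]:
    """Flag ShellServiceObjectDelayLoad value writes and resolve the CLSID they name."""
    servers = inproc_servers(reg_events)
    findings = []
    for op, path, data, pid in reg_events:
        m = SSODL_RE.search(path)
        if not (op.startswith("Set value") and m):
            continue
        clsid = data.upper() if data and re.fullmatch(GUID, data) else None
        findings.append({
            "pid": pid,
            "value_name": m.group(1),
            "clsid": clsid,
            "dll": servers.get(clsid) if clsid else None,  # None: CLSID not registered in this trace
            # Heuristic (assumption): a Wow6432Node path means a 32-bit writer was
            # redirected; the 64-bit explorer.exe reads the native key instead.
            "redirected": "wow6432node" in path.lower(),
        })
    return findings


def find_temp_batch_launch(proc_events) -> List[dict]:
    """Flag cmd.exe /c <user Temp>\\*.bat, the launch shape behind 'Deletes itself'."""
    by_pid = {p["pid"]: p for p in proc_events}
    findings = []
    for p in proc_events:
        if p["image"].rsplit("\\", 1)[-1].lower() != "cmd.exe":
            continue
        m = TEMP_BAT_RE.search(p["cmdline"])
        if not (m and USER_TEMP_RE.search(m.group(1))):
            continue
        parent = by_pid.get(p["ppid"])
        findings.append({
            "pid": p["pid"],
            "batch": m.group(1),
            "parent_pid": p["ppid"],
            "parent_in_temp": bool(parent and USER_TEMP_RE.search(parent["image"])),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ssodl_persistence(REG_EVENTS) + find_temp_batch_launch(PROC_EVENTS):
        print(finding)
```

The registry correlation is the part worth keeping: an SSODL value on its own is only a CLSID, and it is the InProcServer32 lookup that turns it into a DLL path to hunt for on disk. The batch-launch check is deliberately a shape match (cmd.exe, `/c`, a .bat under the user's Temp, parent also in Temp) and says nothing about what the batch file does; the "Deletes itself" verdict in the report comes from the sandbox observing the deletion, which a static rule cannot.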
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 207B
  MD5: 601ca62d99e1478198078c0913a59ef9
  SHA1: 66027fda1522afb8263296d0485b9204740df9f7
  SHA256: c29b41356422ac5e0fb21068eda6c96a6699cb1c34e6ce2ef98448a2ed7249f1
  SHA512: 9aadc67928559789a39cebb6cfddf7bdf0859a2a4f5c6c61043efd99b09fe68e9384fb3ca99e66db46a567b3b58c785eb505060e9bb23ae9d9f081eaa43cbc3d
- Filesize: 428B
  MD5: 249d36eaf9e5cc7ffeb4082829b4af78
  SHA1: 1f102e3e0833707f2a74d26ccae0ee62c0cd5550
  SHA256: 8fa5788b5e59ebee1b408e357b22b85b70381a1498286a2579ece01cf6e0e055
  SHA512: 3430350b1bfa9161850e4433baa54cbcf0f9d9431ebeab21820df21c94ff55b71f8e9b20c6680a6837deb6c490acf1732ab4a70573c4b6cdf575456c5093e7cd
- Filesize: 555KB
  MD5: f2e69da9e0d62e24905ef574daf58420
  SHA1: a71c878e6c475806c2424491073b8bea767c96e6
  SHA256: 6e84de1e99366bae2ea5d7f2de325a7ba40841eba83586956098e93e3dbd894a
  SHA512: 1d509770615bb440eeac9dcf971f1cf6e061c4fb8bed97975a2aa5ccd351a8c09e70810030f856c9d3ef55b61b48060af043ba4850332a8f4ad6ec00cc12a58d