Analysis

  max time kernel:  138s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240412-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        21/04/2024, 06:47
Tasks

  Static task: static1

  Behavioral task: behavioral1
    Sample:   feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll
    Resource: win7-20240221-en

  Behavioral task: behavioral2
    Sample:   feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll
    Resource: win10v2004-20240412-en
General

  Target: feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll
  Size:   2.2MB
  MD5:    feb0bf5b0d7f6820c330fa45091cd189
  SHA1:   a1f50429415bc7cbf1706c22dfdca734173fb9ac
  SHA256: 474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0
  SHA512: 07f208c66899c0f298037dd8aab4d772e2ef6321a36519112e5d677170a58ee19d69e8a397ae0cb485cc1f2c71d82b55c004d96cf40c459fbda3b405602670f8
  SSDEEP: 24576:52WdDKT6lr1CDu2ruh59hmxxJNOjOAUBJjlD4qH5vlalua2UotfG6o:53DlBEidgxJN5AejlD4uvlab2UotfG
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe vchelp.exe" | Regedit.exe

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  4 | 4792 | rundll32.exe

Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File created | C:\windows\SysWOW64\QFTKBVLATWCGCX.DLL | rundll32.exe
  File opened for modification | C:\WINDOWS\SysWOW64\wbem\ELPMGWT.MDA | rundll32.exe
  File created | C:\Windows\SysWOW64\arun.reg | rundll32.exe
  File opened for modification | C:\windows\SysWOW64\QFTKBVLATWCGCX.DLL | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\11D18gXgg.dll | rundll32.exe
  File created | C:\WINDOWS\SysWOW64\wbem\ELPMGWT.MDA | rundll32.exe
  File created | C:\windows\SysWOW64\KBQGA.DLL | rundll32.exe
  File created | C:\windows\SysWOW64\VNXKOW.LDO | rundll32.exe
  File created | C:\Windows\SysWOW64\11D18gXgg.dll | rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs .reg file with regedit (1 IoC)
  pid | Process
  3296 | Regedit.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 5000 wrote to memory of 4792 | 5000 | rundll32.exe | 86
  PID 5000 wrote to memory of 4792 | 5000 | rundll32.exe | 86
  PID 5000 wrote to memory of 4792 | 5000 | rundll32.exe | 86
  PID 4792 wrote to memory of 4520 | 4792 | rundll32.exe | 87
  PID 4792 wrote to memory of 4520 | 4792 | rundll32.exe | 87
  PID 4792 wrote to memory of 4520 | 4792 | rundll32.exe | 87
  PID 4792 wrote to memory of 3960 | 4792 | rundll32.exe | 88
  PID 4792 wrote to memory of 3960 | 4792 | rundll32.exe | 88
  PID 4792 wrote to memory of 3960 | 4792 | rundll32.exe | 88
  PID 4792 wrote to memory of 3360 | 4792 | rundll32.exe | 89
  PID 4792 wrote to memory of 3360 | 4792 | rundll32.exe | 89
  PID 4792 wrote to memory of 3360 | 4792 | rundll32.exe | 89
  PID 4792 wrote to memory of 3160 | 4792 | rundll32.exe | 90
  PID 4792 wrote to memory of 3160 | 4792 | rundll32.exe | 90
  PID 4792 wrote to memory of 3160 | 4792 | rundll32.exe | 90
  PID 4792 wrote to memory of 3932 | 4792 | rundll32.exe | 91
  PID 4792 wrote to memory of 3932 | 4792 | rundll32.exe | 91
  PID 4792 wrote to memory of 3932 | 4792 | rundll32.exe | 91
  PID 4792 wrote to memory of 3296 | 4792 | rundll32.exe | 100
  PID 4792 wrote to memory of 3296 | 4792 | rundll32.exe | 100
  PID 4792 wrote to memory of 3296 | 4792 | rundll32.exe | 100
Processes

(depth 1) C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
    PID: 5000
    Signatures: Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
      PID: 4792
      Signatures: Blocklisted process makes network request; Drops file in System32 directory; Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        PID: 4520

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        PID: 3960

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        PID: 3360

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        PID: 3160

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        PID: 3932

    (depth 3) C:\Windows\SysWOW64\Regedit.exe
        Command line: Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
        PID: 3296
        Signatures: Modifies WinLogon for persistence; Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 158B
  MD5:      b0a27860ea12fd07015510c5c35c7554
  SHA1:     535e08f7a8759f019fb085554675034faca50bb3
  SHA256:   1c62ea2659178f376ddcc36492ffc6c4a0c08c78436566f20170bbe3b02d9cd9
  SHA512:   f4af7e332e6b866501a79cc98a76fa1f1fa3a24d61f27a188b503c64360140dd67e0b9bb60590e8f1b5369413a1cc5d8929ea2f8ff1db843a5d8098aca5c884a

  Filesize: 921B
  MD5:      b7d9db6b08668f6225b47354d1625d57
  SHA1:     47068158132fe367904bbffe71d6445ba4a87b8d
  SHA256:   db4a5ad033e9052a1a709ec47e9b1bcd7afb9f3c799ef7c9451871593febb0ff
  SHA512:   e8bc3753bfb3e82c8e5865be23c8c976d8c7d96db5e5ec5fa80dc1c526f4af5f4e7876a7e1e756db1bff227cbd2d57ac69c7157173c0fe575fb7b345f8d1759e

  Filesize: 1KB
  MD5:      03870ec18f067da58cb6253c2fad3265
  SHA1:     fb8e064476fb3af2faf3a977835bb3b284cf4a33
  SHA256:   f2c43e0bb1465011d8b66ddb6c9bd206e37c512d9096546d0990952ac5ada770
  SHA512:   a3c58f60a0af99d1e5640a663807f5ea0f5a812e15f9ba385a38f93a4267ea6493931aad304645bc158131cfa5fee54052330295d3b2b934f9aa0212b4ca9ef1

  Filesize: 149B
  MD5:      adfc8b71e83fe2857ee9679492f69327
  SHA1:     691d668a9bafd29397d07d40f7a9835c2a69995b
  SHA256:   ce08d9de9b28cee3e147505a99335f3b7f5ab1b82dc009032864c0c1b911cd3c
  SHA512:   13f37167233bf6b00c0f23174e336f7abfbcded6e7bf8d6d5d146459a74f03cfe96a6e414d5ebfe55967be4c02a3f4e6f23cc2c5333180338a45ad7507ced822