Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/05/2024, 10:58
Static task
static1
Behavioral task
behavioral1
Sample
248928b7b857f742be05aa928101d5f3_JaffaCakes118.dll
Resource
win7-20240215-en
General
-
Target
248928b7b857f742be05aa928101d5f3_JaffaCakes118.dll
-
Size
988KB
-
MD5
248928b7b857f742be05aa928101d5f3
-
SHA1
e395a8cf2db356a95dcbd1b5adff3937d12caadf
-
SHA256
1df85ebabf3497906c02c02cd6731f3907815a8a3ccf2acdf3ae5fd6507e83e8
-
SHA512
9cb1d87c8174314e944f637fb15624a8b6d0f0f29debbd6b7a82476737cf60dddcefed3e7fa76b8755798c2888cf64fab98c0071595d3466f99b0e78df3cf4e8
-
SSDEEP
24576:GVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:GV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
resource: behavioral2/memory/3412-4-0x0000000002B90000-0x0000000002B91000-memory.dmp
yara_rule: dridex_stager_shellcode -
Executes dropped EXE 4 IoCs
pid Process
1952 wextract.exe
2676 PresentationHost.exe
4436 BdeUISrv.exe
2360 SystemPropertiesDataExecutionPrevention.exe -
Loads dropped DLL 5 IoCs
pid Process
1952 wextract.exe
2676 PresentationHost.exe
2676 PresentationHost.exe
4436 BdeUISrv.exe
2360 SystemPropertiesDataExecutionPrevention.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuaobpzp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\neoFJaEpSC\\BdeUISrv.exe"
Process: Process not Found -
Checks whether UAC is enabled 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wextract.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BdeUISrv.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesDataExecutionPrevention.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4524 regsvr32.exe (4 events)
3412 Process not Found (60 events) -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3412 Process not Found
3412 Process not Found -
Suspicious use of UnmapMainImage 1 IoCs
pid Process
3412 Process not Found -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 3412 wrote to memory of 4912 3412 Process not Found 96
PID 3412 wrote to memory of 4912 3412 Process not Found 96
PID 3412 wrote to memory of 1952 3412 Process not Found 97
PID 3412 wrote to memory of 1952 3412 Process not Found 97
PID 3412 wrote to memory of 2452 3412 Process not Found 98
PID 3412 wrote to memory of 2452 3412 Process not Found 98
PID 3412 wrote to memory of 2676 3412 Process not Found 99
PID 3412 wrote to memory of 2676 3412 Process not Found 99
PID 3412 wrote to memory of 4896 3412 Process not Found 100
PID 3412 wrote to memory of 4896 3412 Process not Found 100
PID 3412 wrote to memory of 4436 3412 Process not Found 101
PID 3412 wrote to memory of 4436 3412 Process not Found 101
PID 3412 wrote to memory of 3628 3412 Process not Found 102
PID 3412 wrote to memory of 3628 3412 Process not Found 102
PID 3412 wrote to memory of 2360 3412 Process not Found 103
PID 3412 wrote to memory of 2360 3412 Process not Found 103 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\248928b7b857f742be05aa928101d5f3_JaffaCakes118.dll
- Suspicious behavior: EnumeratesProcesses
PID:4524
-
C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
PID:4912
-
C:\Users\Admin\AppData\Local\cB9\wextract.exe
C:\Users\Admin\AppData\Local\cB9\wextract.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1952
-
C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
PID:2452
-
C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe
C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2676
-
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
PID:4896
-
C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe
C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4436
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID:3628
-
C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2360
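The process tree and signatures above record one pattern several times: PID 3412 launches a System32 binary (wextract.exe, PresentationHost.exe, BdeUISrv.exe, SystemPropertiesDataExecutionPrevention.exe), then the same binary name runs again from a random directory under AppData\Local where a dropped DLL sits beside it, a Run key is pointed at a copy under AppData\Roaming, and 3412 writes into the memory of all eight children. The Python below is an added example written for this page, not Triage's detection code: it turns those three observations into hunting rules and runs them over events transcribed from this report. The benign Run-key row, the event field layout and the fan-out threshold are constructed assumptions.

```python
"""Detection logic for the three behaviours this report records: System32
binaries re-executed from user-writable directories (the side-loading pattern
behind "Executes dropped EXE" / "Loads dropped DLL"), a Run-key value pointing
into a user profile, and one process writing into the memory of many others.

Added example for this page, not Triage's own detection code. Process, registry
and memory-write events are transcribed from the report; the benign Run-key
entry, the tuple layout and the fan-out threshold are constructed assumptions.
"""
import ntpath
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")

# (pid, image path) from the Processes section: each system binary is first
# launched from System32, then again from a random AppData\Local directory.
PROC_EVENTS = [
    (4524, r"C:\Windows\system32\regsvr32.exe"),
    (4912, r"C:\Windows\system32\wextract.exe"),
    (1952, r"C:\Users\Admin\AppData\Local\cB9\wextract.exe"),
    (2452, r"C:\Windows\system32\PresentationHost.exe"),
    (2676, r"C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe"),
    (4896, r"C:\Windows\system32\BdeUISrv.exe"),
    (4436, r"C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe"),
    (3628, r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"),
    (2360, r"C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe"),
]

# (key, value name, data) registry writes. Row one is the report's Run key;
# row two is a constructed benign entry so the filter has something to pass.
REG_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Wuaobpzp",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\neoFJaEpSC\BdeUISrv.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "VendorUpdater",  # constructed benign example
     r"C:\Program Files\Vendor\Updater.exe"),
]

# (source pid, target pid) from "Suspicious use of WriteProcessMemory";
# the report logs each target twice.
WRITE_EVENTS = [(3412, t) for t in (4912, 4912, 1952, 1952, 2452, 2452, 2676, 2676,
                                    4896, 4896, 4436, 4436, 3628, 3628, 2360, 2360)]


def user_writable(directory):
    """True if a standard user can normally write to this directory."""
    return directory.lower().startswith(USER_WRITABLE_PREFIXES)


def masquerading_copies(proc_events):
    """Return (pid, path) for images sharing a basename with a binary seen
    running from System32 but executed from a user-writable directory.
    The legitimate-name set is derived from the trace itself; on a live host
    you would enumerate System32 instead."""
    system32_names = {
        ntpath.basename(path).lower()
        for _, path in proc_events
        if ntpath.dirname(path).lower() == SYSTEM32
    }
    hits = []
    for pid, path in proc_events:
        directory = ntpath.dirname(path).lower()
        if (ntpath.basename(path).lower() in system32_names
                and directory != SYSTEM32 and user_writable(directory)):
            hits.append((pid, path))
    return hits


def suspicious_run_values(reg_events):
    """Return (value name, data) for Run-key entries whose target lives in a
    user-writable directory; software under Program Files passes."""
    run_suffix = "\\software\\microsoft\\windows\\currentversion\\run"
    return [
        (name, data)
        for key, name, data in reg_events
        if key.lower().endswith(run_suffix)
        and user_writable(ntpath.dirname(data.strip('"')))
    ]


def injection_fanout(write_events, min_targets=3):
    """Map source pid -> sorted distinct target pids for sources that wrote
    into at least min_targets other processes (threshold is an assumption)."""
    targets = defaultdict(set)
    for src, dst in write_events:
        if src != dst:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for pid, path in masquerading_copies(PROC_EVENTS):
        print(f"side-loading candidate pid={pid} {path}")
    for name, data in suspicious_run_values(REG_EVENTS):
        print(f"persistence Run\\{name} -> {data}")
    for src, dsts in injection_fanout(WRITE_EVENTS).items():
        print(f"pid {src} wrote into {len(dsts)} processes: {dsts}")
```

Run against this report's events the first rule flags exactly the four AppData\Local copies (PIDs 1952, 2676, 4436, 2360) and leaves regsvr32.exe alone even though its argument is a DLL in the user's Temp directory, because the rule keys on where the image itself lives. The second rule passes the constructed Program Files entry and flags only Wuaobpzp; the third collapses the sixteen logged writes into one source (3412) with eight distinct targets.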
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 54KB
MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88
-
Filesize 990KB
MD5 691fe43bfe95140d73a7f429ccfc4c44
SHA1 7af58ca370d26989a2bab57155a8aa323aa5bdae
SHA256 05b222f217822092abde5ef47db9c13e6271e7891747a55b5eeb089cf3863236
SHA512 5b6ec7669b9ef5a8cd9b16491b7b3f10e79c8ba86f111becd29b8de27f13ebb6022ee9eb903b2f7125c013a929fcfff6d1cefb3e8c580d06a23af29ac7f3d86c
-
Filesize 989KB
MD5 73df3e54cf8834d5688afa78eed07cab
SHA1 8190ac76e18d4f3542bb2ddb12a8302f57c4f5c6
SHA256 5104ccfba57ef0b7a7dad80e24fbd15bc146ccf30227a1e8c423906dcbd0055c
SHA512 4b8253abc7d743ad30a99c57e921842ddd52ae88074f6e9be78bbf5733b14f95a17b5806798ccaa4b0b16f45ffa2b73bfbc1aaeff7d8c1d9613523c64b628088
-
Filesize 143KB
MD5 56e501e3e49cfde55eb1caabe6913e45
SHA1 ab2399cbf17dbee7b302bea49e40d4cee7caea76
SHA256 fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
SHA512 2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172
-
Filesize 276KB
MD5 ef27d65b92d89e8175e6751a57ed9d93
SHA1 7279b58e711b459434f047e9098f9131391c3778
SHA256 17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48
SHA512 40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e
-
Filesize 989KB
MD5 21a83a4e1eb060c76995e5d4a5a4047d
SHA1 5532ecbfa161c7a71efe3fdc02529ec913d70993
SHA256 3bb8caa6c05867722bd3a4d69ea5aa9d172cc4265f92191e6ec60d312c43ece5
SHA512 2d02d1cb2707983b842f57a77b2103d1c3dced209b371ae4ebc02e6acb2bf68f0c3688f8269e9201f73db60a2fb75165e33d0a4103fc12d12980c8fa23827165
-
Filesize 988KB
MD5 43d91da61b14a57caa18745e2d9e424a
SHA1 eed47eb8eb635f70e491369b4f6f2fe20841d060
SHA256 b7ee2aa8e4cfe86830c91bba9df7efba721e7cdb7442e690ece471e6a4f32e90
SHA512 0f11544b63ba145ce86930050ccf6249652b5c5c01e548dd40dc63cd78bb5676a5df7cd02469738c96dbe5430b0e0fca5bc1c168dafad9d41a7b561bca6fb1f5
-
Filesize 82KB
MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
-
Filesize 1KB
MD5 6f1790c28f827e29d485c72921ae325e
SHA1 9a7d38a6340641a58d3a0e1bc137205f042c9bfa
SHA256 375ec464393df6f8f92c3ccf435b0d0e74a595f77609dfe6e2b035dcf637f786
SHA512 2488da00fbff009bc4bd1818462545ff0b1fedfd74f396616f4e9cfb283ca1ebcf51cda0d41fc32a7b170af5a676c8f629284ec1fda4f59e02c59b636c850d1f