Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/06/2024, 20:28
Static task
static1
Behavioral task
behavioral1
Sample
9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe
-
Size
10.0MB
-
MD5
9bd5b173c3fc8ccf9248309982d6aa5b
-
SHA1
eb3331285bfd1cc62d80c2e411ce5523f5f8f4a1
-
SHA256
4b295341a377ce93253956c73574b634b7799297edb4699d9507c153fec1396b
-
SHA512
f2716b8af1186ce3a1b7c01c64c97456812eeffeeeaa68fd78b5e5767c8134f9577e2ec597b324f93c23a653421d061d8a87684b1098481c1cb4953e5f128876
-
SSDEEP
196608:vXkpYN49IBrkisJjAiH3J8QQaeY9EtC4lHE8rqNabGpcBoMIB+CHJX21Ta9:v0pYN4CkiGAwuQVe1HE8rqNa2cBoMIB9
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2996 PDFArchitect3Installer.exe -
Loads dropped DLL 3 IoCs
pid Process 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 2556 regsvr32.exe 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58D07BB6-4416-4544-8064-3DB60EEDCF7B}\TypeLib\ = "{9E8128F0-77FD-462D-88F7-550D473658C0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9242C198-10B3-4F73-935D-1C7905796C67}\Version\ = "1.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F7470C-2E15-4762-9613-155654B24238}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4CB4452-4A1A-4D69-B194-10F00E72CF6B}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F7470C-2E15-4762-9613-155654B24238}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 3\\Installation\\Statistics.dll" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F7470C-2E15-4762-9613-155654B24238} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AF0E415-E2A3-4760-8FD7-540C0D4C0A99} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E8128F0-77FD-462D-88F7-550D473658C0}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86097479-8DDE-4D4E-AC92-B04BC4D3F28F}\TypeLib\Version = "1.0" PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9242C198-10B3-4F73-935D-1C7905796C67} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C190A609-836F-4E00-B902-A894C0FA44E5}\ = "InstallItemModule Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AF0E415-E2A3-4760-8FD7-540C0D4C0A99}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B070A15F-DD6D-411C-BAA4-424264999487}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{817163EF-0E2B-42BE-9A69-39AAF2E71D80}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86097479-8DDE-4D4E-AC92-B04BC4D3F28F} PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B070A15F-DD6D-411C-BAA4-424264999487}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E81AD0B-D546-4107-9058-7CC9F66ACAA8}\Version\ = "1.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C190A609-836F-4E00-B902-A894C0FA44E5}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AF0E415-E2A3-4760-8FD7-540C0D4C0A99}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8B6481C-CFC1-4643-989B-7D163445E1DD}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC39462E-192E-4BFB-A9B0-28862B65F705}\1.0\0 PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{738E6D37-5753-43BE-8221-373534DAFD29}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F7470C-2E15-4762-9613-155654B24238}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4CB4452-4A1A-4D69-B194-10F00E72CF6B}\ = "DownloadItemModule3_1 Class" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AF0E415-E2A3-4760-8FD7-540C0D4C0A99}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{817163EF-0E2B-42BE-9A69-39AAF2E71D80}\ = "ToolbarStart Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E8128F0-77FD-462D-88F7-550D473658C0}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC39462E-192E-4BFB-A9B0-28862B65F705}\1.0\FLAGS\ = "0" PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C190A609-836F-4E00-B902-A894C0FA44E5}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77CDE36D-7DFE-4223-8E25-3FFD866B17E8}\TypeLib\ = "{9E8128F0-77FD-462D-88F7-550D473658C0}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC39462E-192E-4BFB-A9B0-28862B65F705}\1.0\HELPDIR PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC39462E-192E-4BFB-A9B0-28862B65F705}\1.0\HELPDIR\ = "C:\\ProgramData\\PDF Architect 3\\Installation" PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E8128F0-77FD-462D-88F7-550D473658C0}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AAA9A07E-68FF-4215-84F2-96115976F786} 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{738E6D37-5753-43BE-8221-373534DAFD29}\TypeLib\Version = "1.0" PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56A7C619-DAF7-4540-A77A-0C6E518E7530}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 3\\Installation\\Statistics.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56A7C619-DAF7-4540-A77A-0C6E518E7530}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37DD0F6C-6029-46F2-8B21-3E4AB4750AFF}\TypeLib regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4CB4452-4A1A-4D69-B194-10F00E72CF6B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29CF5B0B-C679-4C5E-AAE0-B91F4FD87378}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29CF5B0B-C679-4C5E-AAE0-B91F4FD87378}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E8128F0-77FD-462D-88F7-550D473658C0} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A61EF0F9-58BA-46AA-A978-0C47B48FAC8C}\Elevation\Enabled = "1" PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86097479-8DDE-4D4E-AC92-B04BC4D3F28F}\TypeLib\Version = "1.0" PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86097479-8DDE-4D4E-AC92-B04BC4D3F28F}\ProxyStubClsid32 PDFArchitect3Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37DD0F6C-6029-46F2-8B21-3E4AB4750AFF}\ = "GeoIpStruct Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{738E6D37-5753-43BE-8221-373534DAFD29} PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C190A609-836F-4E00-B902-A894C0FA44E5}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77CDE36D-7DFE-4223-8E25-3FFD866B17E8} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56A7C619-DAF7-4540-A77A-0C6E518E7530}\TypeLib regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AF0E415-E2A3-4760-8FD7-540C0D4C0A99}\TypeLib regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AAA9A07E-68FF-4215-84F2-96115976F786}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000 PDFArchitect3Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E81AD0B-D546-4107-9058-7CC9F66ACAA8}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9981C967-2D7C-4633-8737-F55C3CC344B0}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 3\\Installation\\Statistics.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9242C198-10B3-4F73-935D-1C7905796C67}\ = "SaveUserDataStruct Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29CF5B0B-C679-4C5E-AAE0-B91F4FD87378}\ = "GeoIP Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E8128F0-77FD-462D-88F7-550D473658C0}\1.0\HELPDIR\ = "C:\\ProgramData\\PDF Architect 3\\Installation" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AAA9A07E-68FF-4215-84F2-96115976F786}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{817163EF-0E2B-42BE-9A69-39AAF2E71D80}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9981C967-2D7C-4633-8737-F55C3CC344B0}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39E42990-F576-4230-9F81-62B537B6B839}\ = "CancelDataStruct Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9981C967-2D7C-4633-8737-F55C3CC344B0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A61EF0F9-58BA-46AA-A978-0C47B48FAC8C}\ = "Installer Class" PDFArchitect3Installer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F7470C-2E15-4762-9613-155654B24238}\TypeLib regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 2576 msiexec.exe Token: SeTakeOwnershipPrivilege 2576 msiexec.exe Token: SeSecurityPrivilege 2576 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2996 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 28 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29 PID 2036 wrote to memory of 2556 2036 9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9bd5b173c3fc8ccf9248309982d6aa5b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\ProgramData\PDF Architect 3\Installation\PDFArchitect3Installer.exe"C:\ProgramData\PDF Architect 3\Installation\PDFArchitect3Installer.exe" /RegServer2⤵
- Executes dropped EXE
- Modifies registry class
PID:2996
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\ProgramData\PDF Architect 3\Installation\Statistics.dll"2⤵
- Loads dropped DLL
- Modifies registry class
PID:2556
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5f3f80ad461348170e8276ffbfed23f36
SHA1c1aea2f5e44bc4f28cf9300ad3d6d01573962dd2
SHA2560f9d8dade0f03c92c8ed4f4f404ceeed77edba0d540d7297da0963db8283ca3d
SHA512c84e42d8232b5d809482acc64231aa6f52eba0242686505c416af5a4aad3611e9128da752c54e716b09166911357c6ae169383627d79df6f58f5747f9a1008d8
-
Filesize
10.0MB
MD59bd5b173c3fc8ccf9248309982d6aa5b
SHA1eb3331285bfd1cc62d80c2e411ce5523f5f8f4a1
SHA2564b295341a377ce93253956c73574b634b7799297edb4699d9507c153fec1396b
SHA512f2716b8af1186ce3a1b7c01c64c97456812eeffeeeaa68fd78b5e5767c8134f9577e2ec597b324f93c23a653421d061d8a87684b1098481c1cb4953e5f128876