Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20/06/2024, 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
Target: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
Size: 765KB
MD5: 027ff902147f8adc996efb1e177c43bf
SHA1: 49c3baebd6fd41bdeeef80d96285d96f423e7ca3
SHA256: ac6cdea4b90c578aa287677a77a51458810baad245c3e4439a3a81728d9d1da4
SHA512: 2f76d2f8f6456e03270943d58928d9f23a7ee6cf3da9d5b9560bc510abb84322cada288b8ed53a80460562908309d3bb299932955f23c68bbe3d30c1fcb1d929
SSDEEP: 12288:rp7rs9PFtoCvMxJfwB66wZ5ofVou4al+xA2le+yp3e2kW4lA+KjHciTF/TfVJD/s:rdrMP7oDxJfwB4Z5odoCltSe13EWAAja
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- resource behavioral2/files/0x00090000000233d8-4.dat matched yara rule acprotect
Executes dropped EXE (1 IoC)
- PID 3660: Boercservice.exe
Loads dropped DLL (6 IoCs)
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 3660: Boercservice.exe
- PID 3660: Boercservice.exe
- PID 3660: Boercservice.exe
yara rule upx (6 IoCs)
- resource behavioral2/files/0x00090000000233d8-4.dat matched yara rule upx
- resource behavioral2/memory/2448-7-0x0000000010000000-0x000000001012A000-memory.dmp matched yara rule upx
- resource behavioral2/memory/3660-26-0x0000000010000000-0x000000001012A000-memory.dmp matched yara rule upx
- resource behavioral2/files/0x000700000002341f-21.dat matched yara rule upx
- resource behavioral2/memory/2448-38-0x0000000010000000-0x000000001012A000-memory.dmp matched yara rule upx
- resource behavioral2/memory/3660-43-0x0000000010000000-0x000000001012A000-memory.dmp matched yara rule upx
Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\Boercservice.dll (Boercservice.exe)
- File created: C:\Windows\SysWOW64\Boercservice.exe (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Boercservice.exe (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\Boercservice.dll (Boercservice.exe)
Drops file in Program Files directory (1 IoC)
- File created: C:\Program Files\Internet Explorer\IJL15.DLL (Boercservice.exe)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Fonts\4f73067947b8fd21e3f43f22006d2297.dat (Boercservice.exe)
- File opened for modification: C:\Windows\Fonts\4f73067947b8fd21e3f43f22006d2297.dat (Boercservice.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 3660: Boercservice.exe
- PID 3660: Boercservice.exe
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 3424: IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 2448: 027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe
- PID 3660: Boercservice.exe
- PID 3424: IEXPLORE.EXE
- PID 3424: IEXPLORE.EXE
- PID 4796: IEXPLORE.EXE
- PID 4796: IEXPLORE.EXE
- PID 4796: IEXPLORE.EXE
- PID 4796: IEXPLORE.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2448 wrote to memory of 3660 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 82)
- PID 2448 wrote to memory of 3660 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 82)
- PID 2448 wrote to memory of 3660 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 82)
- PID 3660 wrote to memory of 3424 (Boercservice.exe, procid_target 83)
- PID 3660 wrote to memory of 3424 (Boercservice.exe, procid_target 83)
- PID 3424 wrote to memory of 4796 (IEXPLORE.EXE, procid_target 84)
- PID 3424 wrote to memory of 4796 (IEXPLORE.EXE, procid_target 84)
- PID 3424 wrote to memory of 4796 (IEXPLORE.EXE, procid_target 84)
- PID 2448 wrote to memory of 5116 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 88)
- PID 2448 wrote to memory of 5116 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 88)
- PID 2448 wrote to memory of 5116 (027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe, procid_target 88)
- PID 3660 wrote to memory of 3424 (Boercservice.exe, procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe (PID 2448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\027ff902147f8adc996efb1e177c43bf_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Boercservice.exe (PID 3660)
    Command line: C:\Windows\system32\Boercservice.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 3424)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4796)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3424 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 5116)
    Command line: C:\Windows\system32\cmd.exe /c c:\del_file_1.bat
Network
MITRE ATT&CK Enterprise v15
Downloads