Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 22:59
Static task: static1
Behavioral task: behavioral1
- Sample: 0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
- Size: 617KB
- MD5: 0b1e864b222d300a39e03e7f391c76bd
- SHA1: ff94e34249b1fac21c6c08a8a61c54c1fc34605b
- SHA256: 929435a5f3423df3469feed300627691142af912ca78ccd2f4e5e0db0ff78143
- SHA512: fd219b1ec7a18adc343d3b0b8a9c70af899c7a9f0fa8932de8a4c8754dc6f714ae1ee901a81d87f0aa8a8ed7048c410c120404dd6a120b3081d428c75ce24c37
- SSDEEP: 12288:HZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6Q9A:HafIiy4NwdLpQ9A
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
-
Suspicious use of FindShellTrayWindow (5 IoCs)
pid   Process
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4852  iexplore.exe
592   iexplore.exe
-
Suspicious use of SendNotifyMessage (3 IoCs)
pid   Process
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx (10 IoCs)
pid   Process
4852  iexplore.exe
4852  iexplore.exe
592   iexplore.exe
592   iexplore.exe
4924  IEXPLORE.EXE
4924  IEXPLORE.EXE
4648  IEXPLORE.EXE
4648  IEXPLORE.EXE
4648  IEXPLORE.EXE
4648  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid   Process                                             procid_target
PID 4528 wrote to memory of 4852  4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe  81
PID 4528 wrote to memory of 4852  4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe  81
PID 4528 wrote to memory of 592   4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe  82
PID 4528 wrote to memory of 592   4528  0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe  82
PID 4852 wrote to memory of 4924  4852  iexplore.exe                                        83
PID 4852 wrote to memory of 4924  4852  iexplore.exe                                        83
PID 4852 wrote to memory of 4924  4852  iexplore.exe                                        83
PID 592 wrote to memory of 4648   592   iexplore.exe                                        84
PID 592 wrote to memory of 4648   592   iexplore.exe                                        84
PID 592 wrote to memory of 4648   592   iexplore.exe                                        84
Processes (indentation shows parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4528
  -
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4852
    -
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 4924
  -
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?dn84
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 592
    -
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 4648
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6ABA0D7C-327D-11EF-92F1-D6AA8B0874BD}.dat
- Filesize: 5KB
- MD5: d7c17c58d8752209bd64dc21697e4c74
- SHA1: d37cc8b15ed4e5a9311b0ae7246e820a83066499
- SHA256: a73127504b4dfbe410b7fb59a87a8fd6f2139451e61170090e90203bd6b9fa20
- SHA512: 6a221f4e90cf9535a4f09e005a7cd58fb1e3ace9d3a65bee3dca7a0091edce0190bc0de0bca64dbaf1c4a496191df392884713aa46836001fe3c5dac1414388d
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6ABC6FAB-327D-11EF-92F1-D6AA8B0874BD}.dat
- Filesize: 3KB
- MD5: b95638a963ba53362e936627b8bd8ab7
- SHA1: 5eb91754554aef452287f36b2bdeaab5fd11a7c7
- SHA256: c7e1bc93bd33ca94e6bbf0e853bf57a89cbb33ba7daa624f9d7e293e19637dfc
- SHA512: 8c4f6f4b32916537cf926a82d26b08bb179cbafff95f15c63b1d3642feb6d3ca58367bb5ecc29941a1a2b3bab91cd90ee021868566cf043c645ec2a5f09d3661