Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 08:54
Static task: static1
Behavioral task: behavioral1
Sample: 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Size: 989KB
MD5: 078f6c4adcea80cd47412fc3ed066c0b
SHA1: d01483c81ca96fc29026d944b19c6e2aa18eb9a4
SHA256: a1e79973551133833f062e6ec2ba8a48b9ebe1fc2383d20e5b3943758169b254
SHA512: a1ed26b83efe81b9b7b47bf545b69213ae4f6fcdd9a0245fc5aabbf15118d69592e4fdea56d72fb0f0d78794624a00998032167b6bf8c564a6a1567c67a322c0
SSDEEP: 24576:8JKHP49941fK2hM5ls1iYgBrSGIQm+aOQ+8ampnNZgIe0Gs637TxRtId:8Uw+fKVlDpc
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2224 | cmd.exe

Loads dropped DLL (3 IoCs)
pid | Process
1080 | regsvr32.exe
2056 | WerFault.exe
2056 | WerFault.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ | regsvr32.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\taobao.ico | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files\Hotspot Shield\HssIE\HssIE.dll | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\newicon.ico | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
File opened for modification | C:\Windows\newicon.ico | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2056 | 1080 | WerFault.exe | 28
Modifies registry class (24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D) | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ = "HotspotShieldÄ£¿é" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\ = "HotspotShieldÄ£¿é" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ProgID\ = "HssIE.HotspotShieldÄ£¿é" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\DefaultIcon\ = "C:\\Windows\\newicon.ico" | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O) | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O)\Command | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ = "Internet Explorer" | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid\ = "{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE} | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ShellFolder | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.wz1122.com" | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D)\Command | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32\ = "C:\\PROGRA~1\\HOTSPO~1\\HssIE\\HssIE.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\DefaultIcon | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ShellFolder\Attributes = "10" | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target | occurrences
PID 2300 wrote to memory of 1080 | 2300 | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe | 28 | 7
PID 1080 wrote to memory of 2056 | 1080 | regsvr32.exe | 29 | 4
PID 2300 wrote to memory of 2224 | 2300 | 078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe | 33 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe"
  Depth: 1
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2300

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 "C:\Program Files\Hotspot Shield\HssIE\HssIE.dll" -s
    Depth: 2
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1080

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 304
      Depth: 3
      - Loads dropped DLL
      - Program crash
      PID: 2056

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\qpg.bat
    Depth: 2
    - Deletes itself
    PID: 2224
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 511KB
MD5: 17e8f6bd91e2adcd7e8015015fcd54b6
SHA1: d1b1bfd4cd9aad0388efbff1aa16cb1111b9b451
SHA256: 8f98c68c1ffce60d3a5ab1dc50114777df63b455b5dc12b289a4fa1c47400142
SHA512: 1b1923b0392e307a9884e41b1f1c41362e4ecb33243f3db2929495356c752e8faf7437ada692c23a63465601bfb3882af65dd067b4bce3cfab19d095b3692e21

Filesize: 212B
MD5: 60f889ffb438fa9ad4eba1a8862dce56
SHA1: 8c408132bbeb6fcc8c2f504c1548360ed230d242
SHA256: 97c7a5f6d6e5ad2dde6fbaf6c47a1f433bb1cc5fb9e25cf712594c7d9f89b917
SHA512: 228db42a90e1fae0767778b2a7fd9679bf37572665e2f6458dedefb94320c9d8adb6055ef2001f3a03dc1e7cdca0b87a1f27d4bc945d200e5904f6248dd83df3

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Filesize: 1KB
MD5: 5ac69fb2967724296bcfe6b639b13cfe
SHA1: ff4ff693759eeac29482c1780464f1cf043d63a7
SHA256: cac42d6e9d84af2265e007583ab2ecde9f3b045d750b0a645ce4c07326bdfad7
SHA512: aa5e455ecef6b45851b1bb26c2d96d7bafa977a154e8f2ee1e24dcab940f0ed8647adfaa6154c0ad30efdc84ca93e585808226d73a9aca42aefbbebfc5de3488