Analysis
- Max time kernel: 93s
- Max time network: 95s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 11/07/2024, 11:53
Static task: static1

Behavioral task: behavioral1
- Sample: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe
- Size: 76KB
- MD5: 39012b72862f10e588ed2d7f2918b879
- SHA1: df1402d2c787fc35e6dc8c66572fe19668d03548
- SHA256: 61fd924979cc940727719e9be6eae2fc9e8043de23a3526f3a4ddd3686967072
- SHA512: 0c906583e72afd0001340b8bf11311eb413f893618b80e5076a64ae1904881f933dd248fa115b3110afcbb9d85a5a0d52de3ac134ca9f4b443f021a35fa6a612
- SSDEEP: 768:FmL2tvq80Zk2mL2Lm2OSPRi9XhyiVPWsbRmQDXkz7g3UT8X2R3WxaTUrRhul6DJ:22okR2L5pOXEgVmrNRGxaTUDqaJ
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 11 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe (process: sb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe (process: sb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe (process: sb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSMGUI.exe (process: sb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe\Debugger = "shutdown -r -t 20" (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmgui.exe (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe (process: regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe\Debugger = "shutdown -r -t 20" (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe (process: regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe\Debugger = "shutdown -r -t 20" (process: regedit.exe)

Executes dropped EXE (1 IoC)
- PID 1672: sb.exe

Drops file in Windows directory (2 IoCs)
- File opened for modification: \??\c:\windows\fonts\internat.reg (process: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe)
- File opened for modification: \??\c:\windows\fonts\internat.vbs (process: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe)

Modifies Internet Explorer settings (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main (process: regedit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main (process: sb.exe)

Modifies Internet Explorer start page (1 TTP, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.pleoc.cn/" (process: regedit.exe)

Modifies registry class (11 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\http\shell\Maxthon (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\TencentTraveler\command (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell (process: regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\TencentTraveler\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" \"%1\"" (process: regedit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\http\shell\Maxthon\command (process: regedit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\http (process: regedit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\http\shell (process: regedit.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\http\shell\Maxthon\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" \"%1\"" (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command (process: regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\TencentTraveler (process: regedit.exe)

Runs .reg file with regedit (1 IoC)
- PID 2116: regedit.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 3320: 39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe (3 events)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3320 (39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe) wrote to memory of PID 2116, procid_target 86 (3 events)
- PID 3320 (39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe) wrote to memory of PID 1672, procid_target 87 (3 events)
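The IFEO writes are the most consequential behaviour in this report. Windows consults HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>\Debugger whenever <image> is started and runs the Debugger string instead, with the original command line appended. Setting it to "shutdown -r -t 20" for SuperKiller.exe, ArSwp.exe, arswp3.exe and KSMGUI.exe (names matching third-party anti-malware utilities, the classic target of this trick) means any attempt to run those tools reboots the host within 20 seconds. The following Python script is an added example, not part of the tria.ge report or of the sample: it parses a .reg file of the kind regedit /s was fed here and flags Debugger values that do not launch a known debugger, the IE start page change, and added http\shell verbs. The embedded .reg text is constructed to mirror the observed registry writes (the real c:\windows\temp\ie.reg is not reproduced on this page), and the allow-list of legitimate debuggers is an assumption an analyst would tune.

```python
"""Triage a dropped .reg file for IFEO Debugger hijacks and browser tampering.

Added example: not from the tria.ge report. SAMPLE_REG is constructed to mirror
the registry writes the sandbox observed; the real ie.reg is not on the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed allow-list of legitimate IFEO debuggers (tune for your environment).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}
IFEO_MARK = "\\currentversion\\image file execution options\\"

# Constructed sample modelled on the observed writes, plus one benign control entry.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]
"Debugger"="shutdown -r -t 20"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe]
"Debugger"="shutdown -r -t 20"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.pleoc.cn/"

[HKEY_CLASSES_ROOT\http\shell\TencentTraveler\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" \"%1\""

; benign control entry (constructed): a genuine debugger registration must not be flagged
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def unescape(s: str) -> str:
    # .reg string escapes are backslash + char: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: value}}. Quoted strings are decoded; dword:/hex:
    payloads are kept as raw text. The default value (@) is stored under ""."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, value = m.groups()
            name = "" if name == "@" else unescape(name[1:-1])
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = unescape(value[1:-1])
            keys[current][name] = value
    return keys


def launched_image(cmd: str) -> str:
    """Lower-case basename (with .exe) of the program a Debugger command starts."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base if base.endswith(".exe") else base + ".exe"


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding, target, value) for the three behaviours seen in the report."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if IFEO_MARK in k:
            # Registry value names are case-insensitive, so match "Debugger" loosely.
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg is not None and launched_image(dbg) not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_debugger_hijack", key.rsplit("\\", 1)[-1], dbg))
        if k.endswith("\\internet explorer\\main") and "Start Page" in values:
            findings.append(("ie_start_page", key, values["Start Page"]))
        if "\\http\\shell\\" in k and k.endswith("\\command") and "" in values:
            findings.append(("http_handler_verb", key.rsplit("\\", 2)[-2], values[""]))
    return findings


if __name__ == "__main__":
    for kind, target, value in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:22} {target:50} {value}")
```

Run against a real dropped file with `triage(parse_reg(open(path, encoding="utf-16").read()))` (regedit exports .reg files as UTF-16; files authored by malware are often plain ASCII, so fall back to the default encoding if decoding fails). A Debugger value that launches anything other than an allow-listed debugger is worth escalating regardless of what the target image is: the same mechanism is used to disable security tools, as here, and for persistence via accessibility binaries such as sethc.exe.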
Processes
- C:\Users\Admin\AppData\Local\Temp\39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe (PID 3320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39012b72862f10e588ed2d7f2918b879_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regedit.exe (PID 2116, child of 3320)
    Command line: regedit /s c:\windows\temp\ie.reg
    - Event Triggered Execution: Image File Execution Options Injection
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Runs .reg file with regedit
  - \??\c:\windows\temp\sb.exe (PID 1672, child of 3320)
    Command line: c:\windows\temp\sb.exe c:\windows\temp\sb.ini
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: 2c0585d04fd61b22fad036ac17f6ede4
  SHA1: 449b0d6bec8a92415af8fe307dfa6372e52554d7
  SHA256: 7b14a238fcbb7c124f47e5a200c7975a4c403dddca698b4b7820c8f1685d8609
  SHA512: eae74a37efecd1b8f93aac5e1537d731de47981d13a87504056b14a4052ae8cea7a4218c6d224ba30d02ebefe7541af3f6bb11a34a404db6c0dda05e6f06292a
- Filesize: 2KB
  MD5: 3920e9e28621db081c0db2c7c2b683a9
  SHA1: 49e8806096f9e52761c05d50323e14bf7949104d
  SHA256: f1ea158ec4f4b3d09640db09b0b7b2d1def71e48c64ca7466c0a079d645e162c
  SHA512: fe04da995d6246e176e0f50a4a28e6c8f44e1d719d2aee75665711fc3a2c722c27108230efbfa638bd777275c645362d01c4c375a17323d1df7238d8c6fde4ee
- Filesize: 592B
  MD5: 2dfd6786cc65ca8bbed835263c9279b0
  SHA1: 96fc7e635c5975c4b3923d11ecbba5ac3d216812
  SHA256: de264a93be4f0ce0dd6262a249a6d2cdb452108476a7378151750554933545b3
  SHA512: b8b34fb3d90ffd470abb7d81976ba08cdc381b61761eb35f08ed01265ffa60dadc8e6cc140d4cc16fd1bf34c065e109cd3c88dd8f6f53ba210598bbd5b9964a9