Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
74abae2b952...18.exe
windows7-x64
74abae2b952...18.exe
windows10-2004-x64
7$PLUGINSDI...ig.dll
windows7-x64
3$PLUGINSDI...ig.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDIR/fct.dll
windows7-x64
3$PLUGINSDIR/fct.dll
windows10-2004-x64
3$PLUGINSDI...ss.dll
windows7-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
3IETab.dll
windows7-x64
6IETab.dll
windows10-2004-x64
6IETab.exe
windows7-x64
6IETab.exe
windows10-2004-x64
6Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 17:43
Behavioral task
behavioral1
Sample
4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/IpConfig.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/IpConfig.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/fct.dll
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/fct.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
IETab.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
IETab.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
IETab.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
IETab.exe
Resource
win10v2004-20240709-en
General
-
Target
4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
-
Size
287KB
-
MD5
4abae2b952a10dd442eef4ea4fa9015f
-
SHA1
8bd1cbf7d6699e9e36938345b5635aff4f601f12
-
SHA256
f0cccead9c7b601d53c2898a5a78b75f7697a09bb999df05569656aa10a6e769
-
SHA512
af4c28d62efde7e9af3df50f9eb5eed2f2c9d5d2593e3cc8513a7ba0b3b6f7d10c11d7033c51595efc73c81d0b366578c9f9db17a192b09e4ab402d71a65c787
-
SSDEEP
6144:bH1JN0LUy75+ZPPfnE2Qyn2SyIilK9Xy61Bt4g75+ZPPfnE2Qyn20Ur:T1f4F+ZPPfnEUnydYugF+ZPPfnEUnI
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000800000002350b-57.dat acprotect behavioral2/memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 4448 explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 4996 IETab.exe -
Loads dropped DLL 12 IoCs
pid Process 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3704-0-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000800000002350b-57.dat upx behavioral2/memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp upx behavioral2/memory/3704-74-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IETab = "C:\\Program Files (x86)\\IETab\\IETab.exe" IETab.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3704 set thread context of 4448 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 88 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\IETab\IETab.exe 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe File created C:\Program Files (x86)\IETab\Uninstall.exe 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4996 IETab.exe 4996 IETab.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3704 wrote to memory of 4996 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 86 PID 3704 wrote to memory of 4996 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 86 PID 3704 wrote to memory of 4996 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 86 PID 3704 wrote to memory of 4448 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 88 PID 3704 wrote to memory of 4448 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 88 PID 3704 wrote to memory of 4448 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 88 PID 3704 wrote to memory of 4448 3704 4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe 88 PID 4996 wrote to memory of 1276 4996 IETab.exe 89 PID 4996 wrote to memory of 1276 4996 IETab.exe 89 PID 4996 wrote to memory of 1276 4996 IETab.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Program Files (x86)\IETab\IETab.exe"C:\Program Files (x86)\IETab\IETab.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\IETab\IETab.dll"3⤵PID:1276
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe2⤵
- Deletes itself
PID:4448
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD5d4d3eaf1936ba7bc33c9915a9d15443b
SHA117a662a957539473dd73b494248cf538e1a1736b
SHA2565e4beb7e70af6f40217db1869da66458e1fedb5452dfafa1985384615876b1ea
SHA512eb99e6d9db330e43cf0e0c143a071ee2bc809485c44098fb740583d037b7ab177992fdb7c5a0ead75951625966bf2c03038178102654da326a7fc125b3abaa95
-
Filesize
114KB
MD5a3ed6f7ea493b9644125d494fbf9a1e6
SHA1ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA5127099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1
-
Filesize
14KB
MD5a5f8399a743ab7f9c88c645c35b1ebb5
SHA1168f3c158913b0367bf79fa413357fbe97018191
SHA256dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize
4KB
MD57cff7fe2caea5184d98c147e7e263132
SHA121f39d3d0dd5f7198d67ef30e95d10ae3460093e
SHA256281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101
SHA512fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a
-
Filesize
13KB
MD529858669d7da388d1e62b4fd5337af12
SHA1756b94898429a9025a04ae227f060952f1149a5f
SHA256c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
SHA5126f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f
-
Filesize
4KB
MD5e3f3809f51c7982d96aaf9c090f7d176
SHA17494daa8000c0b31c58d94edc509232569a4606f
SHA256010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29
SHA5123fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc
-
Filesize
4KB
MD505450face243b3a7472407b999b03a72
SHA1ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA25695fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b