Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
Size: 229KB
MD5: 63203ae85df9137abd546f4e8020c663
SHA1: d2b56bf943725656c3f70762597b5326c9555c7d
SHA256: b680531487a0b57b2007d5a267edd3319227b56c7b43683d1f6a445f16ce3b9c
SHA512: fd1380a6ad1264e064a918c25f951d2bdfef53a1c688f43c2b0e011ed734bb12a20a861080f6d2a869e313eb3d6b6161db2f4fb98a3240669f0278cede93fb7d
SSDEEP: 6144:SY94Nr1JnShSEk7SgEOH9YnrnGftMTkXkS6HMsWbPRpS:R9OZJnS83uDGft4kXv6ssIJpS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | rinst.exe
Executes dropped EXE (2 IoCs)
pid | Process
4908 | rinst.exe
540 | bpk.exe
Loads dropped DLL (4 IoCs)
pid | Process
540 | bpk.exe
540 | bpk.exe
540 | bpk.exe
644 | 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe" | bpk.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | bpk.exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\bpkwb.dll | rinst.exe
File created | C:\Windows\SysWOW64\inst.dat | rinst.exe
File created | C:\Windows\SysWOW64\rinst.exe | rinst.exe
File opened for modification | C:\Windows\SysWOW64\pk.bin | bpk.exe
File created | C:\Windows\SysWOW64\pk.bin | rinst.exe
File created | C:\Windows\SysWOW64\bpk.exe | rinst.exe
File created | C:\Windows\SysWOW64\bpkhk.dll | rinst.exe
File created | C:\Windows\SysWOW64\mc.dat | rinst.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
540 | bpk.exe
540 | bpk.exe
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
540 | bpk.exe (all 64 IoCs are this same pid/process pair)
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
540 | bpk.exe (all 8 IoCs are this same pid/process pair)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 644 wrote to memory of 4908 | 644 | 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe | 86
PID 644 wrote to memory of 4908 | 644 | 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe | 86
PID 644 wrote to memory of 4908 | 644 | 63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe | 86
PID 4908 wrote to memory of 540 | 4908 | rinst.exe | 89
PID 4908 wrote to memory of 540 | 4908 | rinst.exe | 89
PID 4908 wrote to memory of 540 | 4908 | rinst.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63203ae85df9137abd546f4e8020c663_JaffaCakes118.exe"
  PID: 644
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    PID: 4908
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\bpk.exe
      Command line: C:\Windows\system32\bpk.exe
      PID: 540
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads