Analysis
- max time kernel: 31s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 08:31
Static task: static1
Behavioral task: behavioral1
- Sample: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Size: 14KB
- MD5: 734dd04d219834bee0dc4e333575c8aa
- SHA1: d4f5a8bcb6d3e23493f79c3c12752638c0b367aa
- SHA256: 1aaf0309edd6beab7310503b797e64a4f8c28ebb1abf568ece034fd9afb921be
- SHA512: dd768896d0f6c475ca7aa5144320a40a9e65466dda4a7bd20305abc139f36ff9c616018167ef894d93e713460eea1f85a2a708a973589286713fca7621b6d80c
- SSDEEP: 384:1o+PRpVf1vpCtuMihEM2P5Nt6tA6oEaRd6V:15PRpV9YMMmEM2P5Nt6XaRI
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xolehlpjh.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}"
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Deletes itself (1 IoC)
  pid: 2864
  process: cmd.exe
- Loads dropped DLL (1 IoC)
  pid: 828
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\xolehlpjh.tmp
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\xolehlpjh.tmp
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\xolehlpjh.nls
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: cmd.exe
- Modifies registry class (4 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\xolehlpjh.dll"
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment"
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 828
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid: 828
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  (the same pid/process pair is reported three times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 828 wrote to memory of 2864
  pid: 828
  process: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
  procid_target: 30
  (the same entry is reported four times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 828
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 828)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\5F5F.tmp.bat
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2864
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 207B
  MD5: 2dea6f7fcdcf4ed36ff58697370e8ddd
  SHA1: 58d29685a855a88e8df4aee48c3a4e6ef121dff3
  SHA256: 364844e5dde4ca5eb1774b385e0a52b550cb986e7441a82b9c889f773e2de811
  SHA512: 7d60701e9239df7fa940e6abfafcd53ea835c9351799ed9d913e53206b56336ed6b0243e402db75141eb071b4f2d754472827484864636a4703330aadfeba6c4
- Filesize: 2.1MB
  MD5: a8cec1c4ae8afdd5408d4d000da70421
  SHA1: 5f1dce84b5d908e4a8b653010674c4b305ca5667
  SHA256: 046bfea1d59376ea5a8b07b8cbf09a7b50b35b5846d3c8e69e356e0486e2c139
  SHA512: c691eae90bad5274319dac53530feb656af75a6522b8fbcc5549cab08748101cf37062f5329e8d65cc1eb39a850618b6e4534480b4da91ea9ba95524c5eaab6b