Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 08:31
Static task: static1
Behavioral task: behavioral1
- Sample: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
- Size: 14KB
- MD5: 734dd04d219834bee0dc4e333575c8aa
- SHA1: d4f5a8bcb6d3e23493f79c3c12752638c0b367aa
- SHA256: 1aaf0309edd6beab7310503b797e64a4f8c28ebb1abf568ece034fd9afb921be
- SHA512: dd768896d0f6c475ca7aa5144320a40a9e65466dda4a7bd20305abc139f36ff9c616018167ef894d93e713460eea1f85a2a708a973589286713fca7621b6d80c
- SSDEEP: 384:1o+PRpVf1vpCtuMihEM2P5Nt6tA6oEaRd6V:15PRpV9YMMmEM2P5Nt6XaRI
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xolehlpjh.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}" | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
PID | Process
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

Drops file in System32 directory (3 IoCs)
Description | IoC | Process
File created | C:\Windows\SysWOW64\xolehlpjh.tmp | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xolehlpjh.tmp | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xolehlpjh.nls | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry class (4 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment" | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44} | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\xolehlpjh.dll" | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
PID | Process
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Description | PID | Process | Target PID
PID 5116 wrote to memory of 5024 | 5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe | 96
PID 5116 wrote to memory of 5024 | 5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe | 96
PID 5116 wrote to memory of 5024 | 5116 | 734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe | 96
Processes
1. C:\Users\Admin\AppData\Local\Temp\734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\734dd04d219834bee0dc4e333575c8aa_JaffaCakes118.exe"
   PID: 5116
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 5116)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\196F.tmp.bat
      PID: 5024
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
- Filesize: 207B
- MD5: 2dea6f7fcdcf4ed36ff58697370e8ddd
- SHA1: 58d29685a855a88e8df4aee48c3a4e6ef121dff3
- SHA256: 364844e5dde4ca5eb1774b385e0a52b550cb986e7441a82b9c889f773e2de811
- SHA512: 7d60701e9239df7fa940e6abfafcd53ea835c9351799ed9d913e53206b56336ed6b0243e402db75141eb071b4f2d754472827484864636a4703330aadfeba6c4
File 2
- Filesize: 2.3MB
- MD5: 2a1125273c6f45c7a6816abdebf49acc
- SHA1: 1c2e2d81adfc2f4bacdd58a8eb4cb5733aa898ee
- SHA256: d96ddbce284aab34a6a462d934897d3d17f9ead1d9fb5f4557c329292974a4d2
- SHA512: 4a274e96d29720ce5570e7bd50834d98c0fc45da51a521d0b55c1d44d76ce7cf5c0863e406c37f30ad248b696392f4012baa138513ed5a0100998ef7a14ab4ce