Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
22/08/2024, 03:50
Behavioral task
behavioral1
Sample
b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
-
Size
216KB
-
MD5
b63bf326cb8776d28e91539dac2c1265
-
SHA1
2c165a747e2af1e0c760aefa15454ab6c8f12da8
-
SHA256
ad40467c37cef7463a5b7c9d3948170b8ae2324e55d6d73e8e6b859228286b37
-
SHA512
290c4f068b06cc58755f9cdc87f1e42b72045021db0ae258bbcaad5c14f077248aff6342ec46bb749f8d322dc94f889082baff77d7532c6079053cc022957459
-
SSDEEP
3072:jSB5qSR3bSUm4R8WSXB0bXjuz31HWHUtesybqm:jSeUm/WSXAseHbq
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Dofake.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Dofake.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 5 2280 rundll32.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000c000000012273-5.dat acprotect -
Deletes itself 1 IoCs
pid Process 2616 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2628 Dofake.exe -
Loads dropped DLL 7 IoCs
pid Process
2188 regsvr32.exe
2280 rundll32.exe
2280 rundll32.exe
2280 rundll32.exe
2280 rundll32.exe
2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe -
resource yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x0000000000438000-memory.dmp upx
behavioral1/files/0x000c000000012273-5.dat upx
behavioral1/memory/2280-11-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-12-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000438000-memory.dmp upx
behavioral1/memory/2392-33-0x0000000000400000-0x0000000000438000-memory.dmp upx
behavioral1/memory/2280-146-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-150-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-151-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-152-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-153-0x0000000010000000-0x0000000010028000-memory.dmp upx
behavioral1/memory/2280-154-0x0000000010000000-0x0000000010028000-memory.dmp upx -
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\L: Dofake.exe
File opened (read-only) \??\M: Dofake.exe
File opened (read-only) \??\E: Dofake.exe
File opened (read-only) \??\G: Dofake.exe
File opened (read-only) \??\H: Dofake.exe
File opened (read-only) \??\I: Dofake.exe
File opened (read-only) \??\J: Dofake.exe
File opened (read-only) \??\K: Dofake.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 rundll32.exe -
Drops file in System32 directory 5 IoCs
description ioc Process
File created C:\Windows\SysWOW64\msn6561.dll b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created C:\Windows\SysWOW64\dllcache\msn6561.dll b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ssshile.dll b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created C:\Windows\SysWOW64\Dofake.exe b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\Web.ini rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dofake.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 46 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ssshile.dll" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ssshile.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45} regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2280 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 2628 Dofake.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2188 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2280 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 31
PID 2392 wrote to memory of 2628 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 33
PID 2392 wrote to memory of 2628 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 33
PID 2392 wrote to memory of 2628 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 33
PID 2392 wrote to memory of 2628 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 33
PID 2392 wrote to memory of 2616 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 34
PID 2392 wrote to memory of 2616 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 34
PID 2392 wrote to memory of 2616 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 34
PID 2392 wrote to memory of 2616 2392 b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s C:\Windows\System32\ssshile.dll 2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2188
-
-
C:\Windows\SysWOW64\rundll32.exe rundll32 msn6561.dll , InstallMyDll 2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2280
-
-
C:\Windows\SysWOW64\Dofake.exe C:\Windows\System32\Dofake.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c 375519961O57540.bat 2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 2
Pre-OS Boot 1
Bootkit 1
Downloads
-
Filesize
2KB
MD5 e024defdc3d4878a172df36071b1b928
SHA1 59697a7358c0449376b3fb763633edb890faeb4f
SHA256 88dee481c1410546996e93133fc605cce3c8109b0e6ad77e1004d0949de23056
SHA512 63e3ca4b870fa137e742002a67676ea63f675caa3c596dfe60a6db1e9d8e96431006e462073b105d325f389bccbf6ce17234dfcedc6d615eca3d3836b64713bd
-
Filesize
2KB
MD5 3b9123e58c22dfba46bb70e839cf5b53
SHA1 eff940aaf0a6c435a542b87b2ed825e6d4db739c
SHA256 b8d65ec76ff9eff9dfdec033a126a728b6dce4ac50d2cfab289da1da07d181cd
SHA512 a7ae5f421bb427286557dfcd5f47f3cc3ff9fd20bb674a6f1da74dfdf5295a620dceff6858ddb5ae4adfc2eee5776d82c90f7ddbdb859ba3ba2e0d70c3fe74a7
-
Filesize
34KB
MD5 2850424792c45d045064fd20caee9154
SHA1 07575ab6e60ec261d724dad00a952fd376c66a43
SHA256 f04bba4986055df9fadba6356fa4b49cfb08647c46e4d9d67ee4d87ab826758d
SHA512 fae07fc61102eb98d2add60df6a8a2c92dbe5b5b80b1de91e009d1271f07937d95f31d7f05b04a36d2cedf501215c4536d33b3c7f6afc81eb738322a7c96664f
-
Filesize
56KB
MD5 d56187f40d666692aafe6573d57eed4f
SHA1 bbc4d3c09668e521408b71bb1a6ea4eaa6a5bb79
SHA256 f8309a95f297d4818e3f8b957f144fe95425f8b467db324f12c19a6fb7b9b436
SHA512 2163d8dbf29a3a4add720b020d4531078b18f09a33f44c7a9ba0a93f46ccd7a79788e7974ec1fcba2fe9b71686cea8b311a0bd848874c5b416863608b5ce1422
-
Filesize
96KB
MD5 a6added823aee4871efe1a4ca8f47a09
SHA1 b39cc6522719748ca0481536e2f1e6405e95567f
SHA256 50b5ddd1e166865865e26fc960faa4e347734c39e632efed1d713d96b93d010b
SHA512 d6e0d9c968059ec9553bcf76d109be7ae373087701cc907a5c260f90d9a4071e64d9f0fa5abecc8fbadb8b7823cf18496fc92c32bf348483b614912296a2da8d