Overview
10Static
static
3d9af5dd07a...18.exe
windows7-x64
10d9af5dd07a...18.exe
windows10-2004-x64
7$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$TEMP/coffer.dll
windows7-x64
3$TEMP/coffer.dll
windows10-2004-x64
3Analysis
max time kernel: 147s
max time network: 147s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 11/09/2024, 05:18
Static task
static1
Behavioral task
behavioral1
Sample
d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Splash.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Splash.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$TEMP/coffer.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
$TEMP/coffer.dll
Resource
win10v2004-20240802-en
General
Target: d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Size: 345KB
MD5: d9af5dd07a77a24d5499164aed22dc0a
SHA1: 36aeb648e254ff72689ef8c95ab5851f95c8a73e
SHA256: 5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3
SHA512: 29328a3081a6939d370ae5d039490a3637b24d7c8f7420fa0d7e5f33d31b60fdbea2286d42580ba40b5a8d05c962616b59765b7ad4fe82bde340d9c11a90a1e7
SSDEEP: 6144:S58/+dBOIfjkkODm7aNXcdVcUdc+1znmBDFV1ZE3furMpN0tKPo3/3Y:NkOYLODm7aZc1dnzngTZ2u0xPy/o
Malware Config
Extracted
formbook
3.9
ik
aktfh.com
gzxcserver.com
ollgabruell-fengshui.com
peggyhaddadinteriors.com
tamoxifencitrate.store
dongygiatruyendactri.com
dosti-desire-thane.info
hidejunkie.com
client76212.review
chopaankabobhouse.com
sboz1.com
oilbularya.com
peachyfindz.com
chroniclephotograhpy.com
ynherbaltea.com
lirong2019.com
coolcloudhvac.singles
ruimingwuye.com
xinyue-vip-qq-dnf-com.site
binaprimamultiutama.com
xn--gzrz36f.com
xemwl.com
integral-logistics-design.com
6vlu.com
svjny.com
765gw.com
wboqtum.com
reflectorpolitico.com
plattshomeimprovement.com
qyrdg.com
eastbaywellnesspractice.com
66jiedai.com
jazhao.com
itunessource.com
sanguanbuzheng.com
dentistrymarketingservices.com
foxboilercare.com
631xys.info
russellmarlowe.com
xiaoerjiazhuang.net
traveltorest.com
halospastries.com
gyyishang.com
marjoriexavier.com
7cfn.loan
mesquite-locksmith.com
extremespank.com
tututote.com
tyingittogether.com
visordigitalsv.com
casazanzibar.net
y75xlt.info
paradigm-itengin.net
271pal.info
zuolanu.com
acschultesnc.net
nordline-messer.com
fintechcity.biz
ikplyz.info
jacuzzihotuboflakeforest.com
hsdfsyey.com
artfox6.com
gking.net
diabetescureguide.com
oyishu.com
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Formbook payload 2 IoCs
resource | yara_rule
behavioral1/memory/89192-100036-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral1/memory/89192-100040-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
Loads dropped DLL 4 IoCs
pid | Process
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T2_TQ080_HW = "C:\\Program Files (x86)\\Ldvalg\\mspbc.exe" | svchost.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 89192 set thread context of 1200 | 89192 | nslookup.exe | 21
PID 89292 set thread context of 1200 | 89292 | svchost.exe | 21
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Ldvalg\mspbc.exe | svchost.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\win.ini | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
89204 | 2632 | WerFault.exe | 30
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe (2 entries)
89192 | nslookup.exe (2 entries)
89292 | svchost.exe (24 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
pid | Process
2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
89192 | nslookup.exe (3 entries)
89292 | svchost.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 89192 | nslookup.exe
Token: SeDebugPrivilege | 89292 | svchost.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2632 wrote to memory of 89192 | 2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe | 31 (9 entries)
PID 2632 wrote to memory of 89204 | 2632 | d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe | 32 (4 entries)
PID 1200 wrote to memory of 89292 | 1200 | Explorer.EXE | 33 (4 entries)
PID 89292 wrote to memory of 89344 | 89292 | svchost.exe | 34 (4 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 1200
  C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2632
    C:\Windows\SysWOW64\nslookup.exe
      Command line: "C:\Windows\system32\nslookup.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 89192
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 600
      - Program crash
      PID: 89204
  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 89292
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\nslookup.exe"
      - System Location Discovery: System Language Discovery
      PID: 89344
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 87KB
MD5: 68c01bc47d1045c9e8dda48a10ec7b51
SHA1: 3a207ceabee302c6ad8c7420afceb375acb7a52d
SHA256: c02302d396b58a3fd040d7a9ca77707bc294c2565a09e544853e64506c6a4eed
SHA512: 75d2fbdb18c69d293609bc175eb4fd883f05530705bfac9f15101edc1d5458e0d134d473530d2db263ee2da524570c695d70e7961cec9dd751b02562c18ed539

Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Filesize: 517B
MD5: 893cae59ab5945a94a7da007d47a1255
SHA1: d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06
SHA256: edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938
SHA512: d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Filesize: 34KB
MD5: 9efcdaec062823e9749250da225dfe4d
SHA1: 1d6209a71c061729683ce81890f2d8c0c02c6e05
SHA256: 04904de1d15bb931cf85eadb7714bd53f7236de0fbc1f62c22aafb3470ff847c
SHA512: b7faee0a4c769ee39fc11fe20c6ec362b6802e9fd7f81d8a495f1423263af8074cf995c1ff8d964680c10c3026e69ddb66e749b9b29784309502d805673a720a

Filesize: 4KB
MD5: 3f35f73787f0c3bb5e59445fb18ade0d
SHA1: f1566faff96c3988cfc28dc7d433094b6348cdbf
SHA256: 5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6
SHA512: 45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57

Filesize: 11KB
MD5: fbe295e5a1acfbd0a6271898f885fe6a
SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06