Analysis
- max time kernel: 91s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 04:22
Static task: static1
Behavioral task: behavioral1
Sample: f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
- Size: 747KB
- MD5: f52c7b690208a4fd9c3f2cc670e25375
- SHA1: 44ae7cfe1d226ff41cb7bf07b797b189f136e15e
- SHA256: 586512e8141469dac710fd7d0d7d35b94a7745c661d49a33ae625895c16a32c6
- SHA512: 599b0bca0b27f7e2d50369aeb2c6717c30df0c4ad8863d959fe7c417f61ba7bc5aee2df06ea753d622d7f5957046b2bf4170bf9a8d6d680af9e9dbcb52da4513
- SSDEEP: 12288:4soCYNrHi0tJICt3DIi0S80hrRZaqWR40rHeluaL0dUiuRm2Bao5:4soCYNrC2NJvhjyR4kKJRi0+4
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0008000000023c9d-4.dat | acprotect
behavioral2/files/0x0007000000023c9f-15.dat | acprotect
behavioral2/files/0x0007000000023c9e-13.dat | acprotect
Executes dropped EXE (1 IoCs)
pid | Process
1564 | PrstService.exe
Loads dropped DLL (4 IoCs)
pid | Process
4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
1564 | PrstService.exe
1564 | PrstService.exe
1564 | PrstService.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\PrstService.exe | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\PrstService.exe | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\PrstService.dll | PrstService.exe
File opened for modification | C:\Windows\SysWOW64\PrstService.dll | PrstService.exe

resource | yara_rule
behavioral2/files/0x0008000000023c9d-4.dat | upx
behavioral2/memory/4308-5-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/files/0x0007000000023c9f-15.dat | upx
behavioral2/files/0x0007000000023c9e-13.dat | upx
behavioral2/memory/1564-26-0x0000000002360000-0x0000000002384000-memory.dmp | upx
behavioral2/memory/4308-30-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/memory/1564-33-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/memory/1564-49-0x0000000010000000-0x000000001012A000-memory.dmp | upx
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Internet Explorer\Exmlrpc.fne | PrstService.exe
File created | C:\Program Files\Internet Explorer\krnln.fnr | PrstService.exe
File opened for modification | C:\Program Files\Internet Explorer\krnln.fnr | PrstService.exe
File created | C:\Program Files\Internet Explorer\IJL105.DLL | PrstService.exe
File opened for modification | C:\Program Files\Internet Explorer\IJL105.DLL | PrstService.exe
File created | C:\Program Files\Internet Explorer\dp1.fne | PrstService.exe
File opened for modification | C:\Program Files\Internet Explorer\dp1.fne | PrstService.exe
File created | C:\Program Files\Internet Explorer\Exmlrpc.fne | PrstService.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Fonts\PrstService.jpg | PrstService.exe
File opened for modification | C:\Windows\Fonts\PrstService.jpg | PrstService.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PrstService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings (16 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B78D2D58-82D7-11E6-B35D-76A26C5A2900} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "180939234" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO" | PrstService.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
1564 | PrstService.exe
1564 | PrstService.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeSystemtimePrivilege | 1564 | PrstService.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2668 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
1564 | PrstService.exe
2668 | IEXPLORE.EXE
2668 | IEXPLORE.EXE
4948 | IEXPLORE.EXE
4948 | IEXPLORE.EXE
4948 | IEXPLORE.EXE
4948 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4308 wrote to memory of 1564 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 84
PID 4308 wrote to memory of 1564 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 84
PID 4308 wrote to memory of 1564 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 84
PID 4308 wrote to memory of 3892 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 88
PID 4308 wrote to memory of 3892 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 88
PID 4308 wrote to memory of 3892 | 4308 | f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe | 88
PID 1564 wrote to memory of 2668 | 1564 | PrstService.exe | 98
PID 1564 wrote to memory of 2668 | 1564 | PrstService.exe | 98
PID 2668 wrote to memory of 4948 | 2668 | IEXPLORE.EXE | 99
PID 2668 wrote to memory of 4948 | 2668 | IEXPLORE.EXE | 99
PID 2668 wrote to memory of 4948 | 2668 | IEXPLORE.EXE | 99
PID 1564 wrote to memory of 2668 | 1564 | PrstService.exe | 98
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f52c7b690208a4fd9c3f2cc670e25375_JaffaCakes118.exe"
  PID: 4308
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\PrstService.exe
    Command line: C:\Windows\system32\PrstService.exe
    PID: 1564
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Image: C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      PID: 2668
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:17410 /prefetch:2
        PID: 4948
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\delus.bat
    PID: 3892
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 34KB
  MD5: 387cf1d2f17aff6967f3107773764513
  SHA1: b971bcd44988bee744f8133acb032e07d9dcd1db
  SHA256: 74c55aaee905be674763d679ca05a6baaf93f456b5d8935d6293e523766968c6
  SHA512: 19a4fb39b2f9863c92d76016290e701fd6bb1aa5d889896666922fd862d5b72b95a97aa27d3d0b3218233ba9dbcb3db147efbf9e61e5be853d4d3672e87bfd5c
- Filesize: 56KB
  MD5: 6649262561fba5d19f8b99dd251b5d02
  SHA1: 286e2ab6bc2220b3c9a83720c4c612623210e10f
  SHA256: 824afe6bde1c2890077e9a40c4261a77a1d736429709a45d68ed508581e74771
  SHA512: 688bd75b1e9661f425a21577063362e609ce496880a4780012317d56075095e5804fb7b849b32fbbea06fbbff5d47a5534113b6613f1a236b2a76cd043bba7ef
- Filesize: 406KB
  MD5: e79169d47394020f7c893abb840b61bb
  SHA1: c5b9c2cbef3d5458b52ebb67461e84432673fb1b
  SHA256: 11c25cdeb02ac401d913dc48b935a087e32c2d9b7b7c4a5cfdf36e4947e959dc
  SHA512: 21ca64559082a31e46e28513de762fa2239c521f60b3485bf99926f895f0bf6f63fe2162c3e2eb25705efad22d351e24b8283442f4954ac88bc8c56ef5dc529a
- Filesize: 747KB
  MD5: f52c7b690208a4fd9c3f2cc670e25375
  SHA1: 44ae7cfe1d226ff41cb7bf07b797b189f136e15e
  SHA256: 586512e8141469dac710fd7d0d7d35b94a7745c661d49a33ae625895c16a32c6
  SHA512: 599b0bca0b27f7e2d50369aeb2c6717c30df0c4ad8863d959fe7c417f61ba7bc5aee2df06ea753d622d7f5957046b2bf4170bf9a8d6d680af9e9dbcb52da4513
- Filesize: 230B
  MD5: 72504473241fb6647e9b3c242e37441a
  SHA1: 7431b89da9bccd4b304e48d1ac04a90ba473c527
  SHA256: b567ca5370d027d49bad6abbc3d88e7016da39d3648468cc19718f0e03aa7d6c
  SHA512: a798bc377697eb7e65253f34f4c215f108cf93e08a941b73a9fdf667063bcee28fa327ba743d4c2c3502e105dcc65ce9417de04be5eb2571a49f8ca939b9ae93