Overview
Score  Task / target           Platform
7      Static (static)
3      fddb8b56a0...18.exe     windows7-x64
7      fddb8b56a0...18.exe     windows10-2004-x64
7      $0/resultbar.dll        windows7-x64
1      $0/resultbar.dll        windows10-2004-x64
1      $0/resultbar.exe        windows7-x64
1      $0/resultbar.exe        windows10-2004-x64
3      $0/uninstall.exe        windows7-x64
7      $0/uninstall.exe        windows10-2004-x64
7      $PLUGINSDI...ns.dll     windows7-x64
3      $PLUGINSDI...ns.dll     windows10-2004-x64
3      $PLUGINSDI...em.dll     windows7-x64
3      $PLUGINSDI...em.dll     windows10-2004-x64
Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 29/09/2024, 05:10
Static task
static1
Behavioral tasks
Task          Sample                                               Resource
behavioral1   fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   win7-20240903-en
behavioral2   fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   win10v2004-20240802-en
behavioral3   $0/resultbar.dll                                     win7-20240708-en
behavioral4   $0/resultbar.dll                                     win10v2004-20240802-en
behavioral5   $0/resultbar.exe                                     win7-20240704-en
behavioral6   $0/resultbar.exe                                     win10v2004-20240802-en
behavioral7   $0/uninstall.exe                                     win7-20240903-en
behavioral8   $0/uninstall.exe                                     win10v2004-20240802-en
behavioral9   $PLUGINSDIR/InstallOptions.dll                       win7-20240903-en
behavioral10  $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240802-en
behavioral11  $PLUGINSDIR/System.dll                               win7-20240704-en
behavioral12  $PLUGINSDIR/System.dll                               win10v2004-20240802-en
General
Target: fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
Size: 654KB
MD5: fddb8b56a01dfc7b2f20db5ae8c6afa7
SHA1: 53a3b37818847340a7c1c4111dcb4510f5bc9060
SHA256: b5457332bb2f8d2d2658b2db158f0ed12af8e4502c76e0ac717f7313d13fd8ba
SHA512: c85f534908af034cfac24bd102479d473ef49ab454c6d04cb82c3c22278f75f9224a29e889e2335d3ae98b915563e30bc91d489dd85fa2d850606b722a4ab7f0
SSDEEP: 12288:QOazeZYFBIuY8ldJ2su4+wVeWuXJ0kkw+dqDRhXzN/I3aSu7+RiF2obD1Y:D2FhY+d/on5/F+dqR/I3aSu7B+
Malware Config
Signatures
-
Executes dropped EXE (4 IoCs)
pid   Process
1260  resultbar.exe
116   resultbar.exe
4192  resultbar123.exe
4416  resultbar.exe
-
Loads dropped DLL (3 IoCs)
pid   Process
116   resultbar.exe
4192  resultbar123.exe
4416  resultbar.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory (5 IoCs)
description                   ioc                                                                                                   Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5         resultbar123.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                  resultbar123.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                   resultbar123.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5           resultbar123.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\BB7A1ZQM.htm     resultbar123.exe
-
Drops file in Program Files directory (4 IoCs)
description                   ioc                                                 Process
File created                  C:\Program Files (x86)\ResultBar\resultbar.exe      resultbar.exe
File created                  C:\Program Files (x86)\ResultBar\uninstall.exe      fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
File created                  C:\Program Files (x86)\ResultBar\resultbar.dll      resultbar.exe
File opened for modification  C:\Program Files (x86)\ResultBar\resultbar.dll      resultbar.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                                  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          resultbar.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          resultbar.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          resultbar123.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          resultbar.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
-
NSIS installer (1 IoCs)
resource                                          yara_rule
behavioral2/files/0x00070000000234c4-34.dat       nsis_installer_1
-
Modifies data under HKEY_USERS (8 IoCs)
description       ioc                                                                                                                     Process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"            resultbar123.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"           resultbar123.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"          resultbar123.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"             resultbar123.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix        resultbar123.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"    resultbar123.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   resultbar123.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                            resultbar123.exe
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   Process
4192  resultbar123.exe (this row is repeated 60 times in the original listing)
-
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
4416  resultbar.exe
4416  resultbar.exe
4416  resultbar.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process                                              procid_target
PID 2416 wrote to memory of 1260     2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   82
PID 2416 wrote to memory of 1260     2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   82
PID 2416 wrote to memory of 1260     2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   82
PID 2416 wrote to memory of 116      2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   83
PID 2416 wrote to memory of 116      2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   83
PID 2416 wrote to memory of 116      2416  fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe   83
PID 4192 wrote to memory of 4416     4192  resultbar123.exe                                     85
PID 4192 wrote to memory of 4416     4192  resultbar123.exe                                     85
PID 4192 wrote to memory of 4416     4192  resultbar123.exe                                     85
Processes
C:\Users\Admin\AppData\Local\Temp\fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe (PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.exe (PID 1260)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.exe" "C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.dll" 1342495222
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.exe (PID 116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.exe" "C:\Users\Admin\AppData\Local\Temp\nsf6CE5.tmp\resultbar.dll" sayeyagez "" dafucoti
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
C:\ProgramData\ResultBar\resultbar123.exe (PID 4192)
  Command line: "C:\ProgramData\ResultBar\resultbar123.exe" "C:\Program Files (x86)\ResultBar\resultbar.dll" emidafuco kevivaceq
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\ResultBar\resultbar.exe (PID 4416)
      Command line: "C:\Program Files (x86)\ResultBar\resultbar.exe" "C:\Program Files (x86)\ResultBar\resultbar.dll" cajozura wufeyakilo
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 82KB
MD5: c78dc19bab9bcb490d031ccca4bdf853
SHA1: f40960a41ff93fdcad2793f36fb5437db93b120c
SHA256: a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600
SHA512: da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca
-
Filesize: 564KB
MD5: 78a214f021ec9350231d6e6897626a43
SHA1: a193bfa081bae83b9de7bf8587015e56d7dd21ec
SHA256: ad3b50427a57326cfb9cbd3f9e2f998dbe6592b37139f32081845b2665495666
SHA512: 2c2b97fc70b077b5d81fa37c8cd40935c858e053226abc6e1e76387889af171fd5cf03c18a2348766d67c90035922b338ae3c56349de39822b6c008abe51b4b1
-
Filesize: 48KB
MD5: dd4be76eb8e2dbb337058604ea25c57d
SHA1: 6f0d8746eaf2d2258b86b7301c9a9928e807a541
SHA256: 915228f7184e3180ba59a9d282e017c63fe3f7d0e34f7a9786ec0698a60a5019
SHA512: 188a318d0a28b6089388aa26e72e9432aed85d96e4a047ca78158db59c99c0a09c9966b5c5d29def0048ddeac8cb409f0db08a2b8148634c14a950c68efddf5f