Analysis
max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 05:31
Static task: static1
Behavioral task behavioral1: sample 0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240903-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
Behavioral task behavioral5: sample $R3/dvflekzd.dll, resource win7-20240903-en
Behavioral task behavioral6: sample $R3/dvflekzd.dll, resource win10v2004-20240802-en
General
Target: 0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe
Size: 148KB
MD5: 0e2614021d554b0534d0fb8e50dadd5e
SHA1: 1a78dd974bc2346931566d06f17899bdf6ab7971
SHA256: 9f02093aac7808cb10582b4b2767aa16782f28d00b8b8e9c9d45196e00338cd7
SHA512: 455c2fe11aea0c99ca6c9a41c474bc028db28566c1173588a56d4a406d6263389548ed1df181931a57735f04a64ca89649e56064f63101d271f6d9739fbaf7b2
SSDEEP: 3072:zQIURTXJAMeVY06GRKHxN48rdIfbnUT9Pk7x+mowAEq:zsneP+H08rdPTBk+wC
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
  pid   Process
  1928  0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe
  3960  rundll32.exe
  1784  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Google\\xxdtodvy.dll,FilterSetEffectID"
  Process: rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  3960  rundll32.exe
  3960  rundll32.exe
  1784  rundll32.exe
  1784  rundll32.exe
  1784  rundll32.exe
  1784  rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1784  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                              procid_target
  PID 1928 wrote to memory of 3960   1928  0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe   82
  PID 1928 wrote to memory of 3960   1928  0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe   82
  PID 1928 wrote to memory of 3960   1928  0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe   82
  PID 3960 wrote to memory of 1784   3960  rundll32.exe                                         83
  PID 3960 wrote to memory of 1784   3960  rundll32.exe                                         83
  PID 3960 wrote to memory of 1784   3960  rundll32.exe                                         83
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e2614021d554b0534d0fb8e50dadd5e_JaffaCakes118.exe"
    PID: 1928
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsr7D80.tmp\dvflekzd.dll",FilterSetEffectID
        PID: 3960
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Google\xxdtodvy.dll,FilterSetEffectID
            PID: 1784
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 328KB
MD5: ef63a544e38c3a3f1f40d51cdd67466b
SHA1: 5f3e77446c880b9ddcce9dfb26442f2631d9b9b9
SHA256: f35d0b4b42d3c8800f146e96924be72e6c3c4cdf5eebd5ae59127e276bbc12cc
SHA512: 83cdaac3504701319e07a14a18170813dd4914faa1b75e73ae5beeb23a44eb1cdee5b772d606de9938f99c4fe6808998677638970ed1c4639e58b5fa57effff9