Analysis
max time kernel: 141s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2024, 10:14
Tasks
Static task static1
Behavioral task behavioral1: sample 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample $PLUGINSDIR/GetVersion.dll, resource win7-20240729-en
Behavioral task behavioral4: sample $PLUGINSDIR/GetVersion.dll, resource win10v2004-20240802-en
Behavioral task behavioral5: sample $PLUGINSDIR/KillProcDLL.dll, resource win7-20240903-en
Behavioral task behavioral6: sample $PLUGINSDIR/KillProcDLL.dll, resource win10v2004-20240802-en
Behavioral task behavioral7: sample $PLUGINSDIR/System.dll, resource win7-20240708-en
Behavioral task behavioral8: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
General
Target: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Size: 1005KB
MD5: 12e9927d52006fdfb16919e0ccdfb670
SHA1: 128643ef042e58f53b0d493441afb5ef6fa61bc5
SHA256: 23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa
SHA512: 76dae07dd4b99f1bffb9bdbe79b07a2246f31271a288562adff5e6d9af4587c1234895ac651c55025d27de4e4d623adf266aaabaf0735791900a628c8d981ad1
SSDEEP: 24576:5aK/eDpS1eAR+XTQeZaSyYE5Qs+B9Kfyl/QlrnRdyNCMNqL1Xi:3/e9jCST5ZHyYE5hboir91Xi
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid / Process:
  4516 svchost.exe
  3664 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
  3076 svchost.exe
Loads dropped DLL (14 IoCs)
pid / Process:
  3664 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (14 identical entries)
Drops file in Program Files directory (38 IoCs)
File opened for modification by svchost.exe:
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe
  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  C:\Program Files\Java\jdk-1.8\bin\javap.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
  C:\Program Files\Java\jdk-1.8\bin\java.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Google\Chrome\Application\chrome.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  C:\Program Files\Java\jdk-1.8\bin\javac.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Drops file in Windows directory (1 IoC)
File created: C:\Windows\svchost.exe by 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
  svchost.exe
  12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
NSIS installer (1 IoC)
resource behavioral2/files/0x0007000000023621-8.dat matched yara rule nsis_installer_1
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid / Process:
  3664 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (12 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
  PID 2280 wrote to memory of 4516 / 2280 / 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe / 89 (3 identical entries)
  PID 4516 wrote to memory of 3664 / 4516 / svchost.exe / 90 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 4516)
    command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (PID 3664)
      command line: "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\svchost.exe (PID 3076)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3136)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads