Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
  Resource: win10v2004-20240910-en
General
Target: 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
Size: 1.1MB
MD5: 17f647529e3e79fb98eb9cad9c596a11
SHA1: 4c51c79616540d3b9e4c0e55067a5ad622174354
SHA256: 0b7c260e6406f5d8b6e668e5eab50923d46da309615f853ed0a69f4e29045531
SHA512: 138d5a7a33df7ac434cf0e5ff809e9fb12a79009c105eeab78cdea00f24481d7b491b497ce40abc3a4e2846b1fd985bd0bde7438edcc74912c1c7086ce5be7ec
SSDEEP: 12288:fAmuvkO22JUMDLq28CEJLuaZL/2F963PQCQa0qtT4lpuQYeDyj9bdIDPUFOyc:YnP22KgzreLGI3Qd2+zjyBbd8w
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid | process
  2288 | bgProgram.exe

Loads dropped DLL (1 IoC)
  pid | process
  2456 | regsvr32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows×ÀÃæ³ÌÐò = "c:\\Program Files\\bgProgram\\bgProgram.exe" | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe

Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | regsvr32.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | \??\c:\Program Files\bgProgram\bgProgram.exe | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
  File created | \??\c:\Program Files\bgProgram\XXY.DLL | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bgProgram.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
Modifies registry class (60 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "c:\\Program Files\\bgProgram\\XXY.DLL" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "BhoApp Class" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer\ = "BhoNew.BhoApp.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\ = "BhoApp Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "c:\\Program Files\\bgProgram\\XXY.DLL" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\ = "BhoApp Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "c:\\Program Files\\bgProgram" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "BhoNew 1.0 Type Library" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "BhoNew.BhoApp.1" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "BhoNew.BhoApp" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{d27cdb6e-ae6d-11cf-96b8-444553540000}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | regsvr32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
  4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 4856 wrote to memory of 2288 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 86
  PID 4856 wrote to memory of 2288 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 86
  PID 4856 wrote to memory of 2288 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 86
  PID 4856 wrote to memory of 3424 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 87
  PID 4856 wrote to memory of 3424 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 87
  PID 4856 wrote to memory of 3424 | 4856 | 17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe | 87
  PID 3424 wrote to memory of 2456 | 3424 | cmd.exe | 90
  PID 3424 wrote to memory of 2456 | 3424 | cmd.exe | 90
  PID 3424 wrote to memory of 2456 | 3424 | cmd.exe | 90
Processes (process tree; depth shown by indentation)

[1] C:\Users\Admin\AppData\Local\Temp\17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\17f647529e3e79fb98eb9cad9c596a11_JaffaCakes118.exe"
    PID: 4856
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\Program Files\bgProgram\bgProgram.exe
        command line: "c:\\Program Files\\bgProgram\\bgProgram.exe"
        PID: 2288
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c regsvr32 "c:\Program Files\bgProgram\XXY.DLL" /i /s
        PID: 3424
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            command line: regsvr32 "c:\Program Files\bgProgram\XXY.DLL" /i /s
            PID: 2456
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - System Location Discovery: System Language Discovery
            - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 552KB
MD5: 05573657d07792be6223ebe34f50c3c3
SHA1: a307334e2cb2cb44c258df9b98aa69f681676e30
SHA256: ba769011044fc45b27e0fec8129662c127309d5ab3604585e307b5347deedabb
SHA512: f88ac8dc624cb74ba96b5b6207d622dafe1abdb1e92314c77b99852510b2767295b72ef253bce71a56ff2699870fc08de6d841b1ea24dd07f8b64b4e4d91a3ef

Filesize: 77KB
MD5: 2b9a9c473462ea508acaed3b11ae38c0
SHA1: 66382be9fa2237467a3e06d05e227768b5d6a548
SHA256: fc7f80f119d0b36a915c1f587fa1ea017c8da85fc912bcca2f8d9d750371b63e
SHA512: 453b4e032c9ab47a2af3e2a02e78ac6bde012ebee2f77c41cc42b20658daac005ff0258d121b467bb609ded04bc480933f828b4a4bda99c93d0fbdd2b280e105