Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1184f38a5a...18.dll

windows7-x64

7

1184f38a5a...18.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2024, 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1184f38a5ab591929c39dc6af3012d50_JaffaCakes118.dll

  • Size

    383KB

  • MD5

    1184f38a5ab591929c39dc6af3012d50

  • SHA1

    28d5e8bcfa8967ec69265fd851f948e185c541de

  • SHA256

    ae3de70319b20534d219ae86900c2d54498b91078f76aa4f1a86c6cdb12e6cc9

  • SHA512

    1d89eff0e925426e0deaa312c86e6286fcd6ea8e820caab1dbba8e3fdd43d66029e9b4df18115b5cbdb37f227c14ec1eda658ecc97b1539fbfc654ce23817263

  • SSDEEP

    6144:IRD4MlqMABEN37jt9ZA3H8DaLCw0w6LhMA8aF8pVqEDFqf1b/3C:IRZQOrcHwwH6tMzaFg8EDcf1r3C

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1184f38a5ab591929c39dc6af3012d50_JaffaCakes118.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2060
  • C:\Windows\system32\wimserv.exe
    C:\Windows\system32\wimserv.exe
    1⤵
      PID:1172
    • C:\Windows\system32\gpscript.exe
      C:\Windows\system32\gpscript.exe
      1⤵
        PID:2448
      • C:\Windows\system32\odbcad32.exe
        C:\Windows\system32\odbcad32.exe
        1⤵
          PID:2668
        • C:\Windows\system32\raserver.exe
          C:\Windows\system32\raserver.exe
          1⤵
            PID:2672
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1k6c512.cmd
            1⤵
              PID:2436
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{496a1bfb-bb00-6ae2-db67-52874c80023b}"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2228
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{496a1bfb-bb00-6ae2-db67-52874c80023b}"
                2⤵
                  PID:2652
              • C:\Windows\system32\rrinstaller.exe
                C:\Windows\system32\rrinstaller.exe
                1⤵
                  PID:2272
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vHO5HbD.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:1956
                • C:\Windows\System32\eventvwr.exe
                  "C:\Windows\System32\eventvwr.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2724
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\EsMKWo.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2736
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Awbvuqtgexjqq" /SC minute /MO 60 /TR "C:\Windows\system32\5299\rrinstaller.exe" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:1748

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1k6c512.cmd
                  Filesize

                  237B

                  MD5

                  7ef2c7b93d85e274143192806a5dba67

                  SHA1

                  ebbd019ef12cc8e9c6d4ba43f0ffb0b5a7c5ba7a

                  SHA256

                  2c3ec5c44918f8a7cbb1a91065164e07a9b5bcc5f69acd5093e2ed1458f90985

                  SHA512

                  a711bae48b297f09662a80ea8b91399bc39ab63ad71420e16b7aee25ed826236c3789a9dcb54afe1ac214e35b7df80acafd62f4b8db5727adebfa015f0c3d6cd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EsMKWo.cmd
                  Filesize

                  135B

                  MD5

                  d3cdeca099e73cebb801c0a83665d690

                  SHA1

                  9d04dfccc38f822a1daff4fd1f97295c7b775536

                  SHA256

                  8502d35d5f2b1974691e8e13dd773cda87389f9e922cee802ac3f4e0347706ad

                  SHA512

                  59510dc0cecb112b409a89dfcb9dad167b065207af64ac98b7f518577293117493d2b6fc409c4af52b31494b997d8a02d49a23351de9a27258c2ee71ac656aad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\J5A8F.tmp
                  Filesize

                  389KB

                  MD5

                  71326cc6b3f30822699ce524676757b7

                  SHA1

                  d67ffe3688e5735a25d240904dbacdf151d443f7

                  SHA256

                  503c32559d1099e0d84fdc9a17d5d576b0a45655a891ec28ce5bcd4244a88913

                  SHA512

                  5339749d731f984f2c82d0ab575d9496c433e90444d679b5bf90392a4124387cb8e4a921e8dac8d536494b314e2dafffd2c8db558a849b9d366ae7210d665ef1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\fg5679.tmp
                  Filesize

                  385KB

                  MD5

                  519e68480286e14a0c5fda293afbe6ef

                  SHA1

                  08ce35b09345912c8e683791e46e5be9e37584b5

                  SHA256

                  1da5fb31642f2cf4e8fe15d29aab3a3977b961f38729ed874bc5209d0936ac48

                  SHA512

                  d8938b7647c230964d39b9da1ddedc551202a8249ccc9e3c2a63db6b80baa02663f8b033c5a920be71fbe643d9b9718a62d6b0305a5bd0817da7791d1800be40

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\vHO5HbD.cmd
                  Filesize

                  195B

                  MD5

                  254307a96e0b7e73e915b92b51ee8eb2

                  SHA1

                  74eaeff0b202945dd0ed994aff8302056d48d524

                  SHA256

                  3a3ce79f35675d925710313847ba319aa7cea50a7a8525bb4586f676e6ed8e36

                  SHA512

                  e8728621e62a50abe43dbf3df56c90c390c8000ca0818f73add86c250bf77f15366173fa36e537426d32094eb1099cc1f66af104e96a68261eb1cf17a92fa4bc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\1I7ATgK\raserver.exe
                  Filesize

                  123KB

                  MD5

                  cd0bc0b6b8d219808aea3ecd4e889b19

                  SHA1

                  9f8f4071ce2484008e36fdfd963378f4ebad703f

                  SHA256

                  16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

                  SHA512

                  84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wmbdcrujqsagqwc.lnk
                  Filesize

                  894B

                  MD5

                  3b3a4895ea2b10f27108379f306186e2

                  SHA1

                  cc7b57d58d0e808f840db32496cfd5d3f4185e59

                  SHA256

                  fa5f1a69f4262c1e063e84ca46affb6f68c6c9640441fac44127b63de45ac50d

                  SHA512

                  bda103e488fb45bf9079ea7a7b74ec34d25e0f900462ed22c2f1af4050cf74eb1283e64118ec42080992bcb7f0a13b02bdb791358cc942f63363dcba559868bd

                  Download Submit

                • memory/1224-9-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-33-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-11-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-12-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-13-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-14-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-15-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-16-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-17-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-23-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-24-0x0000000077171000-0x0000000077172000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1224-10-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-34-0x00000000772D0000-0x00000000772D2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1224-40-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-84-0x0000000076F66000-0x0000000076F67000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1224-8-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-7-0x000000007C000000-0x000000007C065000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/1224-3-0x0000000076F66000-0x0000000076F67000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1224-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2060-6-0x0000000074AE0000-0x0000000074B45000-memory.dmp

                  Filesize

                  404KB

                  Download

                • memory/2060-2-0x0000000000380000-0x0000000000383000-memory.dmp

                  Filesize

                  12KB

                  Download

                • memory/2060-0-0x0000000074AE0000-0x0000000074B45000-memory.dmp

                  Filesize

                  404KB

                  Download