Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 175s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 14:36
Static task
- static1
Behavioral task
- behavioral1
  Sample: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
- Size: 241KB
- MD5: e2c13d654e1397bf110f8ead50de5212
- SHA1: 33da95025432683cb4410bbb966700fed3dcc319
- SHA256: 7120e79a70b7545173221fd56857dec216d457a9560cc75dcb64ba2c87984409
- SHA512: aca8d47394249846ae666f884aa0b89cfc6e35b8872888f6bed787e36fabbb606a7bb7f2614d92f21b8971563ded4ffebf05805a8ea704e424bd569171c92e8b
- SSDEEP: 6144:5PISNDkrK1IK3hEnkDUxc2CIoqy+utDy+htDl+hN:5PISNA8R/gxcBqy+utDy+htDl+hN
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll"
  Process: regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, all from the same process)
  pid: 2664
  Process: svchost.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs, alternating between the two tokens below, all from the same process)
  Token: SeBackupPrivilege  pid: 2664  Process: svchost.exe
  Token: SeDebugPrivilege   pid: 2664  Process: svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs, all identical)
  description: PID 2568 wrote to memory of 2636
  pid: 2568
  Process: regsvr32.exe
  procid_target: 27
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 2568
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
    - Sets DLL path for service in the registry
    PID: 2636
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k e2c13d654e1397bf110f8ead50de5212_JaffaCakes118
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2664