Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 04/06/2024, 21:19
Static task: static1
Behavioral task: behavioral1
  Sample: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
Size: 748KB
MD5: 964be19e477b57d85aceb7648e2c105d
SHA1: 6c8ab56853218f28ac11c16b050ad589ea14bafe
SHA256: 9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d
SHA512: 60379f9bf7f4e59f81f95898d1b0c10ea82abd306dbdf4dfef921e873bf4c3d2c4914d498efa16d60c52171a1802099c3c61289a12c64f13ea9457cd807ce4ca
SSDEEP: 12288:0EI6h2sJXCB1joFX4HcTHQPviK5qXOlL29huNghWdLzqCTz0MDNhmku02k//m1:0EPXCzoXPQR5qXfDsghWxnTz0eNhFn2c
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\SystemFile"  wserver.exe
  Note: the ServiceDll value points at C:\Windows\SystemFile, which has no .dll extension, although wserver.exe also drops C:\Windows\SystemFile.dll (see "Drops file in Windows directory"). The two svchost.exe -k netsvcs instances in the process tree (PIDs 2572 and 2600) each spawn a child svchost.exe with Nwsapagent on its command line and enable SeDebugPrivilege, which is consistent with this service DLL being loaded into those svchost instances.
Deletes itself (1 IoC)
  2876 cmd.exe
Executes dropped EXE (1 IoC)
  2896 wserver.exe
Loads dropped DLL (4 IoCs)
  2072 rundll32.exe (4 loads)
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\SystemFile.dll  wserver.exe
  File opened for modification  C:\Windows\SystemFile.dll  wserver.exe
  File created                  C:\Windows\SystemFile      wserver.exe
  File opened for modification  C:\Windows\SystemFile      wserver.exe
Modifies registry class (6 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\wserver.exe"  rundll32.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command  rundll32.exe
  Note: this is the mscfile handler hijack used for the CompMgmtLauncher.exe UAC bypass (ATT&CK T1548.002). HKCU\Software\Classes takes precedence over the HKLM default when HKCR is resolved, so when the chain rundll32.exe -> cmd.exe -> cmd.exe -> CompMgmtLauncher.exe (PID 2756) opens compmgmt.msc, the per-user handler runs cmd.exe /c wserver.exe (PID 2664) in place of mmc.exe, and rundll32.exe removes the key afterwards. Elevation only results when the user is a local administrator with UAC set below "Always notify".
Runs ping.exe (1 TTP, 2 IoCs)
  2728 PING.EXE
  1816 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  2896 wserver.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  1728 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe (17 hits)
  2572 svchost.exe
  2600 svchost.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  2896 wserver.exe
  Token: SeDebugPrivilege  2572 svchost.exe
  Token: SeDebugPrivilege  2600 svchost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  1728 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe (2 hits)
  2072 rundll32.exe (2 hits)
Suspicious use of WriteProcessMemory (50 IoCs; one line per parent -> child pair, with the hit count and the analysis-internal target id)
  1728 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe -> 2072 rundll32.exe   target 28, 7 hits
  2072 rundll32.exe -> 3052 cmd.exe                                              target 29, 4 hits
  3052 cmd.exe -> 2740 cmd.exe                                                   target 32, 3 hits
  2740 cmd.exe -> 2756 CompMgmtLauncher.exe                                      target 33, 3 hits
  2756 CompMgmtLauncher.exe -> 2664 cmd.exe                                      target 34, 3 hits
  2664 cmd.exe -> 2896 wserver.exe                                               target 36, 4 hits
  2896 wserver.exe -> 2584 cmd.exe                                               target 38, 4 hits
  2584 cmd.exe -> 2728 PING.EXE                                                  target 39, 4 hits
  2572 svchost.exe -> 2812 svchost.exe                                           target 40, 5 hits
  2600 svchost.exe -> 2260 svchost.exe                                           target 42, 5 hits
  1728 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe -> 2876 cmd.exe       target 43, 4 hits
  2876 cmd.exe -> 1816 PING.EXE                                                  target 45, 4 hits
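The two registry writes in the signatures (the Nwsapagent ServiceDll and the per-user mscfile handler) are what a hunt over registry telemetry should catch. The Python below is an added example written for this report, not tria.ge code and not part of the sample: it parses "Set value" events in the same layout the report uses, flags a ServiceDll that points outside System32/SysWOW64 or lacks a .dll extension, and flags any per-user mscfile\shell\open\command handler. The events are embedded inline; the first two are the ones recorded above, the Dnscache line is a constructed benign control, %SystemRoot% is assumed to expand to C:\Windows, and the names Finding, scan_registry_events and normalize_path are this example's own.

```python
import re
from typing import List, NamedTuple

# Registry "Set value" events in the layout used by the report above:
#   Set value (<type>) <key> = "<data>" <process>
# The first two lines are the events recorded for this sample; the third is a
# constructed benign control (a real svchost-hosted service DLL path).
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\SystemFile" wserver.exe
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\wserver.exe" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll" services.exe
'''

EVENT_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')

# Assumption: %SystemRoot% is C:\Windows (true for the sandbox image; adjust per host).
SYSTEM_ROOT = "c:\\windows"
# Directories a svchost-hosted service DLL is normally loaded from.
TRUSTED_DLL_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")
# Hive prefixes that denote a per-user (HKCU) Classes key.
USER_HIVE_PREFIXES = ("\\registry\\user\\", "hkcu\\", "hkey_current_user\\")


class Finding(NamedTuple):
    rule: str
    key: str
    data: str
    process: str
    reason: str


def normalize_path(data: str) -> str:
    """Undo the report's backslash escaping, lower-case, expand %SystemRoot%."""
    path = data.replace("\\\\", "\\").lower()
    return path.replace("%systemroot%", SYSTEM_ROOT)


def scan_registry_events(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a Set value event; key create/delete lines are ignored here
        _vtype, key, data, proc = m.groups()
        key_l = key.lower()

        if key_l.endswith("\\parameters\\servicedll"):
            path = normalize_path(data)
            reasons = []
            if not path.startswith(TRUSTED_DLL_DIRS):
                reasons.append("ServiceDll outside System32/SysWOW64")
            if not path.endswith(".dll"):
                reasons.append("ServiceDll has no .dll extension")
            if reasons:
                findings.append(Finding("servicedll_persistence", key, data, proc, "; ".join(reasons)))

        elif "\\mscfile\\shell\\open\\command" in key_l and key_l.startswith(USER_HIVE_PREFIXES):
            # A per-user mscfile handler shadows the HKLM default for this user only,
            # which is what the CompMgmtLauncher.exe/eventvwr.exe UAC bypasses rely on.
            findings.append(Finding("mscfile_handler_hijack", key, data, proc,
                                    "per-user mscfile open handler set; .msc launchers will run it"))
    return findings


if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.key} = {f.data}  ({f.reason})")
```

On a live host the same two checks can be run over an export of HKLM\SYSTEM\CurrentControlSet\Services and HKCU\Software\Classes; the extension check matters here because the sample's value has none, so a rule that only looks for "*.dll outside System32" would miss it.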
Processes
(indentation shows parent/child; each entry gives the image path and PID, then the command line and the signatures that hit on it)

C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe  PID 1728
  cmdline: "C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  PID 2072
    cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  PID 3052
      cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  PID 2740
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\CompMgmtLauncher.exe  PID 2756
          cmdline: C:\Windows\system32\CompMgmtLauncher.exe
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe  PID 2664
            cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\wserver.exe  PID 2896
              cmdline: C:\Users\Admin\AppData\Local\Temp\wserver.exe
              - Sets DLL path for service in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious behavior: CmdExeWriteProcessMemorySpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe  PID 2584
                cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\PING.EXE  PID 2728
                  cmdline: ping 127.0.0.1
                  - Runs ping.exe
  C:\Windows\SysWOW64\cmd.exe  PID 2876
    cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  PID 1816
      cmdline: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\ctfmon.exe  PID 2408
  cmdline: ctfmon.exe

C:\Windows\SysWOW64\svchost.exe  PID 2572
  cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe  PID 2812
    cmdline: C:\Windows\SysWOW64\svchost.exe Nwsapagent 2572

C:\Windows\SysWOW64\svchost.exe  PID 2600
  cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe  PID 2260
    cmdline: C:\Windows\SysWOW64\svchost.exe Nwsapagent 2600
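The process tree shows three process-level patterns worth a detection rule: an auto-elevating .msc launcher (CompMgmtLauncher.exe) spawning something other than mmc.exe; cmd.exe running a .bat from the user's Temp directory that calls ping 127.0.0.1, the usual batch-file sleep before a file is replaced or deleted (seen here under both writeservice.bat and delself.bat); and rundll32.exe loading a DLL from ProgramData by export name. The Python below is an added example written for this report, not tria.ge code: it evaluates those three rules over process-creation records reconstructed from the tree (pid, parent pid, image, command line), plus a constructed benign control in which CompMgmtLauncher.exe hands compmgmt.msc to mmc.exe as it normally does. The Proc, EVENTS and detect_process_events names are this example's own, and eventvwr.exe is listed beside CompMgmtLauncher.exe because it opens its .msc through the same mscfile handler, which generalizes beyond what this report shows.

```python
from typing import List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation records reconstructed from the report's process tree. The last
# two entries are a constructed benign control (not from the report).
EVENTS: List[Proc] = [
    Proc(1728, 0, r"C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"'),
    Proc(2072, 1728, r"C:\Windows\SysWOW64\rundll32.exe",
         r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]'),
    Proc(3052, 2072, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe"),
    Proc(2740, 3052, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe"),
    Proc(2756, 2740, r"C:\Windows\system32\CompMgmtLauncher.exe", r"C:\Windows\system32\CompMgmtLauncher.exe"),
    Proc(2664, 2756, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe'),
    Proc(2896, 2664, r"C:\Users\Admin\AppData\Local\Temp\wserver.exe", r"C:\Users\Admin\AppData\Local\Temp\wserver.exe"),
    Proc(2584, 2896, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"'),
    Proc(2728, 2584, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
    Proc(2876, 1728, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"'),
    Proc(1816, 2876, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
    # constructed benign control: the launcher's normal child is mmc.exe
    Proc(4100, 4000, r"C:\Windows\system32\CompMgmtLauncher.exe", r"C:\Windows\system32\CompMgmtLauncher.exe"),
    Proc(4101, 4100, r"C:\Windows\system32\mmc.exe", r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc"'),
]

# Auto-elevating binaries that open an .msc through the mscfile shell handler.
MSC_LAUNCHERS = {"compmgmtlauncher.exe", "eventvwr.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_events(events: List[Proc]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every record that matches one of the three rules."""
    by_pid = {p.pid: p for p in events}
    findings: List[Tuple[str, int, str]] = []
    for p in events:
        parent = by_pid.get(p.ppid)
        name = basename(p.image)
        pname = basename(parent.image) if parent else ""

        # Rule 1: .msc launcher whose child is not mmc.exe -> the mscfile handler was hijacked.
        if pname in MSC_LAUNCHERS and name != "mmc.exe":
            findings.append(("msc_launcher_hijack", p.pid, f"{pname} (pid {p.ppid}) spawned {name}: {p.cmdline}"))

        # Rule 2: ping to localhost from cmd.exe running a .bat in a user Temp dir (sleep idiom).
        if name == "ping.exe" and "127.0.0.1" in p.cmdline and pname == "cmd.exe":
            pcmd = parent.cmdline.lower()
            if ".bat" in pcmd and "\\appdata\\local\\temp\\" in pcmd:
                findings.append(("temp_batch_ping_delay", p.pid, f"cmd.exe (pid {p.ppid}) ran {parent.cmdline}"))

        # Rule 3: rundll32 told to load a DLL from ProgramData by export name.
        if name == "rundll32.exe" and "\\programdata\\" in p.cmdline.lower():
            findings.append(("rundll32_programdata_dll", p.pid, p.cmdline))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect_process_events(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Rule 1 is the high-confidence one: on an unmodified host the only child of CompMgmtLauncher.exe or eventvwr.exe is mmc.exe, so any other child is a hijacked handler regardless of what the payload is called. Rules 2 and 3 are noisier on their own and are best used to add context once rule 1 or the registry findings fire.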
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 212KB
  MD5: fff3c03e6c455eaba70ec816a4439b95
  SHA1: e102a2ff536d2df93ec9c507e52c04bba773b550
  SHA256: 9969fc3043ed2917b76b6dbae36bd2e0846b90e9d93df4fc4f490fdf153da435
  SHA512: c07edbc760e769dc0dc6adcd83f2b9b7fa3e845286f19dfbfe8bb8df56bbdbc8b4e5f0e794834d3ecfcf37ea7de8011f86d9153dfec6603f2fa4fc0d5c1414d9
File 2
  Filesize: 261KB
  MD5: ae755e20cd3a6f2721096736c5c3aed5
  SHA1: 53ab54c2c3ea3d6921fa2bf5fde69255dc41fbed
  SHA256: 1687af091d38108eeed634c0539b9639c6128aed9588a370f51a957bee534f39
  SHA512: 73b68961457b2525a4703ea8486f37d4beabdb4f85c65971cfa953e0a3dd36724811a12a933b291b34f11a5d8b4cb11d4af3747e2506c345ab81bcae3fb8f810
File 3
  Filesize: 2KB
  MD5: 12547deaeccf3c2089669889787a3fe8
  SHA1: 7ad71ad103d41f596c934c8b7be39561a9f908d9
  SHA256: e935dd62556538f08b020d5b2246702f08fd08880a99704466b9a852c23d073a
  SHA512: a0c416efe352fc704491ea2d82334155b1b79449857baf72edfb8e7a36730b571c17e38f4ac9815a413b2add2dcdcc58ebfe9aa0df51cc18b28c07b93e1f2f9a
File 4
  Filesize: 299B
  MD5: 13aaf8bf3813fac2b81c80abf3302911
  SHA1: fd8f5360af4ca87da0f09558b9c09b04adcf6141
  SHA256: 5ec581b64d2091415e6e3a6e0bb846e634a7f83918a965ef129dfb97bf210e9f
  SHA512: dab8bd87a22cb4397c0196d05a97783fc7b442faa5d485dbdce0d02f6496a2f3e1147897019f5cfc185f8c0a413a667508ddc6cc02863c65800bf3a201ab6e40
File 5
  Filesize: 226B
  MD5: aff6285257f73b114174b04102c04735
  SHA1: 9e4a561dd7c8b8161a2720e375fc99ab02fc1b9b
  SHA256: 0ce4e59a2763ae7a92bd0e13d8716bf550085f0ac9f4cec0702a9c0ce30c03a3
  SHA512: 0c612f4cebcc0c319dc46e31111a78bde9a6a8d6700c6066bec679f8fa1cc813d819b8dc26de7a1f7f6a3407c73999814798c12c2e3507d9350686eeea48fada
File 6
  Filesize: 36KB
  MD5: 18ea3d4c9639a696b96e49f53af2b161
  SHA1: 5c1d4af865b4d514340d6a2dbb42523a142ab5d8
  SHA256: 690f5bd392269d80061e8e90a9aedac4f9bb2e898db4211b76a6e27a1ed95462
  SHA512: fd6d79a533cb3fe255053e962fac882864be708b19b1c8922652e2bef4eda01ef209220ab06503adbbca047b833fb50ffac8fb66e490ce93e42d34cb9e51a892
File 7
  Filesize: 56KB
  MD5: 89de9c0ce214d2e437e2ce6d266ab100
  SHA1: cebabb80844c823df4539f4db29d7bca27e1f50a
  SHA256: 7bd1016b5f3a5004166de5cf7f1846024684979de413417d83321c931c1b5929
  SHA512: ed8ad8bb8b4e065fb890acf0dadaa494a2f03b8c76dca17c15141cfa9129fdd63b5f3e099195c806ef37c1f55ff5b8b82728c44b165bc06bdc270e3fdba8eeed