Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/06/2024, 21:19
Static task: static1

Behavioral task: behavioral1
  Sample: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
Size: 748KB
MD5: 964be19e477b57d85aceb7648e2c105d
SHA1: 6c8ab56853218f28ac11c16b050ad589ea14bafe
SHA256: 9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d
SHA512: 60379f9bf7f4e59f81f95898d1b0c10ea82abd306dbdf4dfef921e873bf4c3d2c4914d498efa16d60c52171a1802099c3c61289a12c64f13ea9457cd807ce4ca
SSDEEP: 12288:0EI6h2sJXCB1joFX4HcTHQPviK5qXOlL29huNghWdLzqCTz0MDNhmku02k//m1:0EPXCzoXPQR5qXfDsghWxnTz0eNhFn2c
Malware Config
Signatures

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\SystemFile" (wserver.exe)

Executes dropped EXE (1 IoC)
- PID 3032 wserver.exe

Loads dropped DLL (3 IoCs)
- PID 4564 rundll32.exe
- PID 3580 svchost.exe
- PID 2416 svchost.exe

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\SystemFile (wserver.exe)
- File opened for modification: C:\Windows\SystemFile (wserver.exe)
- File created: C:\Windows\SystemFile.dll (wserver.exe)
- File opened for modification: C:\Windows\SystemFile.dll (wserver.exe)

Modifies registry class (8 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell (rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell\open (rundll32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\wserver.exe" (rundll32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (CompMgmtLauncher.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (CompMgmtLauncher.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell\open\command (rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell\open\command (rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile (rundll32.exe)

Runs ping.exe (1 TTP, 2 IoCs)
- PID 3468 PING.EXE
- PID 1168 PING.EXE

Suspicious behavior: EnumeratesProcesses (38 IoCs)
- PID 2004 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe (34 events)
- PID 3580 svchost.exe (2 events)
- PID 2416 svchost.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 3032 wserver.exe
- Token: SeDebugPrivilege, PID 3580 svchost.exe
- Token: SeDebugPrivilege, PID 2416 svchost.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2004 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe (2 events)
- PID 4564 rundll32.exe (2 events)

Suspicious use of WriteProcessMemory (34 IoCs; source PID and image, target PID, sandbox procid_target, event count)
- PID 2004 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe wrote to memory of PID 4564 (procid_target 84), 3 events
- PID 4564 rundll32.exe wrote to memory of PID 3152 (procid_target 85), 2 events
- PID 3152 cmd.exe wrote to memory of PID 672 (procid_target 87), 2 events
- PID 672 cmd.exe wrote to memory of PID 3080 (procid_target 88), 2 events
- PID 3080 CompMgmtLauncher.exe wrote to memory of PID 4728 (procid_target 89), 2 events
- PID 4728 cmd.exe wrote to memory of PID 3032 (procid_target 91), 3 events
- PID 3032 wserver.exe wrote to memory of PID 1740 (procid_target 93), 3 events
- PID 3580 svchost.exe wrote to memory of PID 4156 (procid_target 94), 4 events
- PID 2416 svchost.exe wrote to memory of PID 3260 (procid_target 96), 4 events
- PID 1740 cmd.exe wrote to memory of PID 3468 (procid_target 97), 3 events
- PID 2004 964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe wrote to memory of PID 4868 (procid_target 105), 3 events
- PID 4868 cmd.exe wrote to memory of PID 1168 (procid_target 107), 3 events
Processes

C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe (PID 2004)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4564)
    cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 3152)
      cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 672)
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\CompMgmtLauncher.exe (PID 3080)
          cmdline: C:\Windows\system32\CompMgmtLauncher.exe
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe (PID 4728)
            cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\wserver.exe (PID 3032)
              cmdline: C:\Users\Admin\AppData\Local\Temp\wserver.exe
              - Sets DLL path for service in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe (PID 1740)
                cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\PING.EXE (PID 3468)
                  cmdline: ping 127.0.0.1
                  - Runs ping.exe
  C:\Windows\SysWOW64\cmd.exe (PID 4868)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1168)
      cmdline: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\SysWOW64\svchost.exe (PID 3580)
  cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 4156)
    cmdline: C:\Windows\SysWOW64\svchost.exe Nwsapagent 3580

C:\Windows\SysWOW64\svchost.exe (PID 2416)
  cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 3260)
    cmdline: C:\Windows\SysWOW64\svchost.exe Nwsapagent 2416
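Two registry writes in this report are the ones worth alerting on: the ServiceDll for the Nwsapagent service pointing at C:\Windows\SystemFile (a service DLL in a netsvcs group is loaded into svchost.exe -k netsvcs, which is why both svchost instances above carry "Loads dropped DLL"), and the per-user mscfile\shell\open\command handler that rundll32.exe writes just before the auto-elevating CompMgmtLauncher.exe is launched, which matches the documented mscfile handler UAC-bypass pattern (ATT&CK T1548.002). The following is an added example, not tria.ge code and not anything from the sample: it runs those two checks over registry events constructed from the report's own IoCs plus one constructed benign ServiceDll row. The functions servicedll_findings, mscfile_hijacks and analyze and the System32 allowlist are this example's own assumptions.

```python
r"""Flag a service ServiceDll outside System32 and any write to the per-user
mscfile\shell\open\command handler, using registry events in the format the
sandbox prints them. Added example, not tria.ge code."""
import re

# Constructed from the report's Signatures section: (operation, ioc, writing process).
# Raw strings, because the sandbox doubles backslashes inside quoted values.
REGISTRY_EVENTS = [
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\SystemFile"',
     "wserver.exe"),
    ("Key created",
     r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell",
     "rundll32.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\mscfile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\wserver.exe"',
     "rundll32.exe"),
    # Constructed control row (not from the report): a legitimate netsvcs DLL under System32.
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\Parameters\ServiceDll = "%SystemRoot%\\System32\\schedsvc.dll"',
     "services.exe"),
]

SERVICEDLL_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<svc>[^\\]+)'
    r'\\Parameters\\ServiceDll\s*=\s*"(?P<dll>[^"]*)"$', re.IGNORECASE)
MSCFILE_CMD_RE = re.compile(
    r'^\\REGISTRY\\USER\\[^\\]+_Classes\\mscfile\\shell\\open\\command\\?'
    r'\s*=\s*"(?P<cmd>[^"]*)"$', re.IGNORECASE)

# Assumption: a DLL hosted by svchost is expected to live under System32.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def unescape(value):
    """Collapse the doubled backslashes the sandbox uses inside quoted values."""
    return value.replace("\\\\", "\\")


def servicedll_findings(events):
    """ServiceDll writes whose target is outside System32 or is not a .dll file."""
    findings = []
    for _op, ioc, proc in events:
        m = SERVICEDLL_RE.match(ioc)
        if not m:
            continue
        dll = unescape(m.group("dll"))
        low = dll.lower()
        if not low.startswith(TRUSTED_DLL_PREFIXES) or not low.endswith(".dll"):
            findings.append({"service": m.group("svc"), "dll": dll, "process": proc})
    return findings


def mscfile_hijacks(events):
    """Commands written to the per-user mscfile open handler. Any value here is
    suspect: it is consulted by mmc when CompMgmtLauncher.exe opens its .msc."""
    hits = []
    for _op, ioc, proc in events:
        m = MSCFILE_CMD_RE.match(ioc)
        if m:
            hits.append({"command": unescape(m.group("cmd")), "process": proc})
    return hits


def analyze(events):
    """Both findings plus a count of every touch of the mscfile class key,
    since key creation precedes the value write and is itself a signal."""
    return {
        "service_dll": servicedll_findings(events),
        "mscfile_hijack": mscfile_hijacks(events),
        "mscfile_key_ops": sum(1 for _op, ioc, _p in events
                               if "_classes\\mscfile\\" in ioc.lower()),
    }


if __name__ == "__main__":
    for section, items in analyze(REGISTRY_EVENTS).items():
        print(section, items)
```

On a live host the same two checks map to reading HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll and HKCU\Software\Classes\mscfile\shell\open\command; the allowlist only covers System32, so a 32-bit service DLL under SysWOW64 would need adding if that is expected in your environment.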
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 212KB
  MD5: fff3c03e6c455eaba70ec816a4439b95
  SHA1: e102a2ff536d2df93ec9c507e52c04bba773b550
  SHA256: 9969fc3043ed2917b76b6dbae36bd2e0846b90e9d93df4fc4f490fdf153da435
  SHA512: c07edbc760e769dc0dc6adcd83f2b9b7fa3e845286f19dfbfe8bb8df56bbdbc8b4e5f0e794834d3ecfcf37ea7de8011f86d9153dfec6603f2fa4fc0d5c1414d9

- Filesize: 261KB
  MD5: ae755e20cd3a6f2721096736c5c3aed5
  SHA1: 53ab54c2c3ea3d6921fa2bf5fde69255dc41fbed
  SHA256: 1687af091d38108eeed634c0539b9639c6128aed9588a370f51a957bee534f39
  SHA512: 73b68961457b2525a4703ea8486f37d4beabdb4f85c65971cfa953e0a3dd36724811a12a933b291b34f11a5d8b4cb11d4af3747e2506c345ab81bcae3fb8f810

- Filesize: 2KB
  MD5: 12547deaeccf3c2089669889787a3fe8
  SHA1: 7ad71ad103d41f596c934c8b7be39561a9f908d9
  SHA256: e935dd62556538f08b020d5b2246702f08fd08880a99704466b9a852c23d073a
  SHA512: a0c416efe352fc704491ea2d82334155b1b79449857baf72edfb8e7a36730b571c17e38f4ac9815a413b2add2dcdcc58ebfe9aa0df51cc18b28c07b93e1f2f9a

- Filesize: 299B
  MD5: 13aaf8bf3813fac2b81c80abf3302911
  SHA1: fd8f5360af4ca87da0f09558b9c09b04adcf6141
  SHA256: 5ec581b64d2091415e6e3a6e0bb846e634a7f83918a965ef129dfb97bf210e9f
  SHA512: dab8bd87a22cb4397c0196d05a97783fc7b442faa5d485dbdce0d02f6496a2f3e1147897019f5cfc185f8c0a413a667508ddc6cc02863c65800bf3a201ab6e40

- Filesize: 226B
  MD5: aff6285257f73b114174b04102c04735
  SHA1: 9e4a561dd7c8b8161a2720e375fc99ab02fc1b9b
  SHA256: 0ce4e59a2763ae7a92bd0e13d8716bf550085f0ac9f4cec0702a9c0ce30c03a3
  SHA512: 0c612f4cebcc0c319dc46e31111a78bde9a6a8d6700c6066bec679f8fa1cc813d819b8dc26de7a1f7f6a3407c73999814798c12c2e3507d9350686eeea48fada

- Filesize: 36KB
  MD5: 18ea3d4c9639a696b96e49f53af2b161
  SHA1: 5c1d4af865b4d514340d6a2dbb42523a142ab5d8
  SHA256: 690f5bd392269d80061e8e90a9aedac4f9bb2e898db4211b76a6e27a1ed95462
  SHA512: fd6d79a533cb3fe255053e962fac882864be708b19b1c8922652e2bef4eda01ef209220ab06503adbbca047b833fb50ffac8fb66e490ce93e42d34cb9e51a892

- Filesize: 56KB
  MD5: 89de9c0ce214d2e437e2ce6d266ab100
  SHA1: cebabb80844c823df4539f4db29d7bca27e1f50a
  SHA256: 7bd1016b5f3a5004166de5cf7f1846024684979de413417d83321c931c1b5929
  SHA512: ed8ad8bb8b4e065fb890acf0dadaa494a2f03b8c76dca17c15141cfa9129fdd63b5f3e099195c806ef37c1f55ff5b8b82728c44b165bc06bdc270e3fdba8eeed