Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
39ca789eb45...18.exe
windows7-x64
79ca789eb45...18.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDIR/nsURL.dll
windows7-x64
3$PLUGINSDIR/nsURL.dll
windows10-2004-x64
3$PLUGINSDI...nz.dll
windows7-x64
3$PLUGINSDI...nz.dll
windows10-2004-x64
3$PROGRAMFI...6_.exe
windows7-x64
3$PROGRAMFI...6_.exe
windows10-2004-x64
3$PROGRAMFI...32.dll
windows7-x64
1$PROGRAMFI...32.dll
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
11/06/2024, 01:58
Static task
static1
Behavioral task
behavioral1
Sample
9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsURL.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsURL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsisunz.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsisunz.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PROGRAMFILES/$_120_/$PROGRAMFILES/$_120_/$_96_.exe
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
$PROGRAMFILES/$_120_/$PROGRAMFILES/$_120_/$_96_.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
$PROGRAMFILES/$_120_/Interop.Shell32.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PROGRAMFILES/$_120_/Interop.Shell32.dll
Resource
win10v2004-20240508-en
General
-
Target
9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe
-
Size
237KB
-
MD5
9ca789eb45bba46293bb8c8b58d099a1
-
SHA1
161f12c9fb7345990d56b6656d8d7b7d622a3a3b
-
SHA256
7f8ee260f5a6650c42992b658403c6db98fac6d3e552da6bef23a6a691e4bb9e
-
SHA512
eeb248726b9b952e47a52636c47b8b7977139277569e090f96dc6c90e5b372ee5883ecb0b0dba2720e08cc797a4830e383b246f7b0e59ce811052d8505246795
-
SSDEEP
6144:8e344i5MiJfhocE7dQdD3Gsbb9EqkMMiJfIocE7dUXCu:7+poSdasbhHQoECu
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid Process 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2144 WMIC.exe Token: SeSecurityPrivilege 2144 WMIC.exe Token: SeTakeOwnershipPrivilege 2144 WMIC.exe Token: SeLoadDriverPrivilege 2144 WMIC.exe Token: SeSystemProfilePrivilege 2144 WMIC.exe Token: SeSystemtimePrivilege 2144 WMIC.exe Token: SeProfSingleProcessPrivilege 2144 WMIC.exe Token: SeIncBasePriorityPrivilege 2144 WMIC.exe Token: SeCreatePagefilePrivilege 2144 WMIC.exe Token: SeBackupPrivilege 2144 WMIC.exe Token: SeRestorePrivilege 2144 WMIC.exe Token: SeShutdownPrivilege 2144 WMIC.exe Token: SeDebugPrivilege 2144 WMIC.exe Token: SeSystemEnvironmentPrivilege 2144 WMIC.exe Token: SeRemoteShutdownPrivilege 2144 WMIC.exe Token: SeUndockPrivilege 2144 WMIC.exe Token: SeManageVolumePrivilege 2144 WMIC.exe Token: 33 2144 WMIC.exe Token: 34 2144 WMIC.exe Token: 35 2144 WMIC.exe Token: SeIncreaseQuotaPrivilege 2144 WMIC.exe Token: SeSecurityPrivilege 2144 WMIC.exe Token: SeTakeOwnershipPrivilege 2144 WMIC.exe Token: SeLoadDriverPrivilege 2144 WMIC.exe Token: SeSystemProfilePrivilege 2144 WMIC.exe Token: SeSystemtimePrivilege 2144 WMIC.exe Token: SeProfSingleProcessPrivilege 2144 WMIC.exe Token: SeIncBasePriorityPrivilege 2144 WMIC.exe Token: SeCreatePagefilePrivilege 2144 WMIC.exe Token: SeBackupPrivilege 2144 WMIC.exe Token: SeRestorePrivilege 2144 WMIC.exe Token: SeShutdownPrivilege 2144 WMIC.exe Token: SeDebugPrivilege 2144 WMIC.exe Token: SeSystemEnvironmentPrivilege 2144 WMIC.exe Token: SeRemoteShutdownPrivilege 2144 WMIC.exe Token: SeUndockPrivilege 2144 WMIC.exe Token: SeManageVolumePrivilege 2144 WMIC.exe Token: 33 2144 WMIC.exe Token: 34 2144 WMIC.exe Token: 35 2144 WMIC.exe Token: SeIncreaseQuotaPrivilege 2724 WMIC.exe Token: SeSecurityPrivilege 2724 WMIC.exe Token: SeTakeOwnershipPrivilege 2724 WMIC.exe Token: SeLoadDriverPrivilege 2724 WMIC.exe Token: SeSystemProfilePrivilege 2724 WMIC.exe Token: SeSystemtimePrivilege 2724 WMIC.exe Token: SeProfSingleProcessPrivilege 2724 WMIC.exe Token: SeIncBasePriorityPrivilege 2724 WMIC.exe Token: SeCreatePagefilePrivilege 2724 WMIC.exe Token: SeBackupPrivilege 2724 WMIC.exe Token: SeRestorePrivilege 2724 WMIC.exe Token: SeShutdownPrivilege 2724 WMIC.exe Token: SeDebugPrivilege 2724 WMIC.exe Token: SeSystemEnvironmentPrivilege 2724 WMIC.exe Token: SeRemoteShutdownPrivilege 2724 WMIC.exe Token: SeUndockPrivilege 2724 WMIC.exe Token: SeManageVolumePrivilege 2724 WMIC.exe Token: 33 2724 WMIC.exe Token: 34 2724 WMIC.exe Token: 35 2724 WMIC.exe Token: SeIncreaseQuotaPrivilege 2724 WMIC.exe Token: SeSecurityPrivilege 2724 WMIC.exe Token: SeTakeOwnershipPrivilege 2724 WMIC.exe Token: SeLoadDriverPrivilege 2724 WMIC.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2144 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 28 PID 1904 wrote to memory of 2144 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 28 PID 1904 wrote to memory of 2144 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 28 PID 1904 wrote to memory of 2144 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 28 PID 1904 wrote to memory of 2724 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 31 PID 1904 wrote to memory of 2724 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 31 PID 1904 wrote to memory of 2724 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 31 PID 1904 wrote to memory of 2724 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 31 PID 1904 wrote to memory of 2820 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 33 PID 1904 wrote to memory of 2820 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 33 PID 1904 wrote to memory of 2820 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 33 PID 1904 wrote to memory of 2820 1904 9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9ca789eb45bba46293bb8c8b58d099a1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /namespace:\\root\cimv2 PATH Win32_BIOS Get Version, SerialNumber /FORMAT:textvaluelist.xsl2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /namespace:\\root\cimv2 PATH Win32_ComputerSystem Get Model, Manufacturer /FORMAT:textvaluelist.xsl2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct Get displayName /FORMAT:textvaluelist.xsl2⤵PID:2820
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
130KB
MD58cfcad073ee407ed9d347e66ede2b0e5
SHA18ff0e4acb5eaff7dcef517bbc06f5514ce037b3a
SHA25673be46ee304981b7e5f9ece3a0222b4c53717450b630a70c997d2d63bced9ac1
SHA512d86176791f0e5f7b047add20a7c9ce03ddc881819055cc6ae98d113707b89a19ca1f7637cf2a2cc6ffdaf794b673f13a6ac933212794e5ff6c32d28b18e360ca