Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28/06/2024, 08:30
Static task: static1
Behavioral task: behavioral1
- Sample: 1976187ba49108669682ffff927e417a_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1976187ba49108669682ffff927e417a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 1976187ba49108669682ffff927e417a_JaffaCakes118.dll
- Size: 3.7MB
- MD5: 1976187ba49108669682ffff927e417a
- SHA1: e75394263922f301ffb9f95621343877258771e1
- SHA256: 9d9259e092e2c0d04668acff35f7dba53ced1037e3389fb457967f50454e85dc
- SHA512: 0a270686db1897d8cb82dcb5eb824162264f5298cd6eb0fc386593566a206f9bc882d5a42efe27910b097735ff9dbf16a63eb6746d4795cf6566cc493c674275
- SSDEEP: 6144:CWqcbsqA/Yiaf9qRGDfTJd9WYXmHPocXz2v/64UgP1toJI:pbsqA/zc4RG5aYIFK64UgPvoS
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  Columns: description: ioc (Process)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" (rundll32.exe)
- Loads dropped DLL (1 IoCs)
  Columns: pid (Process)
  - 2220 (rundll32.exe)
- Drops file in System32 directory (2 IoCs)
  Columns: description: ioc (Process)
  - File opened for modification: C:\Windows\SysWOW64\ebxjeevp.dll (rundll32.exe)
  - File created: C:\Windows\SysWOW64\ebxjeevp.dll (rundll32.exe)
- Modifies registry class (7 IoCs)
  Columns: description: ioc (Process)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\ebxjeevp.dll" (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (rundll32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Columns: description, pid, Process, procid_target
  - PID 2248 wrote to memory of 2220, 2248, rundll32.exe, 28 (this event is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1976187ba49108669682ffff927e417a_JaffaCakes118.dll,#1
  PID: 2248
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1976187ba49108669682ffff927e417a_JaffaCakes118.dll,#1
    PID: 2220
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.8MB
  MD5: 667bf038e5b76d79be1300f1a73a2753
  SHA1: 1759d63594ba7504d63045bd882ae04ec88ca785
  SHA256: dbbbedd138db9e5e0339b77531b9caaa83215f0e1e05643ed6515f7a809b4209
  SHA512: cbcf7808d908f205c7960c15276139f40bb98d016aaa8cf95d320da01708bb672888cebffabfb364cd54ce5ff98cdd5917ac20cb79811187680cc9038713d65b