Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 130s
max time network: 130s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 28/06/2024, 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
Size: 659KB
MD5: 1a706d5383c7092d51ca8e7f12530649
SHA1: 4aa83450fdc8e594697ea541518949c2a04bb7b0
SHA256: 81d522b210d792d32e3d44735e3c7c39a57eae172f5520fa4b55ed1007efdea0
SHA512: 406626bb597e60325fcd168eeaca763b27cf7bd206ecf3cc2a253d54a80934d0b10616a3cb92fd67c91bfa04417ede23c07054f0d3a8d87f210cc5d958330cf4
SSDEEP: 12288:d5RdOR3PHKhGLxe0DA8PSTRK8AYHv1L8qKtZTln7NEakAR8+JU/w:H3OR3PHKux7DA8PMfrHUtZhnxEa9R8tY
Malware Config
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\f7605cb.dll" | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe

Deletes itself (1 IoCs)
  pid | Process
  2652 | cmd.exe

Loads dropped DLL (6 IoCs)
  pid | Process
  2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  2600 | svchost.exe
  2708 | rundll32.exe
  2708 | rundll32.exe
  2708 | rundll32.exe
  2708 | rundll32.exe

  resource | yara_rule
  behavioral1/memory/2708-27-0x0000000074760000-0x00000000748E9000-memory.dmp | vmprotect
  behavioral1/files/0x000500000000b309-26.dat | vmprotect
  behavioral1/memory/2600-18-0x0000000074760000-0x00000000748E9000-memory.dmp | vmprotect
  behavioral1/memory/2104-14-0x0000000074760000-0x00000000748E9000-memory.dmp | vmprotect

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\f7605cb.dll | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2708 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2104 wrote to memory of 2652 | 2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | 29
  PID 2104 wrote to memory of 2652 | 2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | 29
  PID 2104 wrote to memory of 2652 | 2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | 29
  PID 2104 wrote to memory of 2652 | 2104 | 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | 29
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
  PID 2600 wrote to memory of 2708 | 2600 | svchost.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe"
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2104
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1A706D~1.EXE" > nul
      - Deletes itself
      PID: 2652

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2600
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe c:\windows\system32\f7605cb.dll, Launch
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 371KB
MD5: e4060e2410ea64e00f85d83bfb137bfb
SHA1: f230ecb9b0d8bc88ec0f82ce74c80143b2e5458a
SHA256: fe30c3f8c5e47e7a9b51404357dd96281062f08ff6a2230f1edf5f807bd43c75
SHA512: 83a518435605bd7b7150539061dfb8b63da24cbc59c9d4db909120314e4eae24a0cb1e675b52c4567365f261d9bc6cda54a6a901b243d40b0f3238ad1e3175dd