Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 01:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll
- Resource: win10v2004-20240704-en
General
- Target: 2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll
- Size: 1.1MB
- MD5: 2e9406fe44340b2b104a334bf07cddf6
- SHA1: 63632dd3db89fff9962ff63676dfc6123cf80f54
- SHA256: 557f0d2bfccadefa4bc53d12eddbf0b791cb51adcc04869999fcd2bb0e1f10e3
- SHA512: ba0cdcee0e0a00c5eb51c231eb432a8924411b96978d5a6b157427ee15073264e9badf0ab4ca0297382a3e797c30ca1f6fc48f87d8b0a2652af044038e998643
- SSDEEP: 24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00E:SuNZ7Ib8ZBL2/Xj
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll"
  Process: regsvr32.exe
- Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\faa8fb871f.dll
  Process: svchost.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\faa8fb871f.dll
  Process: svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2708 wrote to memory of 2748
  pid: 2708
  Process: regsvr32.exe
  procid_target: 31
  (the same entry is reported 7 times)
Processes
- C:\Windows\system32\regsvr32.exe (PID: 2708)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID: 2748)
    command line: /s C:\Users\Admin\AppData\Local\Temp\2e9406fe44340b2b104a334bf07cddf6_JaffaCakes118.dll
    signatures: Server Software Component: Terminal Services DLL
- C:\Windows\SysWOW64\svchost.exe (PID: 2840)
  command line: C:\Windows\SysWOW64\svchost.exe -k dtcGep
  signatures: Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 114B
  MD5: d681025555fb00b34c9f5edfff15d7ce
  SHA1: ad2afa0091491cd26887b2a0d4dde41d7a031c37
  SHA256: 30d8b0b1d100dd62990b07888375e48dae779ac8aab9a504f642c4d58a1e1b36
  SHA512: 10b6b2844f901b0fcf4538dcf63a4412ed2770fb9609c49af069a4820bd22a76fd98d991d2d93da5b902a70287ac4b9609a53d145060120368ddbd1d348fa5a5