Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 10/07/2024, 21:37
Static task: static1
Behavioral task: behavioral1
  Sample: 367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll
Size: 12KB
MD5: 367ca5b03d61725c0d88ae4e7e340611
SHA1: ab621d31f54100f9c516299ef6217dbb17561fec
SHA256: 118cdf73d1a1f4ddeaecabc4f83669551600c6fed9ef53acc106108700459ba9
SHA512: 53f42cd8a8b840d9add29ed3f5609d77f76f46f3be1aab9b168b66115bb341784a0d1caaa7aa755540afb8719127b4c34dfda9bc32ca9c80cd2342140d640ca4
SSDEEP: 384:6+iiK3Zy0MRZTR5i/ofmY6i22pKCVEIDXefA:NK3Zy0L/QU2TmIDZ
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\msosmnsf00.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\msosmnsf00.dll | rundll32.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\win.ini | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2084 | rundll32.exe
  2084 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2084 | rundll32.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2316 wrote to memory of 2084 | 2316 | rundll32.exe | 30
  PID 2084 wrote to memory of 256 | 2084 | rundll32.exe | 1
  PID 2084 wrote to memory of 336 | 2084 | rundll32.exe | 2
  PID 2084 wrote to memory of 384 | 2084 | rundll32.exe | 3
  PID 2084 wrote to memory of 392 | 2084 | rundll32.exe | 4
  PID 2084 wrote to memory of 432 | 2084 | rundll32.exe | 5
  PID 2084 wrote to memory of 480 | 2084 | rundll32.exe | 6
  PID 2084 wrote to memory of 488 | 2084 | rundll32.exe | 7
  PID 2084 wrote to memory of 496 | 2084 | rundll32.exe | 8
  PID 2084 wrote to memory of 596 | 2084 | rundll32.exe | 9
  PID 2084 wrote to memory of 676 | 2084 | rundll32.exe | 10
  PID 2084 wrote to memory of 740 | 2084 | rundll32.exe | 11
  PID 2084 wrote to memory of 808 | 2084 | rundll32.exe | 12
  PID 2084 wrote to memory of 840 | 2084 | rundll32.exe | 13
  PID 2084 wrote to memory of 964 | 2084 | rundll32.exe | 15
  PID 2084 wrote to memory of 112 | 2084 | rundll32.exe | 16
  PID 2084 wrote to memory of 376 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 1068 | 2084 | rundll32.exe | 18
  PID 2084 wrote to memory of 1112 | 2084 | rundll32.exe | 19
  PID 2084 wrote to memory of 1160 | 2084 | rundll32.exe | 20
  PID 2084 wrote to memory of 1204 | 2084 | rundll32.exe | 21
  PID 2084 wrote to memory of 2040 | 2084 | rundll32.exe | 23
  PID 2084 wrote to memory of 1464 | 2084 | rundll32.exe | 24
  PID 2084 wrote to memory of 1660 | 2084 | rundll32.exe | 25
  PID 2084 wrote to memory of 2368 | 2084 | rundll32.exe | 26
  PID 2084 wrote to memory of 1156 | 2084 | rundll32.exe | 27
  PID 2084 wrote to memory of 2316 | 2084 | rundll32.exe | 29
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, the command line and the PID)

- C:\Windows\System32\smss.exe (PID 256)
  command line: \SystemRoot\System32\smss.exe
- C:\Windows\system32\csrss.exe (PID 336)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (PID 384)
  command line: wininit.exe
  - C:\Windows\system32\services.exe (PID 480)
    command line: C:\Windows\system32\services.exe
    - C:\Windows\system32\svchost.exe (PID 596)
      command line: C:\Windows\system32\svchost.exe -k DcomLaunch
      - C:\Windows\system32\DllHost.exe (PID 2040)
        command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 1660)
        command line: C:\Windows\system32\wbem\wmiprvse.exe
    - C:\Windows\system32\svchost.exe (PID 676)
      command line: C:\Windows\system32\svchost.exe -k RPCSS
    - C:\Windows\System32\svchost.exe (PID 740)
      command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - C:\Windows\System32\svchost.exe (PID 808)
      command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - C:\Windows\system32\Dwm.exe (PID 1160)
        command line: "C:\Windows\system32\Dwm.exe"
    - C:\Windows\system32\svchost.exe (PID 840)
      command line: C:\Windows\system32\svchost.exe -k netsvcs
    - C:\Windows\system32\svchost.exe (PID 964)
      command line: C:\Windows\system32\svchost.exe -k LocalService
    - C:\Windows\system32\svchost.exe (PID 112)
      command line: C:\Windows\system32\svchost.exe -k NetworkService
    - C:\Windows\System32\spoolsv.exe (PID 376)
      command line: C:\Windows\System32\spoolsv.exe
    - C:\Windows\system32\svchost.exe (PID 1068)
      command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - C:\Windows\system32\taskhost.exe (PID 1112)
      command line: "taskhost.exe"
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1464)
      command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    - C:\Windows\system32\svchost.exe (PID 2368)
      command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - C:\Windows\system32\sppsvc.exe (PID 1156)
      command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\lsass.exe (PID 488)
    command line: C:\Windows\system32\lsass.exe
  - C:\Windows\system32\lsm.exe (PID 496)
    command line: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe (PID 392)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\winlogon.exe (PID 432)
  command line: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1204)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 2316)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2084)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll,#1
      signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory