Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2024, 21:37

General

  • Target

    367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll

  • Size

    12KB

  • MD5

    367ca5b03d61725c0d88ae4e7e340611

  • SHA1

    ab621d31f54100f9c516299ef6217dbb17561fec

  • SHA256

    118cdf73d1a1f4ddeaecabc4f83669551600c6fed9ef53acc106108700459ba9

  • SHA512

    53f42cd8a8b840d9add29ed3f5609d77f76f46f3be1aab9b168b66115bb341784a0d1caaa7aa755540afb8719127b4c34dfda9bc32ca9c80cd2342140d640ca4

  • SSDEEP

    384:6+iiK3Zy0MRZTR5i/ofmY6i22pKCVEIDXefA:NK3Zy0L/QU2TmIDZ

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:336
      • C:\Windows\system32\wininit.exe
        wininit.exe
        1⤵
          PID:384
          • C:\Windows\system32\services.exe
            C:\Windows\system32\services.exe
            2⤵
              PID:480
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch
                3⤵
                  PID:596
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    4⤵
                      PID:2040
                    • C:\Windows\system32\wbem\wmiprvse.exe
                      C:\Windows\system32\wbem\wmiprvse.exe
                      4⤵
                        PID:1660
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k RPCSS
                      3⤵
                        PID:676
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                        3⤵
                          PID:740
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          3⤵
                            PID:808
                            • C:\Windows\system32\Dwm.exe
                              "C:\Windows\system32\Dwm.exe"
                              4⤵
                                PID:1160
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs
                              3⤵
                                PID:840
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService
                                3⤵
                                  PID:964
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService
                                  3⤵
                                    PID:112
                                  • C:\Windows\System32\spoolsv.exe
                                    C:\Windows\System32\spoolsv.exe
                                    3⤵
                                      PID:376
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                      3⤵
                                        PID:1068
                                      • C:\Windows\system32\taskhost.exe
                                        "taskhost.exe"
                                        3⤵
                                          PID:1112
                                        • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                          "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                          3⤵
                                            PID:1464
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                            3⤵
                                              PID:2368
                                            • C:\Windows\system32\sppsvc.exe
                                              C:\Windows\system32\sppsvc.exe
                                              3⤵
                                                PID:1156
                                            • C:\Windows\system32\lsass.exe
                                              C:\Windows\system32\lsass.exe
                                              2⤵
                                                PID:488
                                              • C:\Windows\system32\lsm.exe
                                                C:\Windows\system32\lsm.exe
                                                2⤵
                                                  PID:496
                                              • C:\Windows\system32\csrss.exe
                                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                1⤵
                                                  PID:392
                                                • C:\Windows\system32\winlogon.exe
                                                  winlogon.exe
                                                  1⤵
                                                    PID:432
                                                  • C:\Windows\Explorer.EXE
                                                    C:\Windows\Explorer.EXE
                                                    1⤵
                                                      PID:1204
                                                      • C:\Windows\system32\rundll32.exe
                                                        rundll32.exe C:\Users\Admin\AppData\Local\Temp\367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll,#1
                                                        2⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2316
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\367ca5b03d61725c0d88ae4e7e340611_JaffaCakes118.dll,#1
                                                          3⤵
                                                          • Drops file in System32 directory
                                                          • Drops file in Windows directory
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2084

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/256-5-0x0000000000110000-0x0000000000111000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/384-14-0x0000000000160000-0x0000000000161000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2084-2-0x000000001000E000-0x000000001000F000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2084-1-0x0000000010000000-0x0000000010028000-memory.dmp

                                                      Filesize

                                                      160KB

                                                    • memory/2084-0-0x0000000010000000-0x0000000010028000-memory.dmp

                                                      Filesize

                                                      160KB