Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: 34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
Size: 408KB
MD5: 34c7259db30d7a03d2e33ba8d7f915c6
SHA1: a54336f8ccc4fa0f74d46a25cd587dde8e40f18a
SHA256: f27d941a91c3c809a07aa6d3312a3ff98370ff2286ed9141ae71fab8a0b581c8
SHA512: a5ae1bc351aafdd24bb1b3e5c21b07128381b076f9bbb864e7106c3379969fbb107d8754e0e950f17eb81a4dc751c20eef7789d962e0c91c3ed0325404110526
SSDEEP: 6144:23e9whpxK+1bAo0xGvF2idZecnl20lHRxp3galk9ihl0/srEQpPK+e1FtEuxF+Uh:23Y+1MoZF3Z4mxx1oEtlK+kt9T2M7
Malware Config
Signatures
The dropped second-stage executable is named PC免费版.exe ("PC free edition"); the sandbox renders its GBK-encoded name as PCÃâ·Ñ°æ.exe because the bytes are shown as if they were Latin-1. The repaired name is used below.

Server Software Component: Terminal Services DLL (1 TTP, 3 IoCs)
The sandbox label is its generic name for ServiceDll tampering; the service actually hijacked here is WINS, not Terminal Services. PC免费版.exe repoints the WINS service host DLL to a dropped file in every control set present, so the hijack does not depend on which control set the machine boots with:
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"  (process: PC免费版.exe)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"  (process: PC免费版.exe)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"  (process: PC免费版.exe)
The DLL is subsequently loaded by the 32-bit service host C:\Windows\SysWOW64\svchost.exe -k WINS (PID 3020, see Processes).

Executes dropped EXE (1 IoC)
  PID 2772  PC免费版.exe

Loads dropped DLL (4 IoCs)
  PID 1732  34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe (two loads)
  PID 2772  PC免费版.exe
  PID 3020  svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe)
Caveat: a wextract_cleanup<n> RunOnce entry that calls advpack.dll,DelNodeRunDLL32 on an IXP00n.TMP directory is the standard cleanup that Windows' IExpress/wextract self-extracting packages register to delete their extraction folder at next logon. It tells you the outer sample is a wextract SFX wrapper; the actual persistence is the ServiceDll change above, not this key.

Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\0003d656.ini  (process: PC免费版.exe)
  File created  C:\Windows\SysWOW64\eefueh.dll  (process: PC免费版.exe)
The ServiceDll value names %SystemRoot%\System32, while the file lands in SysWOW64: the dropper is a 32-bit process, so WOW64 file-system redirection sends its System32 writes to SysWOW64, and the 32-bit svchost.exe that later hosts the service resolves the same path back to SysWOW64.

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3020  svchost.exe (three calls)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1732 (34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe) wrote to the memory of PID 2772 (PC免费版.exe), procid_target 30; the sandbox records four separate writes, consistent with the parent setting up the child it has just spawned.
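The three ServiceDll writes, the two file drops and the svchost.exe -k WINS launch are more useful together than as separate signature rows. The following Python is an added example by the editor, not code from tria.ge or from the sample: a small hunt that correlates ServiceDll registry writes with file drops by the same PID and with svchost group launches. The event dictionaries are constructed to mirror the report's rows (key paths, values and PIDs are copied from the report; the field layout is an assumption for this example, not tria.ge's export format), and the function names are the author's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events mirroring the signature rows of the report above.
# Key paths, values and PIDs are copied from the report; the dict layout is an
# assumption for this example, not tria.ge's export format.
SAMPLE_EVENTS = [
    {"type": "reg_set", "pid": 2772, "process": "PC免费版.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WINS\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\eefueh.dll"},
    {"type": "reg_set", "pid": 2772, "process": "PC免费版.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WINS\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\eefueh.dll"},
    {"type": "reg_set", "pid": 2772, "process": "PC免费版.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\WINS\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\eefueh.dll"},
    {"type": "file_create", "pid": 2772, "process": "PC免费版.exe",
     "path": r"C:\Windows\SysWOW64\eefueh.dll"},
    {"type": "file_create", "pid": 2772, "process": "PC免费版.exe",
     "path": r"C:\Windows\SysWOW64\0003d656.ini"},
    {"type": "reg_set", "pid": 1732, "process": "34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"type": "process_create", "pid": 3020, "process": "svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k WINS"},
]

# Services\<name>\Parameters\ServiceDll under any control set. Case-insensitive
# because the report itself mixes "services" and "Services".
SERVICEDLL_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$",
    re.IGNORECASE,
)


def basename(path):
    """Last component of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


@dataclass
class ServiceDllFinding:
    service: str
    dll: str
    writer: str
    writer_pid: int
    control_sets: set = field(default_factory=set)
    dll_dropped_by_writer: bool = False
    host_started: bool = False


def hunt_servicedll_hijack(events):
    """One finding per (service, DLL) ServiceDll write, correlated with file
    drops by the same PID and with svchost.exe -k <group> launches."""
    dropped = {}            # (pid, lower-cased basename) -> full path
    svchost_groups = set()  # lower-cased "-k" group names seen
    for ev in events:
        if ev["type"] == "file_create":
            dropped[(ev["pid"], basename(ev["path"]).lower())] = ev["path"]
        elif ev["type"] == "process_create":
            m = re.search(r"svchost\.exe\s+-k\s+(\S+)", ev["cmdline"], re.IGNORECASE)
            if m:
                svchost_groups.add(m.group(1).lower())

    findings = {}
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        m = SERVICEDLL_RE.search(ev["key"])
        if not m:
            continue
        control_set, service = m.group(1), m.group(2)
        key = (service.lower(), ev["value"].lower())
        f = findings.setdefault(key, ServiceDllFinding(
            service=service, dll=ev["value"], writer=ev["process"], writer_pid=ev["pid"]))
        f.control_sets.add(control_set)
        # The DLL named in the value was written to disk by the same PID.
        if (ev["pid"], basename(ev["value"]).lower()) in dropped:
            f.dll_dropped_by_writer = True
        # Heuristic: svchost group names are not required to equal service
        # names, so a matching "-k <service>" is a hint, not proof of loading.
        if service.lower() in svchost_groups:
            f.host_started = True
    return list(findings.values())


def describe(f):
    parts = [
        f"{f.writer} (PID {f.writer_pid}) set ServiceDll of service '{f.service}' to {f.dll}",
        f"in {len(f.control_sets)} control set(s): {', '.join(sorted(f.control_sets))}",
    ]
    if f.dll_dropped_by_writer:
        parts.append("the DLL was written to disk by the same process")
    if f.host_started:
        parts.append(f"a svchost.exe -k {f.service} host was observed")
    return "; ".join(parts)


if __name__ == "__main__":
    for finding in hunt_servicedll_hijack(SAMPLE_EVENTS):
        print(describe(finding))
```

Run against the constructed events it yields a single finding for WINS covering all three control sets, with both correlation flags set; the RunOnce wextract_cleanup0 write is correctly ignored because it is not a ServiceDll key. On a real host the same logic applies to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) records once they are mapped into this event shape.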
Processes
(PC免费版.exe is shown by the sandbox as PCÃâ·Ñ°æ.exe; see Signatures.)

C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe  (depth 1, PID 1732)
  command line: "C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PC免费版.exe  (depth 2, PID 2772)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PC免费版.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

C:\Windows\SysWOW64\svchost.exe  (depth 1, PID 3020)
  command line: C:\Windows\SysWOW64\svchost.exe -k WINS
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 59KB
  MD5: e02d478a305449ed4280b0b6d2d402dd
  SHA1: 9d7e580d64271d4a3c3e8ab4ca27f02da2ab8700
  SHA256: 224d0b1a071c19ce46a50ca11f53b44fa7023621903b7ba71edb3acbf49ed510
  SHA512: f786c638b16a7edc3d0894a1961ad2e04e1af59acc0913e9c2df198915e645e07ecc3818b5fbf11aad8321d3fc109b542a21355cbf5225946716313eb120fc69
File 2
  Filesize: 89KB
  MD5: 7f8fdac62c2de4ab0f70a6d598a0afee
  SHA1: 0b4e6377efb0ca17279bd16e78dd85cd266da8f0
  SHA256: ad4cc4817d1f5a9a049cb13d49a87d427df5762791223eebecb1a4a365af29d1
  SHA512: a0e0686e55c1230d6241d04876bb4c2ba33ed033893008cc9e6e404e7d2999d8964c8c434502005f9413938e9c092aefec41666faa587ae9eff45c81688f73c1