Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    14/07/2024, 00:22

General

  • Target

    43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll

  • Size

    26KB

  • MD5

    43ca2194f85560b30bca3d1b0c82311d

  • SHA1

    75727561171f5cb420692081a79fb79a973e1267

  • SHA256

    8cdb9fb9370b435f3e3c0d7ad49b02794b9aec62cf3713c16e309eb11f3f8d9f

  • SHA512

    a02b166686e76c16d3241ba6a48918f15d56737dfddc707ea630ede117b8ba96be45d7c791985e1a7aa9df78552b8a8cd0f50007a13d23e75f558f470eeb04b7

  • SSDEEP

    768:jAObw06ClYt6xMgR9YqOwfdGDI5aYFp5vciq:K1ClYtzQhciq

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Drivers directory
      • Server Software Component: Terminal Services DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 260
        3⤵
        • Program crash
        PID:2360
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\drivers\MgicRc.sys

    Filesize

    2KB

    MD5

    058bf2e0728e3d36308bf49ca10b9072

    SHA1

    ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

    SHA256

    9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

    SHA512

    e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

  • \??\c:\windows\SysWOW64\winfastuserswitchingcompatibilityex.dll

    Filesize

    26KB

    MD5

    43ca2194f85560b30bca3d1b0c82311d

    SHA1

    75727561171f5cb420692081a79fb79a973e1267

    SHA256

    8cdb9fb9370b435f3e3c0d7ad49b02794b9aec62cf3713c16e309eb11f3f8d9f

    SHA512

    a02b166686e76c16d3241ba6a48918f15d56737dfddc707ea630ede117b8ba96be45d7c791985e1a7aa9df78552b8a8cd0f50007a13d23e75f558f470eeb04b7
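
Reading the report as a chain: the x64 rundll32 (PID 2368) re-launches the DLL through the SysWOW64 rundll32 (PID 2416), which is what rundll32 does for a 32-bit DLL on 64-bit Windows; that process writes a driver, MgicRc.sys, under SysWOW64\drivers and a DLL named winfastuserswitchingcompatibilityex.dll into SysWOW64. The dropped DLL has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-identical copy under a benign-looking name. A netsvcs service host (svchost.exe -k netsvcs, PID 2080) then loads that copy, which is what the "Loads dropped DLL" and "Server Software Component: Terminal Services DLL" (ATT&CK T1505.005) signatures are reporting. The script below is an added example and not part of the Triage report: it runs detection logic for exactly that chain over a constructed Sysmon-style event stream built from the process tree and dropped-file list above. The events, the Event structure and the rule names are constructed for the example; which of the two flagged processes wrote MgicRc.sys is an assumption, since the report attributes driver drops to both rundll32 (2416) and svchost (2080).

```python
"""Added example (not from the Triage report): correlate a constructed
Sysmon-style event stream against the drop-then-load chain shown above.

Event IDs follow Sysmon numbering: 1 = ProcessCreate, 7 = ImageLoad,
11 = FileCreate. SAMPLE_EVENTS is constructed from the report; the process
that writes MgicRc.sys is an assumption (see lead-in).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable
import ntpath


@dataclass(frozen=True)
class Event:
    event_id: int            # 1 ProcessCreate, 7 ImageLoad, 11 FileCreate
    pid: int
    image: str               # image path of the acting process
    command_line: str = ""   # only populated on ProcessCreate, as in Sysmon
    target: str = ""         # FileCreate: path written; ImageLoad: module loaded


# Directories a user-launched rundll32 has no business writing into.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
DRIVER_DIRS = tuple(d + "drivers\\" for d in SYSTEM_DIRS)


def norm_path(path: str) -> str:
    """Lower-case, strip the NT object prefix (\\??\\) and the drive letter so
    'C:\\Windows\\SysWOW64\\x.dll' and '\\??\\c:\\windows\\SysWOW64\\x.dll'
    (the two spellings in the report) compare equal."""
    p = path.lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) > 2 and p[1:3] == ":\\":
        p = p[2:]
    return p


def detect(events: Iterable[Event]) -> list[dict]:
    """Flag driver drops, rundll32 writing into System32/SysWOW64, and any
    process (netsvcs host or not) loading a module written earlier in the
    same stream. Pre-existing modules such as the real termsrv.dll never fire."""
    procs: dict[int, Event] = {}     # pid -> ProcessCreate, for command lines
    dropped: dict[str, Event] = {}   # normalised path -> FileCreate that wrote it
    findings: list[dict] = []
    for ev in events:
        if ev.event_id == 1:
            procs[ev.pid] = ev
        elif ev.event_id == 11:
            path = norm_path(ev.target)
            dropped[path] = ev
            writer = ntpath.basename(norm_path(ev.image))
            if path.startswith(DRIVER_DIRS):
                findings.append({"rule": "driver_drop", "pid": ev.pid, "path": path})
            elif path.startswith(SYSTEM_DIRS) and writer == "rundll32.exe":
                findings.append({"rule": "rundll32_system_dir_drop", "pid": ev.pid, "path": path})
        elif ev.event_id == 7:
            path = norm_path(ev.target)
            if path not in dropped:
                continue
            proc = procs.get(ev.pid)
            netsvcs = proc is not None and "-k netsvcs" in proc.command_line.lower()
            findings.append({
                "rule": "netsvcs_loads_dropped_dll" if netsvcs else "loads_dropped_dll",
                "pid": ev.pid, "path": path, "dropped_by": dropped[path].pid,
            })
    return findings


# Constructed events modelled on the report's process tree and dropped files.
DLL = r"C:\Users\Admin\AppData\Local\Temp\43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    Event(1, 2368, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(1, 2416, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(11, 2416, r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"\??\c:\windows\SysWOW64\winfastuserswitchingcompatibilityex.dll"),
    Event(11, 2416, r"C:\Windows\SysWOW64\rundll32.exe",   # writer is an assumption
          target=r"C:\Windows\SysWOW64\drivers\MgicRc.sys"),
    Event(1, 2080, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
    Event(7, 2080, r"C:\Windows\SysWOW64\svchost.exe",
          target=r"C:\Windows\SysWOW64\winfastuserswitchingcompatibilityex.dll"),
    Event(7, 2080, r"C:\Windows\SysWOW64\svchost.exe",     # legitimate module, must not fire
          target=r"C:\Windows\SysWOW64\termsrv.dll"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The correlation is deliberately keyed on "module loaded by a service host was written during the same recording", not on the file name, because the dropped name is arbitrary and will differ between samples; the driver-directory rule fires on the write itself, whichever process performs it.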