Analysis
  max time kernel:   148s
  max time network:  153s
  platform:          windows7_x64
  resource:          win7-20240708-en
  resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:         14/07/2024, 00:22
Static task: static1

Behavioral task: behavioral1
  Sample:    43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll
  Resource:  win7-20240708-en

Behavioral task: behavioral2
  Sample:    43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll
  Resource:  win10v2004-20240709-en
General
  Target:  43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll
  Size:    26KB
  MD5:     43ca2194f85560b30bca3d1b0c82311d
  SHA1:    75727561171f5cb420692081a79fb79a973e1267
  SHA256:  8cdb9fb9370b435f3e3c0d7ad49b02794b9aec62cf3713c16e309eb11f3f8d9f
  SHA512:  a02b166686e76c16d3241ba6a48918f15d56737dfddc707ea630ede117b8ba96be45d7c791985e1a7aa9df78552b8a8cd0f50007a13d23e75f558f470eeb04b7
  SSDEEP:  768:jAObw06ClYt6xMgR9YqOwfdGDI5aYFp5vciq:K1ClYtzQhciq
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description                   ioc                                     Process
  File created                  C:\Windows\SysWOW64\drivers\MgicRc.sys  rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\drivers\MgicRc.sys  svchost.exe

- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                     Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\WinFastUserSwitchingCompatibilityEx.dll"  rundll32.exe

- Loads dropped DLL (1 IoCs)
  pid   Process
  2080  svchost.exe

- Drops file in System32 directory (2 IoCs)
  description                   ioc                                                        Process
  File created                  C:\Windows\SysWOW64\WinFastUserSwitchingCompatibilityEx.dll  rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\WinFastUserSwitchingCompatibilityEx.dll  rundll32.exe

- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2360  2416        WerFault.exe  30

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2416  rundll32.exe
  2416  rundll32.exe
  2080  svchost.exe

- Suspicious behavior: LoadsDriver (2 IoCs)
  pid  Process
  476  Process not Found
  476  Process not Found

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target  count
  PID 2368 wrote to memory of 2416  2368  rundll32.exe  30             7
  PID 2416 wrote to memory of 2360  2416  rundll32.exe  32             4
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll,#1
  PID: 2368
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43ca2194f85560b30bca3d1b0c82311d_JaffaCakes118.dll,#1
    PID: 2416
    - Drops file in Drivers directory
    - Server Software Component: Terminal Services DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 260
      PID: 2360
      - Program crash

- C:\Windows\SysWOW64\svchost.exe
  command: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2080
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize:  2KB
  MD5:       058bf2e0728e3d36308bf49ca10b9072
  SHA1:      ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6
  SHA256:    9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70
  SHA512:    e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

- Filesize:  26KB
  MD5:       43ca2194f85560b30bca3d1b0c82311d
  SHA1:      75727561171f5cb420692081a79fb79a973e1267
  SHA256:    8cdb9fb9370b435f3e3c0d7ad49b02794b9aec62cf3713c16e309eb11f3f8d9f
  SHA512:    a02b166686e76c16d3241ba6a48918f15d56737dfddc707ea630ede117b8ba96be45d7c791985e1a7aa9df78552b8a8cd0f50007a13d23e75f558f470eeb04b7