Analysis
- max time kernel: 140s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2024, 07:15
Static task: static1
Behavioral task: behavioral1
- Sample: 5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll
- Resource: win10v2004-20240709-en
General
- Target: 5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll
- Size: 1.1MB
- MD5: 5f867aa22c9d54c649df7a071ef89d2c
- SHA1: adbb31854dca4c0d443bbad122d5e9eb14f2a647
- SHA256: 5644729142753f30e83e3f5a58520e6f28ae135dc496188b3b7310a9226103c2
- SHA512: 831ba0f692392ffe3c0dc98022332ebca97a98af2f2968dd076047f5d0bfe30d2fc2a429f801084498848d64da72163e6e906c38314adbb642e637d451259fb3
- SSDEEP: 24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00r:SuNZ7Ib8ZBL2/Xg
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll" | regsvr32.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\aaa1a2ec81.dll | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\aaa1a2ec81.dll | svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
  PID 2460 wrote to memory of 1944 | 2460 | regsvr32.exe | 30
Processes
- C:\Windows\system32\regsvr32.exe (PID 2460)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1944, child of 2460)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\5f867aa22c9d54c649df7a071ef89d2c_JaffaCakes118.dll
    Signatures: Server Software Component: Terminal Services DLL
- C:\Windows\SysWOW64\svchost.exe (PID 2016)
  Command line: C:\Windows\SysWOW64\svchost.exe -k dtcGep
  Signatures: Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135B
  MD5: 394fe5df42be8d2dd4ee0c646329cbf2
  SHA1: 990daa36b1fcfc0253148977e8bd889808db25e1
  SHA256: 6382424db08c320002973cf2fd87adf3a05cb5e2723e0e0d5f4653d6c3f7d974
  SHA512: 68299dc9577597a6533bf394b70190a3d69e9dc38afae91726a3f676609b7b93fce27255cf08b7dd7a0b6e6c11f6dfc4316856f4834b14d984782fdd29325111
- Filesize: 114B
  MD5: 0e6d2e5a2eef6207d0612a7cd62719d0
  SHA1: 4b6af519deae6d86a735d36393590b7ea52ab949
  SHA256: 6a5fdb1979a2b6be86bd5ba8214c7d3df3a3eef80b414f5a648a468e9429fc4f
  SHA512: 84fa4a0a35810b0eefa89ca80af0e710c8958f55655deee16cbbaac56ce25882d20f95b733c73df91cfdd2c0b48263128d4d001eab653ffea33f999a08e9b359