Analysis
max time kernel: 140s
max time network: 133s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27/07/2024, 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: 768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll
Size: 1.1MB
MD5: 768ed5436356b89ebbc561a41af13231
SHA1: 57ccaee0a155928d41b47cb2e378a74313f3fec4
SHA256: e2fd441f589ab222ee61ad0125804926170d2377d5b9f4f947c3a24fd8f1364c
SHA512: 389e2b6e97e797ef514c27257da11cd0c70877717fb48f61ef7973a574de27d79269b633142f839f0303b82ae5f78c400f0bb734b9b5e7455e60eef6d5f49889
SSDEEP: 24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00z:SuNZ7Ib8ZBL2/X0
Malware Config
Signatures
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll" | regsvr32.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\8ed0ed5b33.dll | svchost.exe
File opened for modification | C:\Windows\SysWOW64\8ed0ed5b33.dll | svchost.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2504 wrote to memory of 2052 | 2504 | regsvr32.exe | 29
(the same row is reported 7 times)
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll
   PID: 2504
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of the process above)
      command line: /s C:\Users\Admin\AppData\Local\Temp\768ed5436356b89ebbc561a41af13231_JaffaCakes118.dll
      PID: 2052
      - Server Software Component: Terminal Services DLL
      - System Location Discovery: System Language Discovery
1. C:\Windows\SysWOW64\svchost.exe
   command line: C:\Windows\SysWOW64\svchost.exe -k dtcGep
   PID: 2304
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135B
MD5: 7349901648f34a35dab92cc19a4f39c6
SHA1: 0b047a1712be72691df1c16f5468f5dd32a42151
SHA256: 47e0c0a832caf8ad976864a45b0368e5baf19a0a0bbd8c5cd4d6a4a886eb4920
SHA512: 695fb981eba7bce6f409da263cdc3c9d1ef9c5362e03fff718cce99e92d2d99f40c37e8335b4b80d1cbab1f235d6fcc2a6fd72302a597a2cc76a8990662166bb

Filesize: 114B
MD5: f373fc6f607b16dc095ab4e4f90e19fd
SHA1: 354d05bf8e3ba356d9ca64be7630bd0a5f081675
SHA256: ea0c8345a9d5958a931b8fa6e88285296b57cd076c91802b662e4ee8c6a70dd8
SHA512: 3dcaf1c8c00eedc74fb4d6613b2d19069cd282e195045f9ef934dbc797e0193679012969dbf2db85fe5bbb448f3dee1526692c1dceb64000447f37eaf972f4fd