Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11/08/2024, 08:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 899f7a7e45a4da66ddd2be41d57ff085_JaffaCakes118.dll
- Resource: win7-20240704-en
General
- Target: 899f7a7e45a4da66ddd2be41d57ff085_JaffaCakes118.dll
- Size: 670KB
- MD5: 899f7a7e45a4da66ddd2be41d57ff085
- SHA1: 4409693bbe1a94c939589d0086552f7327755994
- SHA256: 9567fe10e815c505de5d83bc33b02e8f28d7379caa6e5599f7acd8444d897d52
- SHA512: e3583b5742d833f31fd16669b7788c0476662f70996e23386364dd1ad4b79aa0d96c60e59d179150954f331872148ad7e892b3073e51ec7e6730f7749e372e30
- SSDEEP: 12288:jbg04agUYlothAbgr1sya/vdnx1MHQbRLSnvB:jbnGshAUr1EHRmQbRLSvB
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  Process
  2156 rundll32mgr.exe
  2940 rundll32mgrmgr.exe
- Loads dropped DLL (4 IoCs)
  pid  Process
  2688 rundll32.exe
  2688 rundll32.exe
  2156 rundll32mgr.exe
  2156 rundll32mgr.exe
- Drops file in System32 directory (2 IoCs)
  description   ioc                                    Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe     rundll32.exe
  File created  C:\Windows\SysWOW64\rundll32mgrmgr.exe  rundll32mgr.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32mgrmgr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32mgr.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid  Process
  2156 rundll32mgr.exe (3 events)
  2940 rundll32mgrmgr.exe (2 events)
- Suspicious behavior: MapViewOfSection (26 IoCs)
  pid  Process
  2156 rundll32mgr.exe (all 26 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  2156 rundll32mgr.exe
  Token: SeDebugPrivilege  2156 rundll32mgr.exe
  Token: SeDebugPrivilege  2940 rundll32mgrmgr.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid  Process
  2156 rundll32mgr.exe
  2940 rundll32mgrmgr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\wininit.exe (cmd: wininit.exe) PID:384
  - C:\Windows\system32\services.exe PID:476
    - C:\Windows\system32\svchost.exe -k DcomLaunch PID:592
      - C:\Windows\system32\wbem\wmiprvse.exe PID:864
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} PID:1744
    - C:\Windows\system32\svchost.exe -k RPCSS PID:668
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted PID:748
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted PID:812
      - C:\Windows\system32\Dwm.exe PID:1180
    - C:\Windows\system32\svchost.exe -k netsvcs PID:848
    - C:\Windows\system32\svchost.exe -k LocalService PID:968
    - C:\Windows\system32\svchost.exe -k NetworkService PID:108
    - C:\Windows\System32\spoolsv.exe PID:348
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork PID:1036
    - C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe") PID:1116
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE PID:1624
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation PID:3024
    - C:\Windows\system32\sppsvc.exe PID:1996
  - C:\Windows\system32\lsass.exe PID:492
  - C:\Windows\system32\lsm.exe PID:500
- C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID:392
- C:\Windows\system32\winlogon.exe (cmd: winlogon.exe) PID:432
- C:\Windows\Explorer.EXE PID:1240
  - C:\Windows\system32\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\899f7a7e45a4da66ddd2be41d57ff085_JaffaCakes118.dll,#1) PID:1600
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\899f7a7e45a4da66ddd2be41d57ff085_JaffaCakes118.dll,#1) PID:2688
      signatures:
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgr.exe PID:2156
        signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32mgrmgr.exe PID:2940
          signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 288KB
  MD5: 5f8951eba93c310639727b49bc888558
  SHA1: 52a0e98ad6276293f9094cd0c7d2767ab25ace2e
  SHA256: 192b1e73eb1d9dde9751887445a5af57ec8b7a8e89a744053d9c42cd133cc63c
  SHA512: 69c443e095739209960dcfe54929962c10687028a3c2224afcb2eaaf9dc547af0ccd1c7a0c2df88ef2195b932aab771ae7b7e2901f24ffed8e7484d8d340c0f4
- Filesize: 143KB
  MD5: 357a495e970dc3466ff982f52ff8eb84
  SHA1: 2851fd90e8c194099e0ca8eeb6511b4273a7a821
  SHA256: f4dea7059898534cb61e0d63217c50ef4eda751e153ba9d1faa5bacf4202e42f
  SHA512: 5a819cf9e917d865e8e3d7ffc90b709debb3134a1c253beb9e3f1627073c32141925008d6ab103f0577c1cc3cf731b27b0053d1d7a04bc9b52ef4d77e6ac2f18