Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16/09/2024, 22:41
Static task: static1
Behavioral task: behavioral1
Sample: e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll
Resource: win7-20240708-en
General
Target: e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll
Size: 498KB
MD5: e5b1ffd2ecd7e610d07d093d65639da9
SHA1: 0ed01c2424e6fbfa6650d1c4ffd22b68bb19f9a5
SHA256: 066bf4cca227eae7a9e46e65fa518c08673ae7cc19e9563d36a7e4a1325f14af
SHA512: 930d36dcfc41415ee872d2f9ef20f7643e93b2dcda5a60b146184df7c7eb548c121fa2b60c0dd9df36a0701c2ee28cbc64725723c288e47ab27f0a3c3a871424
SSDEEP: 6144:MmoZkbtQmb25Zh18hqJbDqSB7Lvq2XsjYiVmOf7Yp4jOa9Upx:MmoZkmmCVRtPvq2+d/
Malware Config
Extracted: gozi
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | net.exe
Executes dropped EXE (3 IoCs)
pid | Process
3008 | ~A776.tmp
1672 | temp.exe
2848 | net.exe
Loads dropped DLL (3 IoCs)
pid | Process
2968 | rundll32.exe
3008 | ~A776.tmp
2612 | svchost.exe
Drops file in System32 directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\sysprep\Panther\diagerr.xml | sysprep.exe
File opened for modification | C:\Windows\system32\sysprep\Panther\diagwrn.xml | sysprep.exe
File opened for modification | C:\Windows\system32\sysprep\Panther\setupact.log | sysprep.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File opened for modification | C:\Windows\system32\sysprep\Panther\setuperr.log | sysprep.exe
File created | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | net.exe
File created | C:\Windows\SysWOW64\system_t.dll | svchost.exe
File opened for modification | C:\Windows\SysWOW64\system_t.dll | svchost.exe
File created | C:\Windows\SysWOW64\enumfs.ini | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dnlist.ini | svchost.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\config_t.dat | net.exe
File opened for modification | C:\Windows\system\config_t.dat | svchost.exe
File created | C:\Windows\system\config_t.dat | net.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~A776.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid | Process
1992 | ipconfig.exe
Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C}\WpadDecisionTime = 70b7f6bd8908db01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C}\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C}\WpadNetworkName = "Network 3" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C}\fe-29-98-08-e9-ca | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-29-98-08-e9-ca\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-29-98-08-e9-ca\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9174E6ED-9E4B-4C4D-B99A-77BD2D1DE58C}\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-29-98-08-e9-ca | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-29-98-08-e9-ca\WpadDecisionTime = 70b7f6bd8908db01 | svchost.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1672 | temp.exe
2612 | svchost.exe
Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | Process | procid_target | events
PID 2196 wrote to memory of 2968 | 2196 | rundll32.exe | 30 | 7
PID 2968 wrote to memory of 3008 | 2968 | rundll32.exe | 31 | 4
PID 3008 wrote to memory of 1672 | 3008 | ~A776.tmp | 32 | 4
PID 1672 wrote to memory of 1200 | 1672 | temp.exe | 21 | 20
PID 1200 wrote to memory of 2828 | 1200 | Explorer.EXE | 34 | 3
PID 2828 wrote to memory of 2848 | 2828 | sysprep.exe | 35 | 4
PID 2612 wrote to memory of 1992 | 2612 | svchost.exe | 38 | 4
Processes

- C:\Windows\Explorer.EXE (PID 1200)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2196)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2968)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~A776.tmp (PID 3008)
        command line: C:\Users\Admin\AppData\Local\Temp\~A776.tmp
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\temp.exe (PID 1672)
          command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\sysprep\sysprep.exe (PID 2828)
    command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\net.exe (PID 2848)
      command line: "C:\Users\Admin\AppData\Local\Temp\net.exe"
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory

- C:\Windows\SysWOW64\svchost.exe (PID 2612)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ipconfig.exe (PID 1992)
    command line: ipconfig /all
    - System Location Discovery: System Language Discovery
    - Gathers network information
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 245KB
  MD5: a0e350787e4134ea91ccb26d17cdf167
  SHA1: 8e7e89865b73424151c148d1341ce5de935c176a
  SHA256: 23f765758b3071fd7f0a36b2040148cf637fd08e6a62fa7d9abf785480673bd0
  SHA512: 89ba5f1e5d5014953f20b19fbcf008ec89d25cbfd63380e267e343b2c9c580a2d88f2e5c5092225947f99bc06bf2270ca28c63e1918093063bc1391aa5028036

- Filesize: 492KB
  MD5: b990752f8266d7648070bea7e24d326f
  SHA1: cc221465dac981f4934fef39d41ddb2e1d26299f
  SHA256: 5b3e07ff6d930392b8749e68a54b1e04062794d1dafff226fb61ba4baf8bbfc6
  SHA512: 8be894f68eaa0f0393ea85fe9008da95c244b2f0f8c157fa0487b22c6d249dd98ce3d21d631792b0dc8109a7f152f336bfab423031c2a724ca2606a716aca613

- Filesize: 60B
  MD5: 8b85f1eaed63f13d1166ae1e6c9f99b3
  SHA1: a371b5feb47256cff158c0069955f4443a2ed1b5
  SHA256: cd01a8cc40a88ccd60fe952349077ca238736f3979a6846a357da3b439a543ab
  SHA512: 0a5da969449fe515ddce213621639e6748fd4c6b44e308bd5dddd375840bb49a5c944c4bf2cf5c72e4858e2f976af52235119dee7c6f6e892d5f59381fb9b867

- Filesize: 62B
  MD5: 1cb2bd0b87e183ad83f62f063bed5d97
  SHA1: 9a781b008af6d73ce028a330f27585916b0b8dbf
  SHA256: 8655efa5d1fb64221c84ffd02d9b1fa48f4b9994a15e6e6069af0e7963ef7db7
  SHA512: 125871840f4f9f685799da8fa02ee6fbf2599b367d821f2d15d08a9395492bbd292e47048f40aecdce2ee179b30ce2170f95c36fc6f48e8dc28d5ae421a4c21f

- Filesize: 854B
  MD5: 92479c7beb463e01e82d1f82be2915c5
  SHA1: 4c3f7ecf6378c216eafbeabdb5a90347bdf4f647
  SHA256: c2e6b34b1e9db0ad8154231f5ea49b4e9cdea64b822232e8fd0ad882c8bbc405
  SHA512: 43668f93623905f6d279e06e25b8d1507e51d34b84592bf28aeefec2a68c96405aa7931b6abe7f592636c62bfe390a9fd32a56cb31710c992d87a6eecbe2dab0

- Filesize: 155B
  MD5: ec9f5e4fca22eb66886fd4465c9253ef
  SHA1: 409f5160da72ff9e31a03b52a2a198163001edca
  SHA256: 6d668b8daed87cb6e4486086af367d2b655c15706d2d0dc1c9ee846dba3b13b2
  SHA512: acaef1ab8663aa48489cafd3b89d1fc61e43b3078d8caec77b66a89ec1afe4e4201ef2677c7651da1ec4ed408afaeb2d9d2fa265ab6a1cd92891fb872b78d4d3

- Filesize: 200KB
  MD5: 150a2c1b800c6370f9c8a3781568ef83
  SHA1: 6cc2aed29b672b7026c0fabd3285984488aaeaf3
  SHA256: e5f0e0a014e19a8aef99286e6bfd04b7c1258f5a2a5ce2b3ef5d96ec0ac60be3
  SHA512: 54ffa28ccfcfe3f16078a4a7eaf8f9b10718082bbdb5148c0a2219ff556002105e49c3e88605ef11bbab45f0a704777c10195bfbe93179d6d27c616ea7b37538

- Filesize: 86KB
  MD5: 425609a2c35081730982a01d72a76cbe
  SHA1: 64f95fe985a7ef7ee4f396e36279aa31498ac3cc
  SHA256: e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3
  SHA512: 6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4