Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 10:01
Behavioral task behavioral1
- Sample: eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
- Size: 318KB
- MD5: eb18c10daec2052a035420c3866ca62f
- SHA1: 4b3cee088f397e4d9f774c5c4a4f3c81d1a221d8
- SHA256: dfc157b611233ffb1037d4af638866e89f1d5504b10f86827de79a42cd4fa1ae
- SHA512: bf4202edc0f28ba4fe52e741aea6e6e96f2240e39a74d097ff9df349a37113e2b52b51d1d0eb463a413442b78086651c3f67d9450f2983223f2712200246c1a5
- SSDEEP: 6144:I1zSIqrkISRfXfpY+0yFdADAc74eJpTWCy2vd/BuiRoG:/4ISRPfu+TmZ77Rku1Buyo
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL (1 TTPs, 14 IoCs)
Set value (str), process eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe, for each of the following:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"
Loads dropped DLL (12 IoCs)
Process svchost.exe, PIDs: 2188, 2720, 2820, 2672, 2600, 484, 2320, 1932, 2332, 1548, 852, 2632
YARA rule upx matched the following resources:
- behavioral1/memory/1868-0-0x0000000000940000-0x000000000098E000-memory.dmp
- behavioral1/files/0x000800000001612f-4.dat
- behavioral1/memory/2188-6-0x0000000074A00000-0x0000000074A4E000-memory.dmp
- behavioral1/memory/2720-11-0x00000000744D0000-0x000000007451E000-memory.dmp
- behavioral1/memory/2720-12-0x00000000744D0000-0x000000007451E000-memory.dmp
- behavioral1/memory/2820-16-0x0000000074A00000-0x0000000074A4E000-memory.dmp
- behavioral1/memory/1548-39-0x0000000074A00000-0x0000000074A4E000-memory.dmp
- behavioral1/memory/1868-46-0x0000000000940000-0x000000000098E000-memory.dmp
Drops file in System32 directory (14 IoCs)
File opened for modification, process eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe, for each of the following:
- C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
- C:\Windows\SysWOW64\Irmon.dll
- C:\Windows\SysWOW64\NWCWorkstation.dll
- C:\Windows\SysWOW64\helpsvc.dll
- C:\Windows\SysWOW64\Nla.dll
- C:\Windows\SysWOW64\WmdmPmSp.dll
- C:\Windows\SysWOW64\PCAudit.dll
- C:\Windows\SysWOW64\Ntmssvc.dll
- C:\Windows\SysWOW64\Nwsapagent.dll
- C:\Windows\SysWOW64\SRService.dll
- C:\Windows\SysWOW64\uploadmgr.dll
- C:\Windows\SysWOW64\Ias.dll
- C:\Windows\SysWOW64\Wmi.dll
- C:\Windows\SysWOW64\LogonHours.dll
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe (1 occurrence)
- svchost.exe (13 occurrences)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
PID 1868, process eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe"
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1868
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2188
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2720
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2600
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:484
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2320
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- System Location Discovery: System Language Discovery
PID:704
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1932
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2332
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1548
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:852
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2632
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 318KB
- MD5: bd8eb49e33037565c72209d7c6cb2e51
- SHA1: b276e5619d7dad7b015d55788ab61a2af2990e97
- SHA256: 8eba2c13cacaecb719ae7582e9fa9469e7e2d260e7a96f6854b636e243636798
- SHA512: af99d898a3b37412696905f3705d834ad5f4de48ee3180637b3d04278cab997466f5e76ba90fe2fe7fe4994756c450bbe50868f0ca6b0319fb10531d4db28048