Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 10:01

General

  • Target

    eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe

  • Size

    318KB

  • MD5

    eb18c10daec2052a035420c3866ca62f

  • SHA1

    4b3cee088f397e4d9f774c5c4a4f3c81d1a221d8

  • SHA256

    dfc157b611233ffb1037d4af638866e89f1d5504b10f86827de79a42cd4fa1ae

  • SHA512

    bf4202edc0f28ba4fe52e741aea6e6e96f2240e39a74d097ff9df349a37113e2b52b51d1d0eb463a413442b78086651c3f67d9450f2983223f2712200246c1a5

  • SSDEEP

    6144:I1zSIqrkISRfXfpY+0yFdADAc74eJpTWCy2vd/BuiRoG:/4ISRPfu+TmZ77Rku1Buyo

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 14 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1868
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2188
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2720
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2820
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2672
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2600
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:484
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2320
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • System Location Discovery: System Language Discovery
    PID:704
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1932
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2332
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1548
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:852
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

    Filesize

    318KB

    MD5

    bd8eb49e33037565c72209d7c6cb2e51

    SHA1

    b276e5619d7dad7b015d55788ab61a2af2990e97

    SHA256

    8eba2c13cacaecb719ae7582e9fa9469e7e2d260e7a96f6854b636e243636798

    SHA512

    af99d898a3b37412696905f3705d834ad5f4de48ee3180637b3d04278cab997466f5e76ba90fe2fe7fe4994756c450bbe50868f0ca6b0319fb10531d4db28048

  • memory/1548-39-0x0000000074A00000-0x0000000074A4E000-memory.dmp

    Filesize

    312KB

  • memory/1868-0-0x0000000000940000-0x000000000098E000-memory.dmp

    Filesize

    312KB

  • memory/1868-1-0x0000000000280000-0x00000000002CE000-memory.dmp

    Filesize

    312KB

  • memory/1868-46-0x0000000000940000-0x000000000098E000-memory.dmp

    Filesize

    312KB

  • memory/2188-6-0x0000000074A00000-0x0000000074A4E000-memory.dmp

    Filesize

    312KB

  • memory/2720-11-0x00000000744D0000-0x000000007451E000-memory.dmp

    Filesize

    312KB

  • memory/2720-12-0x00000000744D0000-0x000000007451E000-memory.dmp

    Filesize

    312KB

  • memory/2820-16-0x0000000074A00000-0x0000000074A4E000-memory.dmp

    Filesize

    312KB