Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Size: 49KB
MD5: 0d513ceac4decc4d06e35ad3a951256c
SHA1: 60735cdca1f6610552c17cb6f058c5d9c42c2191
SHA256: af68f476140d51931caa9b605442477b894d7cfa83b6a36165f818b91297d707
SHA512: 953b6d091b9fdbf45d2f3d3766a3bd4d2cebadaffc6222dc138bf236cd54495b9fff316bfeebed745eab950acbbc3f01ef5e75f0575969a1b2d11dc7bc91d92f
SSDEEP: 768:If6EsU/CR16uhtTmbDRFZ8hjZlKFoak2BbWzsRxJn02WXpJobj6/4BMOljVQbrCx:dEs169ZwlioSWYnJ0FXpSq6MOTQH1
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2864: rundll32.exe
- Loads dropped DLL (1 IoC)
  PID 2864: rundll32.exe
- Drops file in System32 directory (11 IoCs)
  File created C:\Windows\SysWOW64\yuksuser.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File opened for modification C:\Windows\SysWOW64\yuksuser.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\dllcache\midimap.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\YU0x4.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\ksuser.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\dllcache\ksuser.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\yumidimap.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\midimap.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\yucomres.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\comres.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\dllcache\comres.dll by 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
- Launches sc.exe (6 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PIDs 2940, 2720, 2956, 2416, 2104, 2300: sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: sc.exe, 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe, net.exe, sc.exe, sc.exe, net.exe, sc.exe, sc.exe, sc.exe, rundll32.exe, net1.exe, net1.exe, net1.exe, net.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 2504: 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe (15 entries)
  PID 2864: rundll32.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID 480: Process not Found (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 2504: 0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe (PID 2504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 2376)
    Command line: net stop cryptsvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2784)
      Command line: C:\Windows\system32\net1 stop cryptsvc
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2416)
    Command line: sc config cryptsvc start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2104)
    Command line: sc delete cryptsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\net.exe (PID 1840)
    Command line: net stop cryptsvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2796)
      Command line: C:\Windows\system32\net1 stop cryptsvc
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2300)
    Command line: sc config cryptsvc start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2940)
    Command line: sc delete cryptsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\net.exe (PID 2332)
    Command line: net stop cryptsvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2856)
      Command line: C:\Windows\system32\net1 stop cryptsvc
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2720)
    Command line: sc config cryptsvc start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2956)
    Command line: sc delete cryptsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\rundll32.exe (PID 2864)
    Command line: C:\Users\Admin\AppData\Local\Temp\Aupbc7a3.dat, ServerMain
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 55e3d398a50d93d046009571413bd55c
  SHA1: 89fad6b96211616a25c3924924d23b09cc5a140d
  SHA256: 9e211f728d6ac7f045181b40b0581a87e3bf260fbbdeb10d4444cbcdff5c0f56
  SHA512: d193028704826a0ae56ac1b0dfa5b9998462da2315adaa819b92212f6ea86f690a2c6e788bcfe82520bb7241e572d640eb88bf71dd2b36f328692cff889db31d
- Filesize: 105B
  MD5: 0570d8f868e535c11763800457edf292
  SHA1: 75edbca748cf036763b32f2063b61ef44c37b971
  SHA256: b3bab904030b990d70ef8c1a15870346f811fa58efcdc1f56bf97324bb8f4e1b
  SHA512: 03fb35d252af61d9f8c1c3f1c59b5c11c4b2e713b30342ceba2c0c5a79a16ada4f1eba414caf187191eef23ecf2c31783dc0a6b6d625702393dcaeb8aa08c8d6