Analysis
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 10:14
Static task: static1
Behavioral task behavioral1: sample 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample $PLUGINSDIR/GetVersion.dll, resource win7-20240729-en
Behavioral task behavioral4: sample $PLUGINSDIR/GetVersion.dll, resource win10v2004-20240802-en
Behavioral task behavioral5: sample $PLUGINSDIR/KillProcDLL.dll, resource win7-20240903-en
Behavioral task behavioral6: sample $PLUGINSDIR/KillProcDLL.dll, resource win10v2004-20240802-en
Behavioral task behavioral7: sample $PLUGINSDIR/System.dll, resource win7-20240708-en
Behavioral task behavioral8: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
General
Target: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Size: 1005KB
MD5: 12e9927d52006fdfb16919e0ccdfb670
SHA1: 128643ef042e58f53b0d493441afb5ef6fa61bc5
SHA256: 23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa
SHA512: 76dae07dd4b99f1bffb9bdbe79b07a2246f31271a288562adff5e6d9af4587c1234895ac651c55025d27de4e4d623adf266aaabaf0735791900a628c8d981ad1
SSDEEP: 24576:5aK/eDpS1eAR+XTQeZaSyYE5Qs+B9Kfyl/QlrnRdyNCMNqL1Xi:3/e9jCST5ZHyYE5hboir91Xi
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid 2364: svchost.exe
pid 1956: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
pid 2444: svchost.exe

Loads dropped DLL (14 IoCs)
pid 2364: svchost.exe (1 occurrence)
pid 1956: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (13 occurrences)

Drops file in Windows directory (1 IoC)
File created: C:\Windows\svchost.exe, by process 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process svchost.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process svchost.exe

NSIS installer (1 IoC)
Resource: behavioral1/files/0x00070000000186e4-10.dat; YARA rule: nsis_installer_1

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid 1956: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe (12 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1956: 12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 2332 (12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe) wrote to memory of PID 2364, procid_target 30 (4 occurrences)
PID 2364 (svchost.exe) wrote to memory of PID 1956, procid_target 31 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
   PID: 2332
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
      PID: 2364
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
         PID: 1956
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
1. C:\Windows\svchost.exe
   Command line: C:\Windows\svchost.exe
   PID: 2444
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads