Analysis
max time kernel: 120s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2024, 14:30
Static task: static1

Behavioral task: behavioral1
  Sample: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  Resource: win10v2004-20241007-en
General
Target: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
Size: 255KB
MD5: 3a859a262b2b4dd3102456071c9c90cc
SHA1: cee9f7333eaea7e9d9a477022de2c7547a41ef52
SHA256: 3993b3fec8f692c079736b6751927695f4c72e0ebd5982469014caa89e776239
SHA512: c7799e1a586a212aa90d545d929e1026580c06850b3df848a3675e8345512d2664e093e1792fb0d881ac72cfee1de8f1c0ce9abadb1c671f552f8143acf3578c
SSDEEP: 3072:dwiiaFspa8tnGzeeMIqcFnnPgOBTil8lVWPt+uS0YJH08c1:dGEknGzeeMIqcFYwilr+ueJ
Malware Config
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SENS\Parameters\ServiceDll = "C:\\PROGRA~3\\nini32lo.dat" | regsvr32.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\nini32lo.dat | regsvr32.exe
  File opened for modification | C:\PROGRA~3\nini32lo.dat | regsvr32.exe
  File created | C:\PROGRA~3\ol23inin.dat | regsvr32.exe
  File opened for modification | C:\PROGRA~3\ol23inin.dat | regsvr32.exe

Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7F81432A-DE33-4B08-8612-3CCAB2E45964}.crmlog | dllhost.exe
  File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7F81432A-DE33-4B08-8612-3CCAB2E45964}.crmlog | dllhost.exe
  File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
  File opened for modification | C:\Windows\Tasks\SCHEDLGU.TXT | svchost.exe
  File opened for modification | C:\Windows\Tasks\SA.DAT | svchost.exe

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  An attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2708 | regsvr32.exe

Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  1900 | svchost.exe
  1900 | svchost.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2708 | regsvr32.exe
  Token: SeDebugPrivilege | 2708 | regsvr32.exe
  Token: SeDebugPrivilege | 2708 | regsvr32.exe
  Token: SeAuditPrivilege | 1900 | svchost.exe
  Token: SeLoadDriverPrivilege | 1900 | svchost.exe
  Token: SeTcbPrivilege | 1900 | svchost.exe
  Token: SeLoadDriverPrivilege | 1900 | svchost.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2132 wrote to memory of 2708 | 2132 | regsvr32.exe | 28
  PID 2708 wrote to memory of 616 | 2708 | regsvr32.exe | 9
  PID 2708 wrote to memory of 2728 | 2708 | regsvr32.exe | 29
  PID 2708 wrote to memory of 2728 | 2708 | regsvr32.exe | 29
  PID 2708 wrote to memory of 2728 | 2708 | regsvr32.exe | 29
  PID 2708 wrote to memory of 2728 | 2708 | regsvr32.exe | 29
  PID 2728 wrote to memory of 2480 | 2728 | cmd.exe | 31
  PID 2728 wrote to memory of 2480 | 2728 | cmd.exe | 31
  PID 2728 wrote to memory of 2480 | 2728 | cmd.exe | 31
  PID 2728 wrote to memory of 2480 | 2728 | cmd.exe | 31
  PID 2480 wrote to memory of 2496 | 2480 | net.exe | 32
  PID 2480 wrote to memory of 2496 | 2480 | net.exe | 32
  PID 2480 wrote to memory of 2496 | 2480 | net.exe | 32
  PID 2480 wrote to memory of 2496 | 2480 | net.exe | 32
  PID 2708 wrote to memory of 536 | 2708 | regsvr32.exe | 35
  PID 2708 wrote to memory of 536 | 2708 | regsvr32.exe | 35
  PID 2708 wrote to memory of 536 | 2708 | regsvr32.exe | 35
  PID 2708 wrote to memory of 536 | 2708 | regsvr32.exe | 35
  PID 536 wrote to memory of 792 | 536 | cmd.exe | 37
  PID 536 wrote to memory of 792 | 536 | cmd.exe | 37
  PID 536 wrote to memory of 792 | 536 | cmd.exe | 37
  PID 536 wrote to memory of 792 | 536 | cmd.exe | 37
Processes (indentation shows parent/child relationship)

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  PID: 616

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  signatures: Suspicious use of WriteProcessMemory
  PID: 2132

  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
    signatures: Server Software Component: Terminal Services DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 2708

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c net start COMSysApp
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2728

      C:\Windows\SysWOW64\net.exe
        command line: net start COMSysApp
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2480

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 start COMSysApp
          signatures: System Location Discovery: System Language Discovery
          PID: 2496

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c net start SENS
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 536

      C:\Windows\SysWOW64\net.exe
        command line: net start SENS
        signatures: System Location Discovery: System Language Discovery
        PID: 792

C:\Windows\system32\dllhost.exe
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  signatures: Drops file in Windows directory
  PID: 2512

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs
  signatures: Drops file in Windows directory; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
  PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.8MB
MD5: 4abb4bb82f37d466e88811e6d330efed
SHA1: d8b01a7c7904341835e59bbeda05dd61739d0914
SHA256: fb4f78ecb04da3321032fb19ba9a6978fb8f87951eeab19747f43ae64c68bd57
SHA512: 39300fb07389ebda2643e955e414db50ab304884d09000c0b4f01af989a3e43fd53d99cc1c3be4cd0527ee0fbc6c476f5881367fbcdcedb6c40064a063f43e11