Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2024, 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  Resource: win10v2004-20241007-en
General
Target: 3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
Size: 255KB
MD5: 3a859a262b2b4dd3102456071c9c90cc
SHA1: cee9f7333eaea7e9d9a477022de2c7547a41ef52
SHA256: 3993b3fec8f692c079736b6751927695f4c72e0ebd5982469014caa89e776239
SHA512: c7799e1a586a212aa90d545d929e1026580c06850b3df848a3675e8345512d2664e093e1792fb0d881ac72cfee1de8f1c0ce9abadb1c671f552f8143acf3578c
SSDEEP: 3072:dwiiaFspa8tnGzeeMIqcFnnPgOBTil8lVWPt+uS0YJH08c1:dGEknGzeeMIqcFYwilr+ueJ
Malware Config
Signatures
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll = "C:\\PROGRA~3\\qwetemhumlo.dat" | regsvr32.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~3\olmuhmetewq.dat | regsvr32.exe
File created | C:\PROGRA~3\qwetemhumlo.dat | regsvr32.exe
File opened for modification | C:\PROGRA~3\qwetemhumlo.dat | regsvr32.exe
File created | C:\PROGRA~3\olmuhmetewq.dat | regsvr32.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06AB1B1A-FBD4-4055-B1CD-586C969A67AC}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06AB1B1A-FBD4-4055-B1CD-586C969A67AC}.crmlog | dllhost.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4256 | 2536 | WerFault.exe | 83

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2536 | regsvr32.exe
2536 | regsvr32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2536 | regsvr32.exe
Token: SeDebugPrivilege | 2536 | regsvr32.exe
Token: SeDebugPrivilege | 2536 | regsvr32.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2452 wrote to memory of 2536 | 2452 | regsvr32.exe | 83
PID 2452 wrote to memory of 2536 | 2452 | regsvr32.exe | 83
PID 2452 wrote to memory of 2536 | 2452 | regsvr32.exe | 83
PID 2536 wrote to memory of 804 | 2536 | regsvr32.exe | 10
PID 2536 wrote to memory of 2020 | 2536 | regsvr32.exe | 87
PID 2536 wrote to memory of 2020 | 2536 | regsvr32.exe | 87
PID 2536 wrote to memory of 2020 | 2536 | regsvr32.exe | 87
PID 2020 wrote to memory of 4004 | 2020 | cmd.exe | 89
PID 2020 wrote to memory of 4004 | 2020 | cmd.exe | 89
PID 2020 wrote to memory of 4004 | 2020 | cmd.exe | 89
PID 4004 wrote to memory of 2164 | 4004 | net.exe | 90
PID 4004 wrote to memory of 2164 | 4004 | net.exe | 90
PID 4004 wrote to memory of 2164 | 4004 | net.exe | 90
PID 2536 wrote to memory of 2816 | 2536 | regsvr32.exe | 92
PID 2536 wrote to memory of 2816 | 2536 | regsvr32.exe | 92
PID 2536 wrote to memory of 2816 | 2536 | regsvr32.exe | 92
PID 2816 wrote to memory of 2544 | 2816 | cmd.exe | 94
PID 2816 wrote to memory of 2544 | 2816 | cmd.exe | 94
PID 2816 wrote to memory of 2544 | 2816 | cmd.exe | 94
PID 2544 wrote to memory of 2784 | 2544 | net.exe | 95
PID 2544 wrote to memory of 2784 | 2544 | net.exe | 95
PID 2544 wrote to memory of 2784 | 2544 | net.exe | 95
Processes
(indented entries are child processes of the entry above them)

C:\Windows\system32\svchost.exe (PID 804)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\regsvr32.exe (PID 2452)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (PID 2536)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\3a859a262b2b4dd3102456071c9c90cc_JaffaCakes118.dll
    - Server Software Component: Terminal Services DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2020)
      Command line: cmd.exe /c net start COMSysApp
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 4004)
        Command line: net start COMSysApp
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2164)
          Command line: C:\Windows\system32\net1 start COMSysApp
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2816)
      Command line: cmd.exe /c net start SENS
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2544)
        Command line: net start SENS
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2784)
          Command line: C:\Windows\system32\net1 start SENS
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (PID 4256)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 620
      - Program crash

C:\Windows\system32\dllhost.exe (PID 1452)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory

C:\Windows\SysWOW64\WerFault.exe (PID 5104)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2536 -ip 2536

C:\Windows\System32\svchost.exe (PID 748)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: a41e8878cc7a707bb9ca0bd7b15b13d3
SHA1: 4652e837ddbd17a51e53eb37348c2829f57f5961
SHA256: 6aca35351f34dd5fb5751325bae7b11ead93cdc09ade98073028d8059b4b92ae
SHA512: 83cf4b2bd36b45df7217c1af0f04d460718f350c7f3ed4edf2de80f4180e19655f8160b8afb5a12019e7d9037a8496b94acc99487cd8ea0e86fc3ea86099c070