Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2024, 17:02
Behavioral task behavioral1
Sample: 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Size: 64KB
MD5: 433dec19a3092cad1d9ab9f22fede0aa
SHA1: 22987372b4e3e0dd82490430e74c23669c719731
SHA256: 930637d070ef2c085dee39591e9ef6f61b0bf92c0c8d851dfa5ea33e03462cba
SHA512: b4191510de2c44923ab5881d78da9a595732ca3d7e7b25b561d035b24569dbe8629d91f1a1ede43fb58b749a2619940efa09dd83aebbb34f4147ba7973c48552
SSDEEP: 1536:mwtp3nq8LXk/4g2fOG9HDvSvICqBMvA94DK4tbwgvX:D3lYIOyjKvIvBstDHVwA
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule:
  behavioral1/files/0x00080000000174b4-6.dat | acprotect
Loads dropped DLL (5 IoCs)
pid | Process:
  1892 | rundll32.exe
  1892 | rundll32.exe
  1892 | rundll32.exe
  1892 | rundll32.exe
  1892 | rundll32.exe
Modifies WinLogon (2 TTPs, 1 IoC)
description | ioc | Process:
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197" | rundll32.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process:
  File created | C:\Windows\SysWOW64\myAddr.dat | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\doansm.log | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\22283.dll | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\sfc_my.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\sfc_my.dll | rundll32.exe
resource | yara_rule (upx):
  behavioral1/memory/1728-0-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral1/memory/1728-5-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral1/files/0x00080000000174b4-6.dat | upx
  behavioral1/memory/1892-12-0x0000000010000000-0x0000000010104000-memory.dmp | upx
  behavioral1/memory/1892-13-0x0000000010000000-0x0000000010104000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid | pid_target | Process | procid_target:
  2348 | 1892 | WerFault.exe | 30
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sfc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target:
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1728 wrote to memory of 1892 | 1728 | 433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe | 30
  PID 1892 wrote to memory of 2484 | 1892 | rundll32.exe | 31
  PID 1892 wrote to memory of 2484 | 1892 | rundll32.exe | 31
  PID 1892 wrote to memory of 2484 | 1892 | rundll32.exe | 31
  PID 1892 wrote to memory of 2484 | 1892 | rundll32.exe | 31
  PID 1892 wrote to memory of 2348 | 1892 | rundll32.exe | 33
  PID 1892 wrote to memory of 2348 | 1892 | rundll32.exe | 33
  PID 1892 wrote to memory of 2348 | 1892 | rundll32.exe | 33
  PID 1892 wrote to memory of 2348 | 1892 | rundll32.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1728
  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" 22283.dll,myImeInit C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1892
    C:\Windows\SysWOW64\sfc.exe
      command line: "C:\Windows\system32\sfc.exe" /REVERT
      - System Location Discovery: System Language Discovery
      PID: 2484
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 352
      - Program crash
      PID: 2348
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 22KB
MD5: 4970fabaacf313ba47c69a80ed15fe71
SHA1: 512ab4d130e25e2659032c582028c3f5b0d31aef
SHA256: d88831cde6c76c62e4519db584f73274f8d6cd9e4ab2312734603cd5d8e89c96
SHA512: b8f061c2368f8861298048f35ec53d868b2d4f104a9b482b7bc64c9803b0d22eff284c993c96fd0f107930e214026676acccfae0863e0270a83480ce88024901
-
Filesize: 40KB
MD5: 84799328d87b3091a3bdd251e1ad31f9
SHA1: 64dbbe8210049f4d762de22525a7fe4313bf99d0
SHA256: f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
SHA512: 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4