Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 07:09
Static task: static1
Behavioral task: behavioral1
Sample: 65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll
Resource: win7-20240729-en
General
Target: 65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll
Size: 816KB
MD5: 65eedb07a6f749ad69bd6a937505442f
SHA1: 8a37ca00b017b63c3d231302419d2e89a06d5b7d
SHA256: de08365e362b2d95838d2a3a7a3bcae93cde512cbcc6e0cdbf60f2588350a572
SHA512: d9b1bcdd1c5d0f6ee6f8ec326a7a1cf5370241475204d3fc31f91f31ab76b42e3e5b5fec7402335b46405d2fa47ccdab5e719b71502b3075f6802d0a35551512
SSDEEP: 12288:XdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:tMIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
-
resource                                                                      yara_rule
behavioral1/memory/1172-4-0x0000000002D70000-0x0000000002D71000-memory.dmp    dridex_stager_shellcode
-
resource                                                                      yara_rule
behavioral1/memory/2264-0-0x0000000140000000-0x00000001400CC000-memory.dmp    dridex_payload
behavioral1/memory/1172-46-0x0000000140000000-0x00000001400CC000-memory.dmp   dridex_payload
behavioral1/memory/1172-59-0x0000000140000000-0x00000001400CC000-memory.dmp   dridex_payload
behavioral1/memory/1172-58-0x0000000140000000-0x00000001400CC000-memory.dmp   dridex_payload
behavioral1/memory/2264-66-0x0000000140000000-0x00000001400CC000-memory.dmp   dridex_payload
behavioral1/memory/3024-75-0x0000000140000000-0x00000001400CD000-memory.dmp   dridex_payload
behavioral1/memory/3024-79-0x0000000140000000-0x00000001400CD000-memory.dmp   dridex_payload
behavioral1/memory/1260-91-0x0000000140000000-0x00000001400CE000-memory.dmp   dridex_payload
behavioral1/memory/1260-96-0x0000000140000000-0x00000001400CE000-memory.dmp   dridex_payload
-
Executes dropped EXE (3 IoCs)
pid   Process
3024  spinstall.exe
1260  UI0Detect.exe
1496  Netplwiz.exe
-
Loads dropped DLL (7 IoCs)
pid   Process
1172  Process not Found
3024  spinstall.exe
1172  Process not Found
1260  UI0Detect.exe
1172  Process not Found
1496  Netplwiz.exe
1172  Process not Found
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\eQoo9\\UI0DET~1.EXE"
Process: Process not Found
-
description        ioc                                                                                   Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  spinstall.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  UI0Detect.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2264  rundll32.exe (3 entries)
1172  Process not Found (the remaining 59 of the 64 entries)
3024  spinstall.exe (2 entries)
-
Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process            procid_target
PID 1172 wrote to memory of 2280  1172  Process not Found  30
PID 1172 wrote to memory of 3024  1172  Process not Found  31
PID 1172 wrote to memory of 1520  1172  Process not Found  32
PID 1172 wrote to memory of 1260  1172  Process not Found  33
PID 1172 wrote to memory of 2812  1172  Process not Found  34
PID 1172 wrote to memory of 1496  1172  Process not Found  35
(each row is listed three times in the report, 18 IoCs in total)
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2264
-
C:\Windows\system32\spinstall.exe
command line: C:\Windows\system32\spinstall.exe
PID: 2280
-
C:\Users\Admin\AppData\Local\0l9H\spinstall.exe
command line: C:\Users\Admin\AppData\Local\0l9H\spinstall.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 3024
-
C:\Windows\system32\UI0Detect.exe
command line: C:\Windows\system32\UI0Detect.exe
PID: 1520
-
C:\Users\Admin\AppData\Local\1mu8nfV\UI0Detect.exe
command line: C:\Users\Admin\AppData\Local\1mu8nfV\UI0Detect.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1260
-
C:\Windows\system32\Netplwiz.exe
command line: C:\Windows\system32\Netplwiz.exe
PID: 2812
-
C:\Users\Admin\AppData\Local\M6H96Ry72\Netplwiz.exe
command line: C:\Users\Admin\AppData\Local\M6H96Ry72\Netplwiz.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1496
Network
MITRE ATT&CK Enterprise v15
Downloads