Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/10/2024, 14:05
Static task: static1
Behavioral task: behavioral1
- Sample: 66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: 66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll
- Size: 800KB
- MD5: 66f1c60cbffe0d19f4b0459ef14628ab
- SHA1: a1a37181f922c11159a5ea45272973e85563c7bc
- SHA256: 45e0689c0505e4d32d651eeabac3c15072558c57fa8ed3403bdc3ffbb7197f2a
- SHA512: bf87f0a585bc271b99d3b4d2b966a40b70b147646489a730700f6ecd5fe095040ad0334955ff0845c00e6625e91a2726122b40f9a75530dcdfde7efef595b446
- SSDEEP: 12288:HdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:9MIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
yara_rule dridex_stager_shellcode 1 IoCs
- behavioral1/memory/1152-4-0x0000000002E80000-0x0000000002E81000-memory.dmp

yara_rule dridex_payload 10 IoCs
- behavioral1/memory/1792-1-0x0000000140000000-0x00000001400C8000-memory.dmp
- behavioral1/memory/1152-44-0x0000000140000000-0x00000001400C8000-memory.dmp
- behavioral1/memory/1792-50-0x0000000140000000-0x00000001400C8000-memory.dmp
- behavioral1/memory/1152-56-0x0000000140000000-0x00000001400C8000-memory.dmp
- behavioral1/memory/1152-57-0x0000000140000000-0x00000001400C8000-memory.dmp
- behavioral1/memory/1468-73-0x0000000140000000-0x00000001400FC000-memory.dmp
- behavioral1/memory/1468-77-0x0000000140000000-0x00000001400FC000-memory.dmp
- behavioral1/memory/1760-90-0x0000000140000000-0x00000001400C9000-memory.dmp
- behavioral1/memory/1760-94-0x0000000140000000-0x00000001400C9000-memory.dmp
- behavioral1/memory/3048-111-0x0000000140000000-0x00000001400C9000-memory.dmp
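The memory-dump names above encode where each rule fired: process id, dump sequence number, and the start and end address of the region. As an added example (not part of the Triage report or of tria.ge's tooling), the following Python parses those names, groups the hits by rule and process, and singles out regions that sit at exactly 0x140000000. The hit list is copied from the table above; reading a region at that address as a PE that was manually mapped at its preferred base is an interpretation, not something the report states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the (rule, resource) pairs from the signature table above.
HITS = [
    ("dridex_stager_shellcode", "behavioral1/memory/1152-4-0x0000000002E80000-0x0000000002E81000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1792-1-0x0000000140000000-0x00000001400C8000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1152-44-0x0000000140000000-0x00000001400C8000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1792-50-0x0000000140000000-0x00000001400C8000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1152-56-0x0000000140000000-0x00000001400C8000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1152-57-0x0000000140000000-0x00000001400C8000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1468-73-0x0000000140000000-0x00000001400FC000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1468-77-0x0000000140000000-0x00000001400FC000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1760-90-0x0000000140000000-0x00000001400C9000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/1760-94-0x0000000140000000-0x00000001400C9000-memory.dmp"),
    ("dridex_payload", "behavioral1/memory/3048-111-0x0000000140000000-0x00000001400C9000-memory.dmp"),
]

# Resource name layout as it appears on the page: <pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Default preferred ImageBase of 64-bit PE files produced by the Microsoft linker.
DEFAULT_X64_IMAGE_BASE = 0x140000000
PAGE = 0x1000


@dataclass(frozen=True)
class Region:
    rule: str
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_hit(rule: str, resource: str) -> Region:
    """Turn one (rule, dump resource) pair into a Region; reject malformed names."""
    m = DUMP_RE.search(resource)
    if m is None:
        raise ValueError(f"not a Triage memory dump name: {resource!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible region bounds in {resource!r}")
    return Region(rule, int(m["pid"]), int(m["seq"]), start, end)


def parse_hits(hits) -> list:
    return [parse_hit(rule, res) for rule, res in hits]


def pids_by_rule(regions) -> dict:
    """Which processes each rule fired in, i.e. how far the payload spread."""
    out = defaultdict(set)
    for r in regions:
        out[r.rule].add(r.pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


def likely_mapped_images(regions) -> list:
    """Regions at exactly the default x64 ImageBase and larger than a few pages.

    A module loaded by the OS loader lands wherever the loader (and ASLR) puts it.
    Hostile code at exactly 0x140000000 in several unrelated processes is consistent
    with a PE mapped by hand at its preferred base so no relocations were needed.
    (Interpretation for this example, not a statement from the report.)
    """
    return [r for r in regions if r.start == DEFAULT_X64_IMAGE_BASE and r.size >= 16 * PAGE]


def distinct_image_sizes(regions) -> set:
    return {r.size for r in likely_mapped_images(regions)}


if __name__ == "__main__":
    regs = parse_hits(HITS)
    print(pids_by_rule(regs))
    for r in likely_mapped_images(regs):
        print(f"pid {r.pid:>5} seq {r.seq:>3} base {r.start:#x} size {r.size:#x} ({r.size // 1024} KB)")
```

Two things fall out of the numbers: the payload rule fires at the same base in five processes, and the three distinct region sizes (0xC8000, 0xFC000, 0xC9000) are exactly 800 KB, 1008 KB and 804 KB, which match the size of the submitted DLL and two of the file sizes in the Downloads section below, as you would expect if whole DLL images were mapped at their preferred base.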
Executes dropped EXE 3 IoCs
pid   Process
1468  Utilman.exe
1760  p2phost.exe
3048  SystemPropertiesHardware.exe
Loads dropped DLL 7 IoCs
pid   Process
1152  Process not Found
1468  Utilman.exe
1152  Process not Found
1760  p2phost.exe
1152  Process not Found
3048  SystemPropertiesHardware.exe
1152  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\GMhS\\p2phost.exe"
- Process: Process not Found
Checks whether UAC is enabled 4 IoCs
- description: Key value queried
- ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Process: rundll32.exe, Utilman.exe, p2phost.exe, SystemPropertiesHardware.exe (one query each)
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process             occurrences
1792  rundll32.exe        3
1152  Process not Found   60
1468  Utilman.exe         1
Suspicious use of WriteProcessMemory 18 IoCs
Every write originates from PID 1152, which the sandbox lists as "Process not Found" because it could not resolve the image name. The same PID loads the dropped DLLs and sets the Run key above, and it does not appear in the process tree below. Each target received three writes.
pid   Process            procid_target  description
1152  Process not Found  30             PID 1152 wrote to memory of 2852 (C:\Windows\system32\Utilman.exe)
1152  Process not Found  31             PID 1152 wrote to memory of 1468 (AppData\Local\S7qCdw\Utilman.exe)
1152  Process not Found  33             PID 1152 wrote to memory of 1568 (C:\Windows\system32\p2phost.exe)
1152  Process not Found  34             PID 1152 wrote to memory of 1760 (AppData\Local\BAeu1\p2phost.exe)
1152  Process not Found  35             PID 1152 wrote to memory of 3060 (C:\Windows\system32\SystemPropertiesHardware.exe)
1152  Process not Found  36             PID 1152 wrote to memory of 3048 (AppData\Local\U9dNc\SystemPropertiesHardware.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1792)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\Utilman.exe (PID 2852)
  command line: C:\Windows\system32\Utilman.exe
- C:\Users\Admin\AppData\Local\S7qCdw\Utilman.exe (PID 1468)
  command line: C:\Users\Admin\AppData\Local\S7qCdw\Utilman.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\p2phost.exe (PID 1568)
  command line: C:\Windows\system32\p2phost.exe
- C:\Users\Admin\AppData\Local\BAeu1\p2phost.exe (PID 1760)
  command line: C:\Users\Admin\AppData\Local\BAeu1\p2phost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesHardware.exe (PID 3060)
  command line: C:\Windows\system32\SystemPropertiesHardware.exe
- C:\Users\Admin\AppData\Local\U9dNc\SystemPropertiesHardware.exe (PID 3048)
  command line: C:\Users\Admin\AppData\Local\U9dNc\SystemPropertiesHardware.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Event Triggered Execution (T1546): 1
  - Accessibility Features (T1546.008): 1
Downloads
- Filesize: 804KB
  MD5: 2f9e155cd46ebc1a2eda4e0ad6b61dc7
  SHA1: 11a07a81dc8be42118199ac622822cbe797eb5b3
  SHA256: 2ae2549a123c8cf25c8b53713f748148ec3fce2a02b850e238423de79a55957a
  SHA512: 3cad872f64cb258a4a92f62c57ee118775b2cca0a8256771de23f0e0deef1826d110d21b2f551cb9d4c0330cdd33eea902ead0ebad81c80b167ef18fea0c20ec
- Filesize: 1008KB
  MD5: bcb9270d71a7fe2587e0cc41e72b7a18
  SHA1: 055db1f5ee33bde737eba4b5655f8399b1039e46
  SHA256: ec35ca39c07a57289bc815ba90c42d1c6641850c26a63465d6d8e6c52852d930
  SHA512: a3249c15a8f8a9f06c9f7ef3c9c15993a4915188de8975aa2bbf3581fa270fc6b7eb56aa9ef296197a0db89a30c2855ca7ea4fde46205feec4dc3c03121c72e4
- Filesize: 804KB
  MD5: 046484b36ae189890e780b34d93577a0
  SHA1: 5f3cba7cf1e99754c8d2edf674a8e187052fac1f
  SHA256: 0539eed267e9587475ce7c02603f69c31b0510db6d177e481df2cf11dab83f19
  SHA512: edda9bfa17c31b4b3d7278c0bd18af4831b5396919f28111a6718d47860187b841035231b1be2f3772c292ad0ee9206a88678f846655aaede2db0bc28ced86b6
- Filesize: 1KB
  MD5: 98355e05afb151507fbc4e509f188f0d
  SHA1: c5fdbaab239b4045706174d53f9d61f1630a0f06
  SHA256: 8ad1931f9296b65f902100102d7f5222aa7a241396a274ec29e0b0fa82a991ec
  SHA512: 7d1a4952ee67fb96e2649b62b67bd42f634a289fa280364769c0cd19902e56a3fe24259343b09a6da2bf53501f969d229a02936d68f1627d0b1f44b746b37e1d
- Filesize: 172KB
  MD5: 0dbd420477352b278dfdc24f4672b79c
  SHA1: df446f25be33ac60371557717073249a64e04bb2
  SHA256: 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345
  SHA512: 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1
- Filesize: 1.3MB
  MD5: 32c5ee55eadfc071e57851e26ac98477
  SHA1: 8f8d0aee344e152424143da49ce2c7badabb8f9d
  SHA256: 7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea
  SHA512: e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975
- Filesize: 80KB
  MD5: c63d722641c417764247f683f9fb43be
  SHA1: 948ec61ebf241c4d80efca3efdfc33fe746e3b98
  SHA256: 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
  SHA512: 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be