Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 11/12/2024, 08:13
Static task: static1
Behavioral task: behavioral1
Sample: e095a92627d97f748616bcf4643facac_JaffaCakes118.dll
Resource: win7-20240729-en
General
Target: e095a92627d97f748616bcf4643facac_JaffaCakes118.dll
Size: 120KB
MD5: e095a92627d97f748616bcf4643facac
SHA1: 3b0a78fd998a23fd51f69884e2e294b21ee9e722
SHA256: 3e5d723d2671fa761cc9fe681929ed6ffd2a4cb9b6f24be0b9f06c8adc15af88
SHA512: 81c514755449a8eefee5cc04c81efad05734bc582c9e2cc757ae2f2d343e7966b11cc032b4f42ebcc3517a681eb89dd5395cd012451e57b56e525838010c6ccc
SSDEEP: 3072:xlqdfRCFbxOD0dFONaI4HIpboGCYuWn5OLn/:xno0mNv4opboG+C52/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7720e9.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772368.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772368.exe
Executes dropped EXE (3 IoCs)
pid | Process
2720 | f7720e9.exe
2700 | f772368.exe
3036 | f773cb2.exe
Loads dropped DLL (6 IoCs)
pid | Process
2268 | rundll32.exe
2268 | rundll32.exe
2268 | rundll32.exe
2268 | rundll32.exe
2268 | rundll32.exe
2268 | rundll32.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f772368.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7720e9.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7720e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772368.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | f7720e9.exe
File opened (read-only) | \??\J: | f7720e9.exe
File opened (read-only) | \??\O: | f7720e9.exe
File opened (read-only) | \??\Q: | f7720e9.exe
File opened (read-only) | \??\H: | f7720e9.exe
File opened (read-only) | \??\I: | f7720e9.exe
File opened (read-only) | \??\L: | f7720e9.exe
File opened (read-only) | \??\M: | f7720e9.exe
File opened (read-only) | \??\N: | f7720e9.exe
File opened (read-only) | \??\G: | f7720e9.exe
File opened (read-only) | \??\K: | f7720e9.exe
File opened (read-only) | \??\S: | f7720e9.exe
File opened (read-only) | \??\E: | f7720e9.exe
File opened (read-only) | \??\R: | f7720e9.exe
resource | yara_rule
behavioral1/memory/2720-12-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-18-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-15-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-14-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-26-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-21-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-20-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-19-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-17-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-16-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-62-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-63-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-64-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-65-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-67-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-68-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-69-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-82-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-83-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-87-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-88-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2720-151-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2700-153-0x00000000009B0000-0x0000000001A6A000-memory.dmp | upx
behavioral1/memory/2700-187-0x00000000009B0000-0x0000000001A6A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f7720e9.exe
File created | C:\Windows\f7772cf | f772368.exe
File created | C:\Windows\f772175 | f7720e9.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7720e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f772368.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2720 | f7720e9.exe
2720 | f7720e9.exe
2700 | f772368.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
All 45 entries are the same token adjustment, split between the two dropped executables:
Token: SeDebugPrivilege | 2720 | f7720e9.exe (repeated)
Token: SeDebugPrivilege | 2700 | f772368.exe (repeated)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2668 wrote to memory of 2268 | 2668 | rundll32.exe | 30
PID 2268 wrote to memory of 2720 | 2268 | rundll32.exe | 31
PID 2268 wrote to memory of 2720 | 2268 | rundll32.exe | 31
PID 2268 wrote to memory of 2720 | 2268 | rundll32.exe | 31
PID 2268 wrote to memory of 2720 | 2268 | rundll32.exe | 31
PID 2720 wrote to memory of 1052 | 2720 | f7720e9.exe | 18
PID 2720 wrote to memory of 1160 | 2720 | f7720e9.exe | 20
PID 2720 wrote to memory of 1180 | 2720 | f7720e9.exe | 21
PID 2720 wrote to memory of 1468 | 2720 | f7720e9.exe | 23
PID 2720 wrote to memory of 2668 | 2720 | f7720e9.exe | 29
PID 2720 wrote to memory of 2268 | 2720 | f7720e9.exe | 30
PID 2720 wrote to memory of 2268 | 2720 | f7720e9.exe | 30
PID 2268 wrote to memory of 2700 | 2268 | rundll32.exe | 32
PID 2268 wrote to memory of 2700 | 2268 | rundll32.exe | 32
PID 2268 wrote to memory of 2700 | 2268 | rundll32.exe | 32
PID 2268 wrote to memory of 2700 | 2268 | rundll32.exe | 32
PID 2268 wrote to memory of 3036 | 2268 | rundll32.exe | 33
PID 2268 wrote to memory of 3036 | 2268 | rundll32.exe | 33
PID 2268 wrote to memory of 3036 | 2268 | rundll32.exe | 33
PID 2268 wrote to memory of 3036 | 2268 | rundll32.exe | 33
PID 2720 wrote to memory of 1052 | 2720 | f7720e9.exe | 18
PID 2720 wrote to memory of 1160 | 2720 | f7720e9.exe | 20
PID 2720 wrote to memory of 1180 | 2720 | f7720e9.exe | 21
PID 2720 wrote to memory of 1468 | 2720 | f7720e9.exe | 23
PID 2720 wrote to memory of 2700 | 2720 | f7720e9.exe | 32
PID 2720 wrote to memory of 2700 | 2720 | f7720e9.exe | 32
PID 2720 wrote to memory of 3036 | 2720 | f7720e9.exe | 33
PID 2720 wrote to memory of 3036 | 2720 | f7720e9.exe | 33
PID 2700 wrote to memory of 1052 | 2700 | f772368.exe | 18
PID 2700 wrote to memory of 1160 | 2700 | f772368.exe | 20
PID 2700 wrote to memory of 1180 | 2700 | f772368.exe | 21
PID 2700 wrote to memory of 1468 | 2700 | f772368.exe | 23
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772368.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7720e9.exe
Processes
[depth 1] C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID:1052
[depth 1] C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID:1160
[depth 1] C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:1180
[depth 2] C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e095a92627d97f748616bcf4643facac_JaffaCakes118.dll,#1  PID:2668
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e095a92627d97f748616bcf4643facac_JaffaCakes118.dll,#1  PID:2268
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f7720e9.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f7720e9.exe  PID:2720
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f772368.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f772368.exe  PID:2700
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f773cb2.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f773cb2.exe  PID:3036
            - Executes dropped EXE
[depth 1] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1468
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
Filesize: 257B
MD5: 337667276b1d59c04c9e2cd9ed8f593d
SHA1: 399f34f2390d24edc3e38277a1e2d5a6f9c7807b
SHA256: e2b281190d9bbf28faf66fadbd468308abff201b7918bb8ce9a716c244392960
SHA512: 07e1157f0a08a9172c958190ab7d9c8fc6e1953b07d0e849b38547b619b31ad83fd0d1815937ed47fa91900b933a33f897f4221d061c64ece7d39975ce7cb884

Filesize: 97KB
MD5: c4df1617d0df36fd155247a6615e6e80
SHA1: 7c918d4692fcf11a741baf284770ae76622b4288
SHA256: ba4659a660f39c5861dc61ac9a149ac2e4b7c55d50d88b45fd86b0c5f0ceaba8
SHA512: 8eb62138d691fbe1c560c7ebda2188aeb9d475b5b2d759214878f44b83fa8ef986d11b2dcbe487d708a864c6c3ab5062e366f5f6a9cff1689066da2a7ca1992a