Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2024, 06:07
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_07fd27c6fb75e536791b2ed198731580.dll
Resource: win7-20241010-en
General
- Target: JaffaCakes118_07fd27c6fb75e536791b2ed198731580.dll
- Size: 518KB
- MD5: 07fd27c6fb75e536791b2ed198731580
- SHA1: af8364513906b738a40be70c15b2d20d7407b53c
- SHA256: b76c839e5d5e62af94fb460ed05241699d19f60a3ec55dbf8b36e9728fd7322f
- SHA512: d4290bc52a59d6a7326a33ee5c5f18abf54cacea0e847709eeabab45d4cab378be44de0d3e8a051c51eb58e5b3861a5d711df4b81de036a592be3b45a13d94eb
- SSDEEP: 12288:g5nLZdcEFsC9xj7FC98/NbEDHHvKCyeFNRV7XNxNxftOoeBYR7YrbqFv:g5LZd9FsC9xj7898tEDHPKCyeFNRPxND
Malware Config
Signatures
- Ramnit family
- Executes dropped EXE (2 IoCs)
  pid   Process
  2408  rundll32Srv.exe
  1104  DesktopLayer.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2060  rundll32.exe
  2408  rundll32Srv.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                   Process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe   rundll32.exe
- yara_rule matches
  resource                                                                   yara_rule
  behavioral1/files/0x000e000000012267-3.dat                                 upx
  behavioral1/memory/2408-8-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  behavioral1/memory/2408-11-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1104-24-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1104-23-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1104-21-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2408-18-0x0000000000400000-0x000000000042E000-memory.dmp  upx
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                  Process
  File opened for modification  C:\Program Files (x86)\Microsoft\pxCED3.tmp          rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    rundll32Srv.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32Srv.exe
- Modifies Internet Explorer settings (28 IoCs)
  All ioc paths below are relative to \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\
  description       ioc                                                                    Process
  Key created       BrowserEmulation\LowMic                                                iexplore.exe
  Key created       IntelliForms                                                           iexplore.exe
  Key created       PageSetup                                                              iexplore.exe
  Set value (str)   Main\WindowsSearch\Version = "WS not running"                          iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                             iexplore.exe
  Key created       InternetRegistry                                                       iexplore.exe
  Key created       Zoom                                                                   iexplore.exe
  Key created       Recovery\AdminActive                                                   iexplore.exe
  Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created       Toolbar\WebBrowser                                                     iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"                                          iexplore.exe
  Key created       Main\WindowsSearch                                                     iexplore.exe
  Key created       Main                                                                   iexplore.exe
  Key created       GPU                                                                    iexplore.exe
  Key created       LowRegistry                                                            iexplore.exe
  Key created       LowRegistry\DOMStorage                                                 iexplore.exe
  Key created       Toolbar                                                                iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                             iexplore.exe
  Key created       SearchScopes                                                           iexplore.exe
  Set value (str)   Main\FullScreen = "no"                                                 iexplore.exe
  Set value (int)   DomainSuggestion\NextUpdateDate = "441787142"                          iexplore.exe
  Key created       IETld\LowMic                                                           iexplore.exe
  Key created       LowRegistry\DontShowMeThisDialogAgain                                  iexplore.exe
  Key created       Recovery\PendingRecovery                                               iexplore.exe
  Key created       Main                                                                   IEXPLORE.EXE
  Set value (int)   Recovery\AdminActive\{909FB971-C73D-11EF-B666-DEF96DC0BBD1} = "0"      iexplore.exe
  Set value (int)   SearchScopes\DownloadRetries = "2"                                     iexplore.exe
  Key created       DomainSuggestion                                                       iexplore.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1104  DesktopLayer.exe  (the same row is reported 4 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2108  iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  2108  iexplore.exe      (reported 2 times)
  2768  IEXPLORE.EXE      (reported 4 times)
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                        pid   Process           procid_target
  PID 1740 wrote to memory of 2060   1740  rundll32.exe      30   (reported 7 times)
  PID 2060 wrote to memory of 2408   2060  rundll32.exe      31   (reported 4 times)
  PID 2408 wrote to memory of 1104   2408  rundll32Srv.exe   32   (reported 4 times)
  PID 1104 wrote to memory of 2108   1104  DesktopLayer.exe  33   (reported 4 times)
  PID 2108 wrote to memory of 2768   2108  iexplore.exe      34   (reported 4 times)
Processes
(each entry is a child of the one above it; depth 1 to 6)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07fd27c6fb75e536791b2ed198731580.dll,#1
  PID: 1740
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07fd27c6fb75e536791b2ed198731580.dll,#1
    PID: 2060
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32Srv.exe
      Command line: C:\Windows\SysWOW64\rundll32Srv.exe
      PID: 2408
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 1104
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2108
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
            PID: 2768
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c1fb452cc015fd31bd2a7c4daa1848c4
  SHA1: 9b8c3bf25e492384231a99bfd3fd2ee924b3c629
  SHA256: 45faae8ce334b2dc81e3c6e76478c7cfdcb839cfdcc314497155371e9fcad7a2
  SHA512: 18cdc044d2bd42cdf4129551c2ccf643e509d80926f3416734cc9921528f7b91f00682e87212ee7880e0b0674503819c0e9d719668eca715c721d7cdb1fa15d1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 47eaeb2fa53f4b22d118b78814ec8235
  SHA1: 9d979fbbe7d4c121bf3f2654ae6b29a4be0cc207
  SHA256: dd94bb42001cd3f44ea7e5cbd6e876d6f5e3fe2d1b050d7158d97a9b7d9c09d4
  SHA512: 9e13b4f9ba30fd95a6d81983d054caf22eb80fcd2acff9359e6eda0b0fdef14d86a86fcd040ef5f42dfa66e7b7a17f13e6a13972dddf33095d0d88bbe905ecd3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 68060a81d597f5d7d1083d6c2c33ee08
  SHA1: ea5199526dbd46f37980310a91e42a50031d525b
  SHA256: ef146c2b4222ef66dd79bd352feb3102cac116050f4cfeec3ff3f74641a47368
  SHA512: 62dae26bd9c61b3da23e3369536499e0a21f96ddc5f8dcf0520be1e0e8da600ef371aebf92bb6f769b7127f4ea7a51fcfd43092eeb2026b0b4515e2df87f5fbd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7a7524d7b5e2f545b64b89da16c93f7d
  SHA1: 6b8794361a874ac27cbce10c2e625e8844cc0347
  SHA256: 31b50d4b267360520c0397d344fe191cafd47fff8ce53ed2183a40e6ce52ead5
  SHA512: 28881632926eb920cb3145a0785683972225c5068ffbf8847e1100a1da94e01002d08ef3d68e88afd41716d07688b2f4d5ab96c1ec64a4848a07b18213b03cd2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a426b599b8797f71862a28b582b751b8
  SHA1: 1d9d96550cefecf5077b3a6ec19e0679555b760c
  SHA256: e978dd25db57a74025c5cd42cdf9e4266b8adcdad4ed8eee8d4485867023eff7
  SHA512: 4faf9d0ff7b8d7edfae5a84e8b8f93c4f7f74572c5994135678b40acf9506b96d9916b6d1d92519f0e63104ed2ccb58dab37d43a74a1a956f6309eb62b684c1b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 08572eef857ce2657502ae598d11998e
  SHA1: 98211a688ded426fac68725fb8b6033488961e6a
  SHA256: b4d46aba331b683fb66408d732cfd1ce99dabb3ce64f5d3ea4688d266fe42669
  SHA512: 42da301c39abd5d52f94d9730d4696910d9d6522655df6d1bb41d8ea7c03f4d40020b4d671a4cf27caeb4405da73fa4220c58bf64c34148eb03eda9f7b6aa948
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4319397ed1ffea677d6fd3427069ce4d
  SHA1: 39e212b7f0f7f34c0e106a58f390cb9b989a2e20
  SHA256: 30223291f8c1293115d28aae430d3cc98a9c8f3e108354efa5eae98e5f65df17
  SHA512: 873b7b2ac50b9b51965feb4312acdf0ab1e57cadb0a82a6fa1861d8cb16967efa4029b48dfad270589634cc0149993399b763d6a51806dbac85f192ed2c0e9e2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 656a4c9c97ec7a1ed6600e6547760b75
  SHA1: 095b02c426cd0f01d328921c8c774c563f9d7d34
  SHA256: 6e08a168ab9d379cb34b57df09db15a974327eeb15af271972b86c39e1833d8a
  SHA512: 57cdf804e59b70b06a8f329c263c9a80533d580d5e167115d42b7a8a8b57e2bab4731d08a5ec8299c6a10f672950fb2c7fb107f0c70a22d5132508894ef9a2e4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6825c979f2e3b8742dfc7b5ff4c7be47
  SHA1: 749c9e3ff2a6441b506ec03b8a2eea28576641eb
  SHA256: 05f002fe96ad3597ae952b8c97c5c9289d8827d1d843ee40ab86165cd3e5c9bd
  SHA512: 5076b5c768695d73e7ee78858e3f81a4ace5d2139779060114ef0ec82c4341f9b5c5ae3ca0da6ab699788a929d16b6b3c6b3a517193ba53dd109d0c5cb90ca10
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bf9adaed8bee881983f2ca64b45756cb
  SHA1: 93e745cd93c8a14825ccb908d57acf29d5832a5d
  SHA256: 0a25611d8a28e88131f9a61e03a03d1c8fe300abc41462da9d2befa65aba054d
  SHA512: 0714c48a0160c42cb238759eacd119a8c1046aca680d3404fec4db6f4a4aa3019329145a77c7225ced6befa6e5c5a863d04bea30a01653ec8bf958003eb87e26
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a93578657ece35a319743a8c2101db0c
  SHA1: d7da0415285c3ba3f2f9e16804d95ffd8356cf39
  SHA256: 77648f2b57b30e8c8cb2fb4bc4d0485c3f4ec77ede5f1364106168b1604bead0
  SHA512: 38717bfb752fddca62a78dd1ed072b9452fd567f80f4238f8be8fe477049c2a0c32675e3a35d8e20f66a233d2ec15f31942aa5c63a172e720c02a9b377fe2c06
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3ff9f0b4b4eda6b97e5bb11f63f96178
  SHA1: 69d2ddcf397d4e4a6c307d2fe63d2eb6feda1d93
  SHA256: 748c142acf2d9b43b600edb9f065f16d6ac3824545e377d4bb2bd810d4b57e38
  SHA512: c970a7da2b32d0cd0d2ab25dc649585dd2608e6df324f166a35e1dc86e37e30b97ea90b7b71b7d16b9acfbc0320bc1fe90c4c01a74b80991ef56c0b0d3a2c42b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d6ba34409f32de2ee1c8a15ddd43469e
  SHA1: ded9e894c934cee6e53b2b17dab934a0cec8ff0c
  SHA256: 1438a3c20663890cef5d18ecbf0ce41b5b9031664384f58635c6ac1cdc81d324
  SHA512: fcb01b5d7501b40468aa0cc34fc4fc792c1f6388001a855d7e2a796b298e4439589d558930a0974a401321b3e5eae97fdc386b0fbdd445a5353b66ca7b7fa8b2
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a