Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/01/2025, 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe
-
Size
73KB
-
MD5
482aef37f51ece3e4253bd0360fd3b31
-
SHA1
b22a1a190c698226aa868ec4901f841ea224e77f
-
SHA256
713baf2ec55a14db2f2d30ba3729a24100ef2bdfcb2cd3b9bda4b2dbc35105d6
-
SHA512
e2dafb7822b912a5afae72cce2de18ae10acd6c0b83f40a4d0d21b72a63cc1dc7e8ec908b05f267af730d53b836c42863b51d55abdb98db2ebffe48cf58d2065
-
SSDEEP
768:JQxkwifBsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2Y:J8kwilTEhU4HDa1KkjWXUa21mc/Mue9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2784 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2144-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2784-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2784-57-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2784-566-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javafx-iio.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libadummy_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe svchost.exe File opened for modification C:\Program Files\Internet Explorer\F12Tools.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadrh15.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\More Games\MoreGames.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmpnscfg.exe svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\F12.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\lgpllibs.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\wlsrvc.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwdui.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL svchost.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\libxslt.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2784 WaterMark.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2784 WaterMark.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2784 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 2784 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe 30 PID 2144 wrote to memory of 2784 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe 30 PID 2144 wrote to memory of 2784 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe 30 PID 2144 wrote to memory of 2784 2144 JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe 30 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2008 2784 WaterMark.exe 31 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2784 wrote to memory of 2624 2784 WaterMark.exe 32 PID 2624 wrote to memory of 256 2624 svchost.exe 1 PID 2624 wrote to memory of 256 2624 svchost.exe 1 PID 2624 wrote to memory of 256 2624 svchost.exe 1 PID 2624 wrote to memory of 256 2624 svchost.exe 1 PID 2624 wrote to memory of 256 2624 svchost.exe 1 PID 2624 wrote to memory of 336 2624 svchost.exe 2 PID 2624 wrote to memory of 336 2624 svchost.exe 2 PID 2624 wrote to memory of 336 2624 svchost.exe 2 PID 2624 wrote to memory of 336 2624 svchost.exe 2 PID 2624 wrote to memory of 336 2624 svchost.exe 2 PID 2624 wrote to memory of 384 2624 svchost.exe 3 PID 2624 wrote to memory of 384 2624 svchost.exe 3 PID 2624 wrote to memory of 384 2624 svchost.exe 3 PID 2624 wrote to memory of 384 2624 svchost.exe 3 PID 2624 wrote to memory of 384 2624 svchost.exe 3 PID 2624 wrote to memory of 392 2624 svchost.exe 4 PID 2624 wrote to memory of 392 2624 svchost.exe 4 PID 2624 wrote to memory of 392 2624 svchost.exe 4 PID 2624 wrote to memory of 392 2624 svchost.exe 4 PID 2624 wrote to memory of 392 2624 svchost.exe 4 PID 2624 wrote to memory of 432 2624 svchost.exe 5 PID 2624 wrote to memory of 432 2624 svchost.exe 5 PID 2624 wrote to memory of 432 2624 svchost.exe 5 PID 2624 wrote to memory of 432 2624 svchost.exe 5 PID 2624 wrote to memory of 432 2624 svchost.exe 5 PID 2624 wrote to memory of 476 2624 svchost.exe 6 PID 2624 wrote to memory of 476 2624 svchost.exe 6 PID 2624 wrote to memory of 476 2624 svchost.exe 6 PID 2624 wrote to memory of 476 2624 svchost.exe 6 PID 2624 wrote to memory of 476 2624 svchost.exe 6 PID 2624 wrote to memory of 492 2624 svchost.exe 7 PID 2624 wrote to memory of 492 2624 svchost.exe 7 PID 2624 wrote to memory of 492 2624 svchost.exe 7 PID 2624 wrote to memory of 492 2624 svchost.exe 7 PID 2624 wrote to memory of 492 2624 svchost.exe 7 PID 2624 wrote to memory of 500 2624 svchost.exe 8 PID 2624 wrote to memory of 500 2624 svchost.exe 8 PID 2624 wrote to memory of 500 2624 svchost.exe 8 PID 2624 wrote to memory of 500 2624 svchost.exe 8 PID 2624 wrote to memory of 500 2624 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:612
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1532
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:352
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:496
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:692
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:772
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:820
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1172
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:864
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:284
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:356
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1064
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1104
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:768
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2080
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2932
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_482aef37f51ece3e4253bd0360fd3b31.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2008
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize160KB
MD5cb87be8e628baccb999611f33ba75828
SHA17ef3d9aed8bee7379438b243354e4adca7ea4e76
SHA256f85e523b2fb5514ca7f32109ed09f48f525c6cf2c49fdf43d0ea822db9ae4e44
SHA5125280dceab0c6740b3b153db1677bff36185a33b3eb82df644847ea4289073197fc317d6882702037bdd994193a9ce610235689518990d7effe5c1131c8dd4e3d
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize156KB
MD5f6264ca62ed1bfefb66f8c4358e78aa0
SHA153de44fba439f33760bd59f4853dd487a065a46c
SHA2562e9733bd47e10af4ec73e1c99c998a3872e490afbb5a25755833b57df5d7a999
SHA5125c4155fa2e007cba8be9c787f792b3ce301ea76cf5157f1796eddb7b38211baa7e3ae003a0a458bdafc01257320968efdf9a74e04cef0a3e6197f089c475a6c2
-
Filesize
73KB
MD5482aef37f51ece3e4253bd0360fd3b31
SHA1b22a1a190c698226aa868ec4901f841ea224e77f
SHA256713baf2ec55a14db2f2d30ba3729a24100ef2bdfcb2cd3b9bda4b2dbc35105d6
SHA512e2dafb7822b912a5afae72cce2de18ae10acd6c0b83f40a4d0d21b72a63cc1dc7e8ec908b05f267af730d53b836c42863b51d55abdb98db2ebffe48cf58d2065