Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01/01/2025, 16:54
General
-
Target
JaffaCakes118_5cf81624d2492b71ae0f3d298eab1bab.dll
-
Size
572KB
-
MD5
5cf81624d2492b71ae0f3d298eab1bab
-
SHA1
a0e9537f9bcd84515c26c796cb5f4230b93cc6b6
-
SHA256
7e8108814cece759ca212c07585ac24abccacecf96c9527ab457b47642261099
-
SHA512
fd9a71f09eea3ce1d810b50e637a2bf52b0bacfa0746bdc6437402e973583cb0a74d92e9efde8e10bf567c29fb06df834661819bb9f9d256db8245be0f7be3a2
-
SSDEEP
12288:aehnaNPpSVZmNxRCwnwm3W3OHIIf5fIBlcjOQ/qqq9jW3+xkt:aeh0PpS6NxNnwYeOHXuBLQMVxkt
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 55 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf81624d2492b71ae0f3d298eab1bab.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf81624d2492b71ae0f3d298eab1bab.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3592 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 6083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 51121⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD530f59b20e935520badc298242cb4cff1
SHA100622b2054eb148a8459c2ccd0b22606c2d5c7f6
SHA2564a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c
SHA512f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21
-
Filesize
404B
MD500f9f3cb27b78a352abe67dd1c95442a
SHA1c69b78cdd6bf521f878af800c4069a6641c0816b
SHA2568e68b740aeb590c9074e5eaca6a83488e12e11c269caef8f38930998d5956771
SHA5122004e16bd9aee0361056ee9992ffd868565d68cca9a2943b6c978cf61ef32d1e99b0240b7bcf66963bd012c85da66c531422e8387797a206cdcef657b5f22aae
-
Filesize
5KB
MD5eaad97570f0253a7c34e5f271988093f
SHA14e90502cd2670e99d0f88bf7dc40a00400ed43cd
SHA256d12f919627d5966ea033f4977c8b5f29f0d587ef262378f0e6f92f6a5bc7d23b
SHA512297c61db3f248879a5ffe7867b75c460c6db258149a79b71cd8d22c39d6b396f43a31c40956ca7a59611c060cfd1c37a9f8d80d2ca10a3aed9bb1400a19d3b40
-
Filesize
3KB
MD54f1f7e611d386f3630c49e4d50e66d7a
SHA1bc162e24e571749407ac28ad41e873fd4f80d1e3
SHA256f43e53e00b43521042a6b812e6f73e70886407d4f4204e0e507bae9d8e627f08
SHA5123c002374dc220a67f501df5b9a871b5f2c42e12d530eb2200ab57f4ec847d5d5f58503a57821ddca4cac1103b032b6b829748efa8a73a98aa9fef58a6ed067d2
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
186KB
MD5d1cf33b3fb134d96475c1e6d3df0f341
SHA126cb92871856fc3e903e432e638cd09f7d64fca5
SHA25652515cc80821a94d293e12fa06b546b90e1c66dcfc7af74beacfb5e97ca2c6fa
SHA5121df8810ab5948813eefef7264c8dfb7b40f8ddb6f7d21ce203c4afef8ef28748fc80d3dc1560c16a05fcae543b8cd1e7655cd6102286accc6865c47b69ad54a1
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
132KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
232KB
-
Filesize
580KB
-
Filesize
580KB