Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2025, 02:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_62110f9f0a012c01928c8ef91393794e.dll
- Resource: win7-20240729-en
General
- Target: JaffaCakes118_62110f9f0a012c01928c8ef91393794e.dll
- Size: 260KB
- MD5: 62110f9f0a012c01928c8ef91393794e
- SHA1: bae0d181461204d9fcf968cf83947439c577edf3
- SHA256: 7f7fe1795449083d02818dade798dcbebbf7a44e792b20ce5d1050b4aa0e479b
- SHA512: 8b6e3c1af11746b38a47c8c49dc175995e69a39f714076092be68aa0af4eabf7dd5a7af18a3bb035db58f76f4edf6224de7237bf6d44c517d731bd5a88d2742b
- SSDEEP: 3072:+m07c4fHCp/AZX/AGUBUpV7Os2kKerYVSrfishHwJjocVFEnT2XDd48bf29UV6:U7dHCc/ASsad1rasdUVUT2TTf2B
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1704  regsvr32mgr.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  2596  regsvr32.exe
  2596  regsvr32.exe
  2056  WerFault.exe
  2056  WerFault.exe
  2056  WerFault.exe
  2056  WerFault.exe
  2056  WerFault.exe
  2056  WerFault.exe
  2056  WerFault.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                   Process
  File created  C:\Windows\SysWOW64\regsvr32mgr.exe   regsvr32.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2056  1704        WerFault.exe  30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32mgr.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process          procid_target
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2140 wrote to memory of 2596   2140  regsvr32.exe     29
  PID 2596 wrote to memory of 1704   2596  regsvr32.exe     30
  PID 2596 wrote to memory of 1704   2596  regsvr32.exe     30
  PID 2596 wrote to memory of 1704   2596  regsvr32.exe     30
  PID 2596 wrote to memory of 1704   2596  regsvr32.exe     30
  PID 1704 wrote to memory of 2056   1704  regsvr32mgr.exe  31
  PID 1704 wrote to memory of 2056   1704  regsvr32mgr.exe  31
  PID 1704 wrote to memory of 2056   1704  regsvr32mgr.exe  31
  PID 1704 wrote to memory of 2056   1704  regsvr32mgr.exe  31
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62110f9f0a012c01928c8ef91393794e.dll
  PID: 2140
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 2140)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62110f9f0a012c01928c8ef91393794e.dll
    PID: 2596
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32mgr.exe (child of PID 2596)
      Command line: C:\Windows\SysWOW64\regsvr32mgr.exe
      PID: 1704
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (child of PID 1704)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 92
        PID: 2056
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 54KB
  MD5: fba9053e3a7f286a68a072f5d1b57b42
  SHA1: 19c4800e8de1e83ff7bf0b96a96563e8430ce9f3
  SHA256: 5675295a26c3839803fd25fb667f2be09c2b6bf3412202a09c3dfc9a46eb4ca4
  SHA512: ee53bbd9531801df780279da49bd34863513db67fbacbd6b0abb844d02cb76f5e86ed39ad28585b27aa42d3659a8fc9f3d1459f92f81eca970e69bac7c403c64