Analysis
max time kernel: 136s
max time network: 129s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2025, 02:43
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll
Resource: win7-20241010-en
General
Target: JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll
Size: 358KB
MD5: f4de3d851eb7dd7c361282901a5fa088
SHA1: 9d8905df11662f6c1b4f39af47c1c8bb391f81c7
SHA256: ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9
SHA512: 7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd
SSDEEP: 6144:mm8HFmf2Ee5apzeJ4DSY7Dh6LUr+nxQNBO0fS:GjEuuDC1o
Malware Config
Extracted
qakbot
402.343
tr
1632730751
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Qakbot family

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ymcpd = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ihriiknez = "0" | reg.exe
Loads dropped DLL 1 IoCs
pid | Process
2820 | regsvr32.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies data under HKEY_USERS 10 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\4a156683 = daf76550375ec7276a7b86ce6783aacaf40598221ec526a5e214dd | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\8fa14e6c = af74beb4707fe81a9bfcb51ac51c78e50f0a3d8cceb653e1e581dd2c9538fad311c65369d6c6c3b1fa9724c38d9bbcb492fd32879731e4dc5df0244f99db5760dd3222b3ab6c | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\f0e8219a = e9a9f4db06acec4235c3123f9aad545bb876261eb43fb7a39514beea27743d4806e47d8275f83f39dcbf05 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\7dcb96b1 = 335e5c4badb171806f20acaa996497ca2abc364115063ac45df836b5c4a698baea199392f436cc01faaf | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\485446ff = 6b6c3c4bf6232a516a30a80800e4433b527eddc04a3f3a99cf1ae9c948c2746cc427b232fcf7dc95ddba9fa5c5671301709d4ab4dc08663c96afa8338108faebdf7826c4448b316bf644f1fb3736c6c5443b01faaca63e3137c73c0614350a28f5ad27509a361f1e1d27cb68ea9a51d34435e9bd | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\371d2909 = f93c6a9fc0211c0e4b6d6c22478d81579db45ebf23b287f1981591ceda895d9f61b4c02bdee7db644c3bc01e7cebd4f92043e53334fb443d4bb79e49c418690c776559bc29e4cff5c2a8db4e28861188636f8ecfcdccf5c5bc8370ab2f556760cd61a648c9d9f7f59a779c | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\282f947 = af3b03bf2d9a5b20b8f230427e7dcffcf6 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\7dcb96b1 = 335e4b4badb14480478c31cea03c065fde209f03ea5c58733b8f9a6fc05b3c8c9d417fe74e3081b4c6323f1180d8f5515bc6fe197748374f12cb160b31811c | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uizrrvguucki | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\f2a901e6 = dccc74586c1868467ef541872c9abc50b5c5b7c14482fc98ba0376b3974c1095255563f1eece147ee1f81868bfbb320bbac6c28ccba05682aeb42a93dad3d7144b620834bccba6f80f00e806e63074ec4e437c87ef7198b5bcb005a466b0b4b2c4c035eab0a38ef1af23 | explorer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1980 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1268 | rundll32.exe
2820 | regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
1268 | rundll32.exe
2820 | regsvr32.exe
Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target | occurrences
PID 1300 wrote to memory of 1268 | 1300 | rundll32.exe | 30 | 7
PID 1268 wrote to memory of 1796 | 1268 | rundll32.exe | 31 | 6
PID 1796 wrote to memory of 1980 | 1796 | explorer.exe | 32 | 4
PID 2648 wrote to memory of 2728 | 2648 | taskeng.exe | 36 | 5
PID 2728 wrote to memory of 2820 | 2728 | regsvr32.exe | 37 | 7
PID 2820 wrote to memory of 1388 | 2820 | regsvr32.exe | 38 | 6
PID 1388 wrote to memory of 1352 | 1388 | explorer.exe | 39 | 4
PID 1388 wrote to memory of 1648 | 1388 | explorer.exe | 41 | 4
Processes

C:\Windows\system32\rundll32.exe (PID 1300)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1268)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 1796)
      command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 1980)
        command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oxdtxvlq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll\"" /SC ONCE /Z /ST 02:45 /ET 02:57
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe (PID 2648)
  command line: taskeng.exe {BFD0FAF1-31B5-448B-B5C8-2FF418B1AFEE} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe (PID 2728)
    command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 2820)
      command line: -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (PID 1388)
        command line: C:\Windows\SysWOW64\explorer.exe
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 1352)
          command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ymcpd" /d "0"
          - Windows security bypass
        C:\Windows\system32\reg.exe (PID 1648)
          command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ihriiknez" /d "0"
          - Windows security bypass
MITRE ATT&CK Enterprise v15