Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 01:39
Behavioral task
behavioral1
Sample
JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe
-
Size
194KB
-
MD5
1ccfa7176d202069491a7f360756cfa2
-
SHA1
ae6c848d2d31cd916a14445cb13344c589e53038
-
SHA256
c180c6ba9f85cd3820a4400b1dcad7e156b55733c548e2cea4221e7f77acce2c
-
SHA512
931081031d6d0205ef0bcb02e06f1302fecaa4491b71c10ab56b28671b739c24d274bb059f508a28f96586adcb276df7485bef673c412738762104b817b2bcfc
-
SSDEEP
1536:bm8xOWWrs/wNYw8sE/2VP+sEM35ny/fUix:bm1TrNwudRTNYci
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2996 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/1732-0-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/1732-3-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0009000000016dd0-4.dat upx behavioral1/memory/2996-13-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/1732-11-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2996-14-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2996-16-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2996-18-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2996-42-0x0000000000400000-0x0000000000433000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\WMPSideShowGadget.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7zG.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\wlsrvc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html svchost.exe File opened for modification C:\Program Files\DVD Maker\OmdProject.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\hprof.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\DirectDB.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\libvlccore.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html svchost.exe File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwdui.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmpnssci.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\AccessibleHandler.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2996 WaterMark.exe 2996 WaterMark.exe 2996 WaterMark.exe 2996 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2996 WaterMark.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2996 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe 30 PID 1732 wrote to memory of 2996 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe 30 PID 1732 wrote to memory of 2996 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe 30 PID 1732 wrote to memory of 2996 1732 JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe 30 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31 PID 2996 wrote to memory of 2444 2996 WaterMark.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2444
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
Filesize401KB
MD55c1e358333c4d961605afa3b250e2d01
SHA11593bbd3c89a389eaa76bd93707899136c47a1cd
SHA2561ffae8f105b06bf4845485ded9c31def0b776fd81592bfef81f06aea7bbdedaf
SHA5129aa8e9d98b1b7ac004cdd3ea75d53c2b90c4c335ce23b37dafc8f53b9e966cde1e4f8ab79d56e59ab1f1138784eb4f95ea89790950eeb1955ee00d5f79656da6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
Filesize398KB
MD57e9d12ee9fcb192eaad471fc776b8fd0
SHA1d57e9d3ba522141b5c8fee94a68d0d62be39cccc
SHA256466ff7e135d68fb676e9f4b18ec506a6ece207402783adb8e9725a29c4ccc02c
SHA512ec3c10482aa497b05ee1852259435339154fdbbd8605aa090de413a45e5f0677b63f0e8db4da2c634d6ac608ce74ac7a9d673fb929f8f64a469489143927960d
-
Filesize
194KB
MD51ccfa7176d202069491a7f360756cfa2
SHA1ae6c848d2d31cd916a14445cb13344c589e53038
SHA256c180c6ba9f85cd3820a4400b1dcad7e156b55733c548e2cea4221e7f77acce2c
SHA512931081031d6d0205ef0bcb02e06f1302fecaa4491b71c10ab56b28671b739c24d274bb059f508a28f96586adcb276df7485bef673c412738762104b817b2bcfc