Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/01/2025, 02:26
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll
-
Size
258KB
-
MD5
276687275f0f9d19ecab6b15e4af797b
-
SHA1
a3da367a3845e706d029252c4d73bfd151989072
-
SHA256
19e943df00936e368c89f5441771930c885ec4404470cfbec3c69bab1dff4948
-
SHA512
09301fab68593d612ad5f0ff903648e79497d62b78836687b437fec66f6383f70d0b4201bce4d78efab881464ba86fa1407499be81da6186909f6bd0f678f707
-
SSDEEP
3072:aCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6g:aCIGPj038tAgFMldWNX+Ejtujg
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 4632 rundll32mgr.exe 1600 WaterMark.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
resource yara_rule behavioral2/memory/4632-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4632-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1600-30-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1600-34-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/1600-39-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1600-40-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px278B.tmp rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 4064 2448 WerFault.exe 86 2736 5064 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BC52F7F0-DAC3-11EF-9361-CAFD856C81B1} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2438116879" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444536943" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157968" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2430617336" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157968" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe 1600 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1600 WaterMark.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1500 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1500 iexplore.exe 1500 iexplore.exe 4724 IEXPLORE.EXE 4724 IEXPLORE.EXE 4724 IEXPLORE.EXE 4724 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4632 rundll32mgr.exe 1600 WaterMark.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4984 wrote to memory of 5064 4984 rundll32.exe 82 PID 4984 wrote to memory of 5064 4984 rundll32.exe 82 PID 4984 wrote to memory of 5064 4984 rundll32.exe 82 PID 5064 wrote to memory of 4632 5064 rundll32.exe 83 PID 5064 wrote to memory of 4632 5064 rundll32.exe 83 PID 5064 wrote to memory of 4632 5064 rundll32.exe 83 PID 4632 wrote to memory of 1600 4632 rundll32mgr.exe 85 PID 4632 wrote to memory of 1600 4632 rundll32mgr.exe 85 PID 4632 wrote to memory of 1600 4632 rundll32mgr.exe 85 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 2448 1600 WaterMark.exe 86 PID 1600 wrote to memory of 1500 1600 WaterMark.exe 91 PID 1600 wrote to memory of 1500 1600 WaterMark.exe 91 PID 1600 wrote to memory of 4124 1600 WaterMark.exe 92 PID 1600 wrote to memory of 4124 1600 WaterMark.exe 92 PID 1500 wrote to memory of 4724 1500 iexplore.exe 93 PID 1500 wrote to memory of 4724 1500 iexplore.exe 93 PID 1500 wrote to memory of 4724 1500 iexplore.exe 93
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:2448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 2046⤵
- Program crash
PID:4064
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4724
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
PID:4124
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 6083⤵
- Program crash
PID:2736
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 24481⤵PID:3584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 50641⤵PID:2716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ce36378334f2edb4e728e0632afebb70
SHA189d54efcb8c7bbe532e5ad91b38468279d3f5c93
SHA2566be47a3ecfbf81a123c297ee65d70177b4010bfbe728b94b4337453683b9a6e1
SHA5123e09cc9ece1907c072f02f768ec749ceef3b8913f394bb075b1948d0409b7910670b91da7d35160c211d0bf8df05e83409a1ad7493ea53864c41f37305f75aa2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD517d88c0b0206def8528ce057cc3f0e18
SHA193457e1e867629f7741fa812ee3cf506cdc2710b
SHA2562518052c88b3661734d3b0e1ddf6441dbf7cf2615f371468b20842f792b3c624
SHA512f35c0ab1b591673bf7b44af1386de6b89a265802187b62346b60a2307c726a56a2ec61ceb3e78e1882d859184961e226478a5e99429c9f990ef045d13eb2f5b0
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
92KB
MD57ee724f57cd50cc251c9640919b5469e
SHA1f46cf7427e3519358ce354265a7226abb157cf15
SHA256caffeddde0516e982f2adc315190b9a55b67a2646d113f5f892533489307edce
SHA512f6fe974490da9c753f61c455c0efdceebb0d2af46519fbc15843d79aca7c1ef3fb33c77644e977cc0ade60e60e4f72c6a6cf552d1bdfada11abeb29d9c899c32