Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 14:36
Static task
static1
Behavioral task
behavioral1
Sample: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
Resource: win7-20240221-en
Behavioral task
behavioral2
Sample: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
Resource: win10v2004-20240226-en
General
Target: e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
Size: 241KB
MD5: e2c13d654e1397bf110f8ead50de5212
SHA1: 33da95025432683cb4410bbb966700fed3dcc319
SHA256: 7120e79a70b7545173221fd56857dec216d457a9560cc75dcb64ba2c87984409
SHA512: aca8d47394249846ae666f884aa0b89cfc6e35b8872888f6bed787e36fabbb606a7bb7f2614d92f21b8971563ded4ffebf05805a8ea704e424bd569171c92e8b
SSDEEP: 6144:5PISNDkrK1IK3hEnkDUxc2CIoqy+utDy+htDl+hN:5PISNA8R/gxcBqy+utDy+htDl+hN
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4832 | svchost.exe
4832 | svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3656 wrote to memory of 3524 | 3656 | regsvr32.exe | 85
PID 3656 wrote to memory of 3524 | 3656 | regsvr32.exe | 85
PID 3656 wrote to memory of 3524 | 3656 | regsvr32.exe | 85
Processes
C:\Windows\system32\regsvr32.exe (depth 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 3656
  C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    command line: /s C:\Users\Admin\AppData\Local\Temp\e2c13d654e1397bf110f8ead50de5212_JaffaCakes118.dll
    - Sets DLL path for service in the registry
    PID: 3524
C:\Windows\SysWOW64\svchost.exe (depth 1)
  command line: C:\Windows\SysWOW64\svchost.exe -k e2c13d654e1397bf110f8ead50de5212_JaffaCakes118
  - Suspicious behavior: EnumeratesProcesses
  PID: 4832