Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 18:20
Static task: static1

Behavioral task: behavioral1
Sample: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
Resource: win10v2004-20240226-en
General
Target: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
Size: 508KB
MD5: e59070776d78df670acd8041cc7e93ec
SHA1: 52864889f16f8ea9651a152223ec8194cf669576
SHA256: e1bd03bb2f8bbef5e3d5b649b6abfee4170b36016ea6213a4229cb933199f97b
SHA512: b3f919ee4b476a1cefc62c1a97ff345d19ba25cf9c5d8371067179295c1424f1da89c50638bc5b90f2454982a4cad42691f575daf9ba3626dcc8ebd424e7e969
SSDEEP: 6144:NfzganSY2TDXg/SWvAuHKCLFT6QrMRqETEqbemgBVWrUOyjnZ/X5eOlM:Nfzej3FHuTLFeQbqiOrUOyZz
Malware Config
Signatures
Drops file in Drivers directory (1 IoCs)
  description                   ioc                                          Process
  File opened for modification  C:\Windows\SysWOW64\drivers\15k9r0.sys       rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{C5269DD294477B0D4626EE6427258751}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\470F.tmp"  rundll32.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1248  regsvr32.exe

Suspicious behavior: LoadsDriver (1 IoCs)
  pid  Process
  480  Process not Found

Suspicious use of WriteProcessMemory (14 IoCs)
  description                     pid   Process       procid_target
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 112 wrote to memory of 1164   112   rundll32.exe  28
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
  PID 1164 wrote to memory of 1248  1164  rundll32.exe  29
Processes
C:\Windows\system32\rundll32.exe (PID 112)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1164)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll,#1
       - Drops file in Drivers directory
       - Sets service image path in registry
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\regsvr32.exe (PID 1248)
            Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\275E.tmp
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 416KB
MD5: 9fc47b32c3156af49540e82ad8c961b4
SHA1: 1d3947a5c4504b7a89f83f5d808876134557550d
SHA256: 171489c75400149f90ee67cb98f15a33af8ee6301d10e71807d53356cfd325c3
SHA512: 1ac5b31c1f2f532595a7729071588a4c2975df22529a362d741d9c5f45788f7a912260c7ded6b228d6618e8a9bfb84b57f269ccb225ffdd4fd7011df9de30276