Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:20
Static task: static1
Behavioral task: behavioral1
  Sample: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll
Size: 508KB
MD5: e59070776d78df670acd8041cc7e93ec
SHA1: 52864889f16f8ea9651a152223ec8194cf669576
SHA256: e1bd03bb2f8bbef5e3d5b649b6abfee4170b36016ea6213a4229cb933199f97b
SHA512: b3f919ee4b476a1cefc62c1a97ff345d19ba25cf9c5d8371067179295c1424f1da89c50638bc5b90f2454982a4cad42691f575daf9ba3626dcc8ebd424e7e969
SSDEEP: 6144:NfzganSY2TDXg/SWvAuHKCLFT6QrMRqETEqbemgBVWrUOyjnZ/X5eOlM:Nfzej3FHuTLFeQbqiOrUOyZz
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\15k9r0.sys | rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\{C5269DD294477B0D4626EE6427258751}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\55E1.tmp" | rundll32.exe

Loads dropped DLL (1 IoC)
pid | Process
1040 | regsvr32.exe

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
652 | Process not Found

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4280 wrote to memory of 3244 | 4280 | rundll32.exe | 86
PID 4280 wrote to memory of 3244 | 4280 | rundll32.exe | 86
PID 4280 wrote to memory of 3244 | 4280 | rundll32.exe | 86
PID 3244 wrote to memory of 1040 | 3244 | rundll32.exe | 93
PID 3244 wrote to memory of 1040 | 3244 | rundll32.exe | 93
PID 3244 wrote to memory of 1040 | 3244 | rundll32.exe | 93
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll,#1
  PID: 4280
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 4280)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59070776d78df670acd8041cc7e93ec_JaffaCakes118.dll,#1
    PID: 3244
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (child of PID 3244)
      command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3633.tmp
      PID: 1040
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 416KB
MD5: 9fc47b32c3156af49540e82ad8c961b4
SHA1: 1d3947a5c4504b7a89f83f5d808876134557550d
SHA256: 171489c75400149f90ee67cb98f15a33af8ee6301d10e71807d53356cfd325c3
SHA512: 1ac5b31c1f2f532595a7729071588a4c2975df22529a362d741d9c5f45788f7a912260c7ded6b228d6618e8a9bfb84b57f269ccb225ffdd4fd7011df9de30276