Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/04/2024, 13:41
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 05507d68ea603cb822b5059c02e99f84_JaffaCakes118.dll
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 05507d68ea603cb822b5059c02e99f84_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 05507d68ea603cb822b5059c02e99f84_JaffaCakes118.dll
- Size: 35KB
- MD5: 05507d68ea603cb822b5059c02e99f84
- SHA1: aadf086507aeb380387eb8c4457360394578ff95
- SHA256: 4bc46cc8146007b60f72bc42d7d59a55abf943f50fc42dd8a8fa7475e0b775fb
- SHA512: 209f4a4df9b9bc715aa56a055a0f636296d5f56383030c3b2d1066029936428178de576471adcbf87394d675bd793d9547a0c9cc6889d3df6668bd242f40fd43
- SSDEEP: 768:K3TyjThg+N/lzvBGYds9gxmWhUERFP6DyOtR:ke5gUdzZbSgxmW35OtR
Signatures
- Loads dropped DLL (1 IoC)
  pid    Process
  2192   WerFault.exe
- Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2192   2184         WerFault.exe   28
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid    Process        procid_target
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2524 wrote to memory of 2184     2524   rundll32.exe   28
  PID 2184 wrote to memory of 2192     2184   rundll32.exe   29
  PID 2184 wrote to memory of 2192     2184   rundll32.exe   29
  PID 2184 wrote to memory of 2192     2184   rundll32.exe   29
  PID 2184 wrote to memory of 2192     2184   rundll32.exe   29
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05507d68ea603cb822b5059c02e99f84_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2524
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05507d68ea603cb822b5059c02e99f84_JaffaCakes118.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2184
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 232
      Signatures: Loads dropped DLL, Program crash
      PID: 2192