Analysis
- max time kernel: 141s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 21:46
Behavioral task: behavioral1
- Sample: 26e33b656bc4806821bbf6e0854f4308_JaffaCakes118.dll
- Resource: win7-20240508-en
General
- Target: 26e33b656bc4806821bbf6e0854f4308_JaffaCakes118.dll
- Size: 805KB
- MD5: 26e33b656bc4806821bbf6e0854f4308
- SHA1: 5679e4f843f8de0125efd20ce7bb32117682a67c
- SHA256: d64f49dc0f53e5deadaee8bf403d76bab9838effdcb6e4aff485f23745a041c5
- SHA512: 8927ad20d79e74b760bc680d54c8afd8f5e7e139ebcb5991e2f44b4ac31b2bb1767ef357cadb9930a34fae8cb842cc5ad281507c2ad90d1ed536f50c3c06ecc2
- SSDEEP: 24576:Hd/4E1TAPJZgvtbhSQhAtuRyeiQYgBE/2h9:Hd/LpMSlbPh/tBVh
Malware Config
Signatures
- Detect Blackmoon payload (20 IoCs)
- Blocklisted process makes network request (2 IoCs)

  | flow | pid  | Process      |
  | ---- | ---- | ------------ |
  | 7    | 3596 | rundll32.exe |
  | 23   | 3596 | rundll32.exe |

  | resource                                                                   | yara_rule |
  | -------------------------------------------------------------------------- | --------- |
  | behavioral2/memory/3596-4-0x0000000010000000-0x0000000010018000-memory.dmp | upx       |

- Suspicious use of AdjustPrivilegeToken (1 IoC)

  | description             | pid  | Process      |
  | ----------------------- | ---- | ------------ |
  | Token: SeDebugPrivilege | 3596 | rundll32.exe |

- Suspicious use of SetWindowsHookEx (28 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)

  | description                      | pid  | Process      | procid_target |
  | -------------------------------- | ---- | ------------ | ------------- |
  | PID 4264 wrote to memory of 3596 | 4264 | rundll32.exe | 83            |
  | PID 4264 wrote to memory of 3596 | 4264 | rundll32.exe | 83            |
  | PID 4264 wrote to memory of 3596 | 4264 | rundll32.exe | 83            |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26e33b656bc4806821bbf6e0854f4308_JaffaCakes118.dll,#1
  PID: 4264
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26e33b656bc4806821bbf6e0854f4308_JaffaCakes118.dll,#1
    PID: 3596
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 162B
  MD5: 4f8e702cc244ec5d4de32740c0ecbd97
  SHA1: 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
  SHA256: 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
  SHA512: 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f