Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 06:26
Behavioral task: behavioral1
Sample: 3332d48869a748ea708b00706277e400_JaffaCakes118.dll
Resource: win7-20240221-en
6 signatures
150 seconds
General
Target: 3332d48869a748ea708b00706277e400_JaffaCakes118.dll
Size: 3.2MB
MD5: 3332d48869a748ea708b00706277e400
SHA1: add4d2914a06aef97385f212e75994430d92aeb5
SHA256: 8027f64cfb0177e7dbd26c5e0c5b2f850903d3a3747bec6a1831c3ebeb4e4892
SHA512: 52f098f37cc434a3fbf46771f9f545a2f9853ac4e0844f8042ef900bc61e153f559b8b83970619a7081f3f20a174829bd6939d7c8383d8e8a1dc4e448fbb7372
SSDEEP: 49152:SIfC8oGD3PzkRGN1yQMGfsdlg4J37YICsr4U0FXMXSo2YSBSK+Y/uX6w6Vg0liS2:SIq854UlM2s04l7Yvel0C4NzBGuVnk
Signatures

- Detect Blackmoon payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/2684-3-0x0000000010000000-0x00000000107ED000-memory.dmp   family_blackmoon

- yara_rule matches tagged vmprotect (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2684-0-0x0000000010000000-0x00000000107ED000-memory.dmp   vmprotect
  behavioral1/memory/2684-2-0x0000000010000000-0x00000000107ED000-memory.dmp   vmprotect
  behavioral1/memory/2684-1-0x0000000010000000-0x00000000107ED000-memory.dmp   vmprotect
  behavioral1/memory/2684-3-0x0000000010000000-0x00000000107ED000-memory.dmp   vmprotect

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2684  rundll32.exe
  2684  rundll32.exe
  2684  rundll32.exe
  2684  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              2684  rundll32.exe
  Token: SeIncreaseQuotaPrivilege      2676  WMIC.exe
  Token: SeSecurityPrivilege           2676  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2676  WMIC.exe
  Token: SeLoadDriverPrivilege         2676  WMIC.exe
  Token: SeSystemProfilePrivilege      2676  WMIC.exe
  Token: SeSystemtimePrivilege         2676  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2676  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2676  WMIC.exe
  Token: SeCreatePagefilePrivilege     2676  WMIC.exe
  Token: SeBackupPrivilege             2676  WMIC.exe
  Token: SeRestorePrivilege            2676  WMIC.exe
  Token: SeShutdownPrivilege           2676  WMIC.exe
  Token: SeDebugPrivilege              2676  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2676  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2676  WMIC.exe
  Token: SeUndockPrivilege             2676  WMIC.exe
  Token: SeManageVolumePrivilege       2676  WMIC.exe
  Token: 33                            2676  WMIC.exe
  Token: 34                            2676  WMIC.exe
  Token: 35                            2676  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2676  WMIC.exe
  Token: SeSecurityPrivilege           2676  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2676  WMIC.exe
  Token: SeLoadDriverPrivilege         2676  WMIC.exe
  Token: SeSystemProfilePrivilege      2676  WMIC.exe
  Token: SeSystemtimePrivilege         2676  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2676  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2676  WMIC.exe
  Token: SeCreatePagefilePrivilege     2676  WMIC.exe
  Token: SeBackupPrivilege             2676  WMIC.exe
  Token: SeRestorePrivilege            2676  WMIC.exe
  Token: SeShutdownPrivilege           2676  WMIC.exe
  Token: SeDebugPrivilege              2676  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2676  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2676  WMIC.exe
  Token: SeUndockPrivilege             2676  WMIC.exe
  Token: SeManageVolumePrivilege       2676  WMIC.exe
  Token: 33                            2676  WMIC.exe
  Token: 34                            2676  WMIC.exe
  Token: 35                            2676  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2640  WMIC.exe
  Token: SeSecurityPrivilege           2640  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2640  WMIC.exe
  Token: SeLoadDriverPrivilege         2640  WMIC.exe
  Token: SeSystemProfilePrivilege      2640  WMIC.exe
  Token: SeSystemtimePrivilege         2640  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2640  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2640  WMIC.exe
  Token: SeCreatePagefilePrivilege     2640  WMIC.exe
  Token: SeBackupPrivilege             2640  WMIC.exe
  Token: SeRestorePrivilege            2640  WMIC.exe
  Token: SeShutdownPrivilege           2640  WMIC.exe
  Token: SeDebugPrivilege              2640  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2640  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2640  WMIC.exe
  Token: SeUndockPrivilege             2640  WMIC.exe
  Token: SeManageVolumePrivilege       2640  WMIC.exe
  Token: 33                            2640  WMIC.exe
  Token: 34                            2640  WMIC.exe
  Token: 35                            2640  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2640  WMIC.exe
  Token: SeSecurityPrivilege           2640  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2640  WMIC.exe

- Suspicious use of WriteProcessMemory (39 IoCs)
  description                        pid   Process       procid_target
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2168 wrote to memory of 2684   2168  rundll32.exe  28
  PID 2684 wrote to memory of 2580   2684  rundll32.exe  29
  PID 2684 wrote to memory of 2580   2684  rundll32.exe  29
  PID 2684 wrote to memory of 2580   2684  rundll32.exe  29
  PID 2684 wrote to memory of 2580   2684  rundll32.exe  29
  PID 2580 wrote to memory of 2676   2580  cmd.exe       31
  PID 2580 wrote to memory of 2676   2580  cmd.exe       31
  PID 2580 wrote to memory of 2676   2580  cmd.exe       31
  PID 2580 wrote to memory of 2676   2580  cmd.exe       31
  PID 2684 wrote to memory of 2600   2684  rundll32.exe  33
  PID 2684 wrote to memory of 2600   2684  rundll32.exe  33
  PID 2684 wrote to memory of 2600   2684  rundll32.exe  33
  PID 2684 wrote to memory of 2600   2684  rundll32.exe  33
  PID 2600 wrote to memory of 2640   2600  cmd.exe       35
  PID 2600 wrote to memory of 2640   2600  cmd.exe       35
  PID 2600 wrote to memory of 2640   2600  cmd.exe       35
  PID 2600 wrote to memory of 2640   2600  cmd.exe       35
  PID 2684 wrote to memory of 2556   2684  rundll32.exe  36
  PID 2684 wrote to memory of 2556   2684  rundll32.exe  36
  PID 2684 wrote to memory of 2556   2684  rundll32.exe  36
  PID 2684 wrote to memory of 2556   2684  rundll32.exe  36
  PID 2556 wrote to memory of 1724   2556  cmd.exe       38
  PID 2556 wrote to memory of 1724   2556  cmd.exe       38
  PID 2556 wrote to memory of 1724   2556  cmd.exe       38
  PID 2556 wrote to memory of 1724   2556  cmd.exe       38
  PID 2684 wrote to memory of 2856   2684  rundll32.exe  39
  PID 2684 wrote to memory of 2856   2684  rundll32.exe  39
  PID 2684 wrote to memory of 2856   2684  rundll32.exe  39
  PID 2684 wrote to memory of 2856   2684  rundll32.exe  39
  PID 2856 wrote to memory of 788    2856  cmd.exe       41
  PID 2856 wrote to memory of 788    2856  cmd.exe       41
  PID 2856 wrote to memory of 788    2856  cmd.exe       41
  PID 2856 wrote to memory of 788    2856  cmd.exe       41
Processes (tree depth shown by indentation; image path, then command line, PID and triggered signatures)

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\3332d48869a748ea708b00706277e400_JaffaCakes118.dll,#1
   PID: 2168
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3332d48869a748ea708b00706277e400_JaffaCakes118.dll,#1
      PID: 2684
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         cmd.exe /c wmic BASEBOARD get product/value
         PID: 2580
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic BASEBOARD get product/value
            PID: 2676
            - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\cmd.exe
         cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
         PID: 2600
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic Path Win32_DisplayConfiguration get DeviceName/value
            PID: 2640
            - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\cmd.exe
         cmd.exe /c wmic cpu get ProcessorId/value
         PID: 2556
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic cpu get ProcessorId/value
            PID: 1724

      3. C:\Windows\SysWOW64\cmd.exe
         cmd.exe /c wmic DISKDRIVE get Signature/value
         PID: 2856
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic DISKDRIVE get Signature/value
            PID: 788