Analysis
max time kernel: 142s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/05/2024, 06:26
Behavioral task: behavioral1
Sample: 3332d48869a748ea708b00706277e400_JaffaCakes118.dll
Resource: win7-20240221-en
Signatures: 6
Run time: 150 seconds
General
Target: 3332d48869a748ea708b00706277e400_JaffaCakes118.dll
Size: 3.2MB
MD5: 3332d48869a748ea708b00706277e400
SHA1: add4d2914a06aef97385f212e75994430d92aeb5
SHA256: 8027f64cfb0177e7dbd26c5e0c5b2f850903d3a3747bec6a1831c3ebeb4e4892
SHA512: 52f098f37cc434a3fbf46771f9f545a2f9853ac4e0844f8042ef900bc61e153f559b8b83970619a7081f3f20a174829bd6939d7c8383d8e8a1dc4e448fbb7372
SSDEEP: 49152:SIfC8oGD3PzkRGN1yQMGfsdlg4J37YICsr4U0FXMXSo2YSBSK+Y/uX6w6Vg0liS2:SIq854UlM2s04l7Yvel0C4NzBGuVnk
Malware Config
Signatures

- Detect Blackmoon payload (1 IoC)
  resource                                                                    yara_rule
  behavioral2/memory/4504-1-0x0000000010000000-0x00000000107ED000-memory.dmp  family_blackmoon

- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  120.55.25.188
  Destination IP  120.55.25.188

- (signature title not present on page; 2 yara matches)
  resource                                                                    yara_rule
  behavioral2/memory/4504-0-0x0000000010000000-0x00000000107ED000-memory.dmp  vmprotect
  behavioral2/memory/4504-1-0x0000000010000000-0x00000000107ED000-memory.dmp  vmprotect

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4504  rundll32.exe
  4504  rundll32.exe
  4504  rundll32.exe
  4504  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process   Token (description), in the order recorded
  3924  WMIC.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this run of 21 tokens is recorded twice: 42 entries)
  3308  WMIC.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege (22 entries)
- Suspicious use of WriteProcessMemory (27 IoCs)
  pid   wrote to memory of  Process       procid_target  times recorded
  3264  4504                rundll32.exe  91             3
  4504  3336                rundll32.exe  94             3
  3336  3924                cmd.exe       96             3
  4504  2796                rundll32.exe  97             3
  2796  3308                cmd.exe       99             3
  4504  3952                rundll32.exe  100            3
  3952  540                 cmd.exe       102            3
  4504  4224                rundll32.exe  103            3
  4224  3328                cmd.exe       105            3
Processes

- C:\Windows\system32\rundll32.exe (PID: 3264)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3332d48869a748ea708b00706277e400_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 4504)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3332d48869a748ea708b00706277e400_JaffaCakes118.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID: 3336)
      command line: cmd.exe /c wmic BASEBOARD get product/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID: 3924)
        command line: wmic BASEBOARD get product/value
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID: 2796)
      command line: cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID: 3308)
        command line: wmic Path Win32_DisplayConfiguration get DeviceName/value
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID: 3952)
      command line: cmd.exe /c wmic cpu get ProcessorId/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID: 540)
        command line: wmic cpu get ProcessorId/value
    - C:\Windows\SysWOW64\cmd.exe (PID: 4224)
      command line: cmd.exe /c wmic DISKDRIVE get Signature/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID: 3328)
        command line: wmic DISKDRIVE get Signature/value

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 2436)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8