Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20/05/2024, 22:32

Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: 61249740d1ecb3a12f4652e17c745802_JaffaCakes118.dll
Resource: win7-20240220-en
4 signatures
150 seconds
General
Target: 61249740d1ecb3a12f4652e17c745802_JaffaCakes118.dll
Size: 211KB
MD5: 61249740d1ecb3a12f4652e17c745802
SHA1: 7052e7962eab69ab2e6425a10931a008d4736284
SHA256: ab08d113bb0f4fb6aa96997d03853aac162f93d8e6926de224186ab35255f310
SHA512: 90f56a0534297b6aaacc40573121e8c46e06ad4b3be8ce1a1eaf9ac788589a00f52cc6f1939b4dfde7c278e2d18fc80ddd84a2a01a05773487ba4912b1f11338
SSDEEP: 6144:6ZLw/yyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLw/yyHadIBkLIi8dTL2SvguYOO1mkN

Malware Config
Extracted
Family: icedid
C2: ldrstar.casa
Signatures

IcedID First Stage Loader (1 IoCs)
resource                                                                  yara_rule
behavioral1/memory/2700-1-0x0000000074A70000-0x0000000074AFC000-memory.dmp  IcedidFirstLoader

Blocklisted process makes network request (36 IoCs)
flow  pid   Process
3     2700  rundll32.exe
4     2700  rundll32.exe
6     2700  rundll32.exe
7     2700  rundll32.exe
9     2700  rundll32.exe
10    2700  rundll32.exe
12    2700  rundll32.exe
13    2700  rundll32.exe
17    2700  rundll32.exe
18    2700  rundll32.exe
19    2700  rundll32.exe
20    2700  rundll32.exe
22    2700  rundll32.exe
23    2700  rundll32.exe
25    2700  rundll32.exe
26    2700  rundll32.exe
28    2700  rundll32.exe
29    2700  rundll32.exe
31    2700  rundll32.exe
32    2700  rundll32.exe
33    2700  rundll32.exe
34    2700  rundll32.exe
36    2700  rundll32.exe
37    2700  rundll32.exe
39    2700  rundll32.exe
40    2700  rundll32.exe
42    2700  rundll32.exe
43    2700  rundll32.exe
45    2700  rundll32.exe
46    2700  rundll32.exe
47    2700  rundll32.exe
48    2700  rundll32.exe
50    2700  rundll32.exe
51    2700  rundll32.exe
53    2700  rundll32.exe
54    2700  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   Process       procid_target
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
PID 2368 wrote to memory of 2700   2368  rundll32.exe  28
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61249740d1ecb3a12f4652e17c745802_JaffaCakes118.dll,#1
  PID: 2368
  - Suspicious use of WriteProcessMemory
  child:
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61249740d1ecb3a12f4652e17c745802_JaffaCakes118.dll,#1
      PID: 2700
      - Blocklisted process makes network request