Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2024, 18:07
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 7de2125eba63b36cdc4f45b008a4118b_JaffaCakes118.dll
  Resource: win7-20240221-en
  4 signatures, 150 seconds
General
Target: 7de2125eba63b36cdc4f45b008a4118b_JaffaCakes118.dll
Size: 211KB
MD5: 7de2125eba63b36cdc4f45b008a4118b
SHA1: b1c3ec138e2f104bac76852bf0d2bb4708e67922
SHA256: d67e1fd5d40e841c1aedbbf65d5f72a69da5ac54e48ae92da1f428c9f18d8363
SHA512: cbe3a45f1afde4e695f66d6bfb98e10a3fba41c1d2ecb5eee15c3a2e7d52b6d58ef878071452dab26427607c83040a18745a7f17227bac6d74add4969ff9b2fc
SSDEEP: 6144:6ZLwQyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwQyyHadIBkLIi8dTL2SvguYOO1mkN
Malware Config
Extracted
Family: icedid
C2: ldrstar.casa
Signatures

IcedID First Stage Loader (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/1612-1-0x00000000748D0000-0x000000007495C000-memory.dmp  IcedidFirstLoader

Blocklisted process makes network request (36 IoCs)
  flow  pid   Process
  3     1612  rundll32.exe
  4     1612  rundll32.exe
  6     1612  rundll32.exe
  7     1612  rundll32.exe
  9     1612  rundll32.exe
  10    1612  rundll32.exe
  12    1612  rundll32.exe
  13    1612  rundll32.exe
  17    1612  rundll32.exe
  18    1612  rundll32.exe
  19    1612  rundll32.exe
  20    1612  rundll32.exe
  22    1612  rundll32.exe
  23    1612  rundll32.exe
  25    1612  rundll32.exe
  26    1612  rundll32.exe
  28    1612  rundll32.exe
  29    1612  rundll32.exe
  31    1612  rundll32.exe
  32    1612  rundll32.exe
  33    1612  rundll32.exe
  34    1612  rundll32.exe
  36    1612  rundll32.exe
  37    1612  rundll32.exe
  39    1612  rundll32.exe
  40    1612  rundll32.exe
  42    1612  rundll32.exe
  43    1612  rundll32.exe
  45    1612  rundll32.exe
  46    1612  rundll32.exe
  47    1612  rundll32.exe
  48    1612  rundll32.exe
  50    1612  rundll32.exe
  51    1612  rundll32.exe
  53    1612  rundll32.exe
  54    1612  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process       procid_target
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
  PID 2000 wrote to memory of 1612  2000  rundll32.exe  28
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7de2125eba63b36cdc4f45b008a4118b_JaffaCakes118.dll,#1
   PID: 2000
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7de2125eba63b36cdc4f45b008a4118b_JaffaCakes118.dll,#1
      PID: 1612
      - Blocklisted process makes network request