Analysis
  max time kernel:  117s
  max time network: 118s
  platform:         windows7_x64
  resource:         win7-20240215-en
  resource tags:    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted:        11/06/2024, 03:14
Static task
  static1

Behavioral task
  behavioral1
    Sample:   9cd24ec8dc7ae21677f4fc5cb04f0ce8_JaffaCakes118.dll
    Resource: win7-20240215-en

Behavioral task
  behavioral2
    Sample:   9cd24ec8dc7ae21677f4fc5cb04f0ce8_JaffaCakes118.dll
    Resource: win10v2004-20240508-en
General
  Target: 9cd24ec8dc7ae21677f4fc5cb04f0ce8_JaffaCakes118.dll
  Size:   1.0MB
  MD5:    9cd24ec8dc7ae21677f4fc5cb04f0ce8
  SHA1:   7c8fd75df63163df50e2451ba376b26215d21edc
  SHA256: 8f50d3a4347252ab64f661adcaa77d3bc1f3dfdf6af2833596991b90188fe6f1
  SHA512: 168575657d85d2ebd0f8148d5e1e99fce62ac709e1c46c55e1e809cde96a70d51fa5668b8fce41838eb61e9160c1b850c205410acb213389d16c7bdd3187c45f
  SSDEEP: 24576:WlVq0okbkKy71LtxM9JP4oNBzb95ecd+7jJoYp5nXSqdix:+qwbly715xM9JrhbNABL5n6x
Malware Config
Signatures

Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine   rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2336  rundll32.exe

Modifies Internet Explorer settings
  description      ioc                                                                                                                                  Process
  Key created      \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main                                 rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"  rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2336  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2336  rundll32.exe
  2336  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process       procid_target
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
  PID 1512 wrote to memory of 2336   1512  rundll32.exe  28
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cd24ec8dc7ae21677f4fc5cb04f0ce8_JaffaCakes118.dll,#1
  PID: 1512
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cd24ec8dc7ae21677f4fc5cb04f0ce8_JaffaCakes118.dll,#1
    PID: 2336
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx