Windows 7 deprecation notice (tria.ge): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 51s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 19:21
Behavioral task behavioral1
- Sample: 0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll
- Size: 114KB
- MD5: 0a62322eb5e1a29638ea63e8339b34bb
- SHA1: 584bd1149f79e30ae2d923b773e9a755d9c02093
- SHA256: 600bcf09f6d921650c6960754fdbff18e22f27b55565bf6e31c79f58dcb6df63
- SHA512: 2e543b423ff5d964f62c471815872b5a54b1833c0c29f8ab13da449f4f17c5f1448be332aa9e659cad26cdb7af8a781eb4be934a2ade0753b1368c5bbbeb9cf3
- SSDEEP: 3072:IdpgMxsdSyg4TvtcMk8Lyzb8ckivlu5KYiCbmN:Mpl2GkGMkSgb8Svlu5KYON
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 3 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. A StubPath command registered under HKLM\...\Microsoft\Active Setup\Installed Components\{GUID} is executed once for each user at that user's next logon, which is what makes the key attractive for persistence. Two details of this sample's entry are worth noting: the component name is GUID-shaped but not a valid GUID (it contains non-hexadecimal characters such as g, x, y, m, s, k, q, w, r and t), and the key lands under WOW6432Node because the writer is the 32-bit rundll32.exe.
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{g3xqxym3-fsgk-umam-masc-qegiwerbtq3y}\stubpath | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{g3xqxym3-fsgk-umam-masc-qegiwerbtq3y} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{g3xqxym3-fsgk-umam-masc-qegiwerbtq3y}\ = "ϵͳÉèÖÃ" | rundll32.exe
  The third row sets the key's default value (empty value name). The string is GBK-encoded Chinese rendered with the wrong code page; it most likely reads 系统设置 ("System Settings"), a label chosen to look like a legitimate component in the Installed Components list.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 3192 wrote to memory of 1596 | 3192 | rundll32.exe | 81
  The same event is recorded three times; the writes go from the 64-bit rundll32.exe into the 32-bit rundll32.exe it spawned (see Processes).
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll,#1
  PID: 3192
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll,#1
    PID: 1596
    - Boot or Logon Autostart Execution: Active Setup
  The 64-bit rundll32.exe is handed a 32-bit DLL and re-launches the SysWOW64 rundll32.exe with the same command line; the DLL's export #1 (called by ordinal) then runs in the 32-bit child, which is the process that writes the Active Setup key.
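The two signatures above are reduced to the registry and process events the sandbox recorded. The following is an added example, not tria.ge's own detection logic, showing how a hunt or EDR rule would reproduce both findings from such events: Active Setup writes are flagged when the component name is not a well-formed GUID or the writer is a script/DLL host rather than an installer, and rundll32 is flagged when it loads a DLL from a user-writable path, with the rundll32 -> rundll32 hand-off noted as context. The sample events are constructed from the IoC rows and process tree in this report; the msiexec.exe row with the GUID {12345678-1234-1234-1234-123456789abc} is an added benign control and not from the report.

```python
import re

# --- Constructed sample events -------------------------------------------------
# The three Active Setup rows and the two rundll32 processes are copied from the
# report above. The msiexec.exe row is an added benign control (made-up GUID).
ACTIVE_SETUP_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup"
                    r"\Installed Components\{g3xqxym3-fsgk-umam-masc-qegiwerbtq3y}")
REGISTRY_EVENTS = [
    {"op": "Set value (str)", "path": ACTIVE_SETUP_KEY + r"\stubpath", "process": "rundll32.exe", "pid": 1596},
    {"op": "Key created",     "path": ACTIVE_SETUP_KEY,                 "process": "rundll32.exe", "pid": 1596},
    {"op": "Set value (str)", "path": ACTIVE_SETUP_KEY + "\\",          "process": "rundll32.exe", "pid": 1596},
    {"op": "Set value (str)",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{12345678-1234-1234-1234-123456789abc}\StubPath",
     "process": "msiexec.exe", "pid": 4000},
]
DLL = r"C:\Users\Admin\AppData\Local\Temp\0a62322eb5e1a29638ea63e8339b34bb_JaffaCakes118.dll"
PROCESS_EVENTS = [
    {"pid": 3192, "parent": None, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1596, "parent": 3192, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
]

# --- Detection rules -------------------------------------------------------------
# Matches HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Active Setup\Installed Components\{name}[\value]
ACTIVE_SETUP_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(\{[^\\}]*\})(?:\\(.*))?$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
# "rundll32[.exe] <dll>,#<ordinal>": DLL path and export ordinal
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*#(\d+)', re.IGNORECASE)
# Hosts that should not normally be the process registering Active Setup components.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def is_well_formed_guid(name: str) -> bool:
    """Genuine Installed Components entries use real GUIDs; the sample's name only looks like one."""
    return GUID_RE.match(name) is not None


def analyze_registry(events):
    """Flag Active Setup writes whose component name or writing process is out of place."""
    findings = []
    for ev in events:
        m = ACTIVE_SETUP_RE.match(ev["path"])
        if not m:
            continue
        component, value_name = m.group(1), (m.group(2) or "")
        reasons = []
        if not is_well_formed_guid(component):
            reasons.append("component name is not a well-formed GUID")
        if ev["process"].lower() in SCRIPT_HOSTS:
            reasons.append(f"written by {ev['process']} instead of an installer")
        if not reasons:          # valid GUID written by an installer: leave it alone
            continue
        if value_name.lower() == "stubpath":
            reasons.append("StubPath set: its command runs once per user at that user's next logon")
        findings.append({"pid": ev["pid"], "op": ev["op"], "component": component, "reasons": reasons})
    return findings


def analyze_processes(events):
    """Flag rundll32 loading a DLL from a user-writable path; note a rundll32 -> rundll32 hand-off."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        m = RUNDLL_RE.search(ev["cmdline"])
        if not m:
            continue
        dll, ordinal = m.group(1).strip(), int(m.group(2))
        if not any(tok in dll.lower() for tok in USER_WRITABLE):
            continue
        reasons = [f"rundll32 loads a DLL from a user-writable path and calls export #{ordinal} by ordinal"]
        parent = by_pid.get(ev["parent"])
        if parent:
            pm = RUNDLL_RE.search(parent["cmdline"])
            if pm and pm.group(1).strip().lower() == dll.lower():
                reasons.append("spawned by another rundll32.exe with the same DLL, consistent with the "
                               "64-bit host re-launching the SysWOW64 rundll32 for a 32-bit DLL")
        findings.append({"pid": ev["pid"], "image": ev["image"], "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_registry(REGISTRY_EVENTS) + analyze_processes(PROCESS_EVENTS):
        print(f)
```

The GUID check is the cheap, high-value part: a real Active Setup component is registered by an installer with a genuine GUID, so a GUID-shaped name with non-hex characters, written by rundll32.exe, is a strong signal even without the StubPath value, which the sandbox did not capture here. On a live host the same rules apply to values read with reg.exe or Get-ItemProperty under both the native and the WOW6432Node Installed Components keys.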