Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/06/2024, 23:27
Static task: static1
Behavioral task: behavioral1
  Sample: 13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll
- Size: 30KB
- MD5: 13e08a76d492d8c3855e8dabe9f552c3
- SHA1: 76a2206828de98c9dbf7b49334683e65df7c6065
- SHA256: 009708a99a9ee43aa872ee280d8f533f3fdf44f8cf442e495a2da256d89d65cd
- SHA512: 91eb470972d8ea3d1c3d437da8140e0b699323927976dba0f9b407d87cdbd6e7b6a433178eed4d887a6b08868c34600ea3059a12fceb0a639e2c0a0116149404
- SSDEEP: 768:P8r2oVHxstDY0UgrLuusF61RBKw7AK7/gFLQ8i+acOcL:oHGdSqNsF61RBKwMKDgBQH+TdL
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid | Process
  1592 | rundll32.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  1592 | rundll32.exe (3 events, same process)

- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\lua.wkl | rundll32.exe
  File created | C:\Windows\twan32.dll | rundll32.exe
  File opened for modification | C:\Windows\twan32.dll | rundll32.exe
  File opened for modification | C:\Windows\lua.wkl | rundll32.exe

- Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid | Process
  1592 | rundll32.exe

- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll,1299060089,408043380,-352895392" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1592 | rundll32.exe (all 64 events from the same process)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2388 wrote to memory of 2548 | 2388 | rundll32.exe | 89
  PID 2388 wrote to memory of 2548 | 2388 | rundll32.exe | 89
  PID 2388 wrote to memory of 2548 | 2388 | rundll32.exe | 89
  PID 2548 wrote to memory of 1592 | 2548 | rundll32.exe | 90
  PID 2548 wrote to memory of 1592 | 2548 | rundll32.exe | 90
  PID 2548 wrote to memory of 1592 | 2548 | rundll32.exe | 90
Processes
- C:\Windows\system32\rundll32.exe (PID 2388)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\SysWOW64\rundll32.exe (PID 2548)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13e08a76d492d8c3855e8dabe9f552c3_JaffaCakes118.dll,#1
    Signatures:
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Child:
    - C:\Windows\SysWOW64\rundll32.exe (PID 1592)
      Command line: rundll32 "C:\Windows\twan32.dll",_RunAs@16
      Signatures:
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Access Token Manipulation: Create Process with Token
      - Suspicious behavior: EnumeratesProcesses

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 624)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  Signatures: none
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 30KB
  MD5: 13e08a76d492d8c3855e8dabe9f552c3
  SHA1: 76a2206828de98c9dbf7b49334683e65df7c6065
  SHA256: 009708a99a9ee43aa872ee280d8f533f3fdf44f8cf442e495a2da256d89d65cd
  SHA512: 91eb470972d8ea3d1c3d437da8140e0b699323927976dba0f9b407d87cdbd6e7b6a433178eed4d887a6b08868c34600ea3059a12fceb0a639e2c0a0116149404