Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 23:24
Static task
static1
Behavioral task
behavioral1
Sample
17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe
-
Size
88KB
-
MD5
17ecd2482ee7117bb01d500ed1dbc23f
-
SHA1
76507cec7f81a04ecba0a2542ed6c6f679a26a9f
-
SHA256
86ab82676be16232b60514b0673f385e883af6f24a0ad43a98904c088d0292e6
-
SHA512
f09497b9c0e3afd19979758e34407dff710b93c8dd5d4b3349441faad87ed610024c025c22a4424f93e67f9fef60a61d68728207cb9d86d92960187acd5df0bc
-
SSDEEP
1536:KTS4t3A4HTqgpkY+0MMpqkRKihKs9q2+/u+shQ9sb4+wIyDYxBQuH6vd0J+yNCWj:KTU4GEkrMpJVLqW+sicgYb6vd0/G
Malware Config
Signatures
-
Loads dropped DLL 8 IoCs
pid Process 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fyayinuyozewa = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\dftdoxl.dll\",Startup" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe 1640 rundll32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1680 wrote to memory of 1640 1680 17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29 PID 1640 wrote to memory of 2668 1640 rundll32.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\17ecd2482ee7117bb01d500ed1dbc23f_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\dftdoxl.dll",Startup2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\dftdoxl.dll",iep3⤵
- Loads dropped DLL
PID:2668
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD5ef100aef1f101e81cbae6f9cdcb58127
SHA1548faa930db08b9bbe7665f8b3dab1f275803c2c
SHA25698b0145d246bc2aa1c2134ae04d9d04a7bfc620fb5fd46276513a9d6945ecbf5
SHA512bcc6f51def515971921cda11f9e8e7c8091c66e289a24b12f658927df9c5d5e60512433d7432ab7eb3cdaf7c98dec53fb652dfb13158c27c98edbe890036babe