Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1976187ba4...18.dll

windows7-x64

10

1976187ba4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/06/2024, 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1976187ba49108669682ffff927e417a_JaffaCakes118.dll

  • Size

    3.7MB

  • MD5

    1976187ba49108669682ffff927e417a

  • SHA1

    e75394263922f301ffb9f95621343877258771e1

  • SHA256

    9d9259e092e2c0d04668acff35f7dba53ced1037e3389fb457967f50454e85dc

  • SHA512

    0a270686db1897d8cb82dcb5eb824162264f5298cd6eb0fc386593566a206f9bc882d5a42efe27910b097735ff9dbf16a63eb6746d4795cf6566cc493c674275

  • SSDEEP

    6144:CWqcbsqA/Yiaf9qRGDfTJd9WYXmHPocXz2v/64UgP1toJI:pbsqA/zc4RG5aYIFK64UgPvoS

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1976187ba49108669682ffff927e417a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1976187ba49108669682ffff927e417a_JaffaCakes118.dll,#1
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      PID:4604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 572
        3⤵
        • Program crash
        PID:4680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4604 -ip 4604
    1⤵
      PID:3732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\exwinnig.dll
      Filesize

      5.0MB

      MD5

      27ceae9650286f1ca255294d3375fb0d

      SHA1

      47b9be1c038f67f8b60c740e84c1a28bafb1d6c5

      SHA256

      6d298933f5823d00f4632359a008ad0e718fe3040c82dceb1670c826d7eb78aa

      SHA512

      ca31fc2af124b9b06c2b4db7959ab81b00e305d22d4b9f13e82f4f11836c9aeb601f347cce826a7a8e4a35133b984fd38e542a3a85954ba2f8021431153b78d8

      Download Submit

    • memory/4604-0-0x0000000001F70000-0x0000000001FBE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4604-2-0x0000000002140000-0x0000000002195000-memory.dmp

      Filesize

      340KB

      Download

    • memory/4604-8-0x0000000000620000-0x0000000000628000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4604-9-0x0000000000620000-0x0000000000628000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4604-22-0x0000000002650000-0x000000000269E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4604-26-0x00000000027A0000-0x00000000027F5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/4604-25-0x00000000027A0000-0x00000000027F5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/4604-32-0x0000000000630000-0x0000000000638000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4604-40-0x0000000002650000-0x000000000269E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4604-39-0x0000000001F70000-0x0000000001FBE000-memory.dmp

      Filesize

      312KB

      Download