Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 09:37
Static task
static1

Behavioral task
behavioral1
Sample: 21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll
Resource: win7-20240508-en

Behavioral task
behavioral2
Sample: 21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll
Resource: win10v2004-20240611-en
General
Target: 21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll
Size: 241KB
MD5: 21e297eefb0d199aaae7da5aa9399320
SHA1: d5ad2fdbae7495170f046ee8d1716d51a8bf923e
SHA256: 05e00652504e31cf7ff8b660b1305bac68230af35b6b6e4ba64a417383e23638
SHA512: e619afe903e67ce4d41137aa1f43b29f8437b8974033ee1a2e16e79debbf87ebe6a2ec83748ea7096bf5f7868cfa9fa27ffe4e5cfd99b433cf997cc23ac5bf4d
SSDEEP: 6144:4VoguLpLhbQhkaFTAGvpHaS9oYU9j9b3hXG+C:4W/RSFFFHaS9oYU9rG+C
Malware Config
Signatures

Memory dumps matching yara rule upx (6 hits, all from PID 4804, region 0x10000000-0x100A9000)
resource                                                                     yara_rule
behavioral2/memory/4804-0-0x0000000010000000-0x00000000100A9000-memory.dmp   upx
behavioral2/memory/4804-1-0x0000000010000000-0x00000000100A9000-memory.dmp   upx
behavioral2/memory/4804-2-0x0000000010000000-0x00000000100A9000-memory.dmp   upx
behavioral2/memory/4804-5-0x0000000010000000-0x00000000100A9000-memory.dmp   upx
behavioral2/memory/4804-6-0x0000000010000000-0x00000000100A9000-memory.dmp   upx
behavioral2/memory/4804-7-0x0000000010000000-0x00000000100A9000-memory.dmp   upx

Runs net.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
4804   rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                        pid    Process        procid_target
PID 1536 wrote to memory of 4804   1536   rundll32.exe   83
PID 1536 wrote to memory of 4804   1536   rundll32.exe   83
PID 1536 wrote to memory of 4804   1536   rundll32.exe   83
PID 4804 wrote to memory of 1076   4804   rundll32.exe   84
PID 4804 wrote to memory of 1076   4804   rundll32.exe   84
PID 4804 wrote to memory of 1076   4804   rundll32.exe   84
PID 1076 wrote to memory of 612    1076   net.exe        86
PID 1076 wrote to memory of 612    1076   net.exe        86
PID 1076 wrote to memory of 612    1076   net.exe        86
PID 4804 wrote to memory of 4560   4804   rundll32.exe   98
PID 4804 wrote to memory of 4560   4804   rundll32.exe   98
PID 4804 wrote to memory of 4560   4804   rundll32.exe   98
PID 4560 wrote to memory of 2772   4560   net.exe        100
PID 4560 wrote to memory of 2772   4560   net.exe        100
PID 4560 wrote to memory of 2772   4560   net.exe        100
Processes

C:\Windows\system32\rundll32.exe  (PID 1536)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 4804)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 1076)
      net stop winss
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 612)
        C:\Windows\system32\net1 stop winss

    C:\Windows\SysWOW64\net.exe  (PID 4560)
      net stop OcHealthMon
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 2772)
        C:\Windows\system32\net1 stop OcHealthMon
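The process tree above shows two things a detection engineer would want to pull out of endpoint telemetry: the 64-bit System32 rundll32.exe re-launching itself as the SysWOW64 rundll32.exe with the same DLL argument (which is what rundll32 does when the DLL it is asked to load is 32-bit, consistent with the arch:x86 tag), and the WoW64 rundll32 then spawning net.exe / net1.exe to stop the services winss and OcHealthMon. The script below is an added example, not part of the Triage report. Its event records are constructed by hand from the PIDs, image paths and command lines in the tree; the field names pid, ppid, image and cmdline are an assumption and do not correspond to any particular log format.

```python
"""Reconstruct parent/child chains from process-creation events and flag
(a) a System32 rundll32.exe that relaunched as SysWOW64 rundll32.exe with
the same arguments, and (b) net/net1 'stop <service>' commands whose
ancestry contains rundll32.exe.

Added example, not part of the Triage report. Field names are assumed."""
import re

# Constructed from the report's process tree (behavioral2, win10v2004).
EVENTS = [
    {"pid": 1536, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1"},
    {"pid": 4804, "ppid": 1536, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1"},
    {"pid": 1076, "ppid": 4804, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net stop winss"},
    {"pid": 612, "ppid": 1076, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop winss"},
    {"pid": 4560, "ppid": 4804, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net stop OcHealthMon"},
    {"pid": 2772, "ppid": 4560, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop OcHealthMon"},
]

# "net stop X" or "<path>\net1 stop X", with or without .exe, any case.
SERVICE_STOP = re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)


def _split_path(path):
    """(lower-case directory, lower-case file name) of a Windows image path."""
    directory, _, name = path.replace("\\", "/").lower().rpartition("/")
    return directory, name


def image_name(path):
    return _split_path(path)[1]


def stopped_service(cmdline):
    """Service name from a net/net1 'stop' command line, else None."""
    m = SERVICE_STOP.search(cmdline)
    return m.group(1) if m else None


def ancestry(events, pid):
    """Image names from the process itself up to the root, via ppid links.
    The 'seen' set guards against cyclic or recycled PIDs in real telemetry."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_service_stops(events):
    """One finding per net/net1 'stop' invocation. net.exe hands the real
    work to net1.exe, so each stop shows up twice; both are reported so the
    analyst can see the full chain."""
    findings = []
    for e in events:
        if image_name(e["image"]) not in ("net.exe", "net1.exe"):
            continue
        svc = stopped_service(e["cmdline"])
        if svc is None:
            continue
        chain = ancestry(events, e["pid"])
        findings.append({
            "pid": e["pid"],
            "service": svc,
            "chain": " <- ".join(chain),
            "via_rundll32": "rundll32.exe" in chain[1:],
        })
    return findings


def wow64_relaunches(events):
    """(parent_pid, child_pid) pairs where a System32 rundll32.exe spawned a
    SysWOW64 rundll32.exe with identical arguments: rundll32 does this when
    the requested DLL is 32-bit on 64-bit Windows."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        cdir, cname = _split_path(e["image"])
        pdir, pname = _split_path(parent["image"])
        same_args = e["cmdline"].split(None, 1)[1:] == parent["cmdline"].split(None, 1)[1:]
        if (cname == pname == "rundll32.exe" and cdir.endswith("/syswow64")
                and pdir.endswith("/system32") and same_args):
            pairs.append((parent["pid"], e["pid"]))
    return pairs


if __name__ == "__main__":
    for p, c in wow64_relaunches(EVENTS):
        print(f"32-bit DLL: rundll32 {p} relaunched as SysWOW64 rundll32 {c}")
    for f in find_service_stops(EVENTS):
        print(f"pid {f['pid']}: stop {f['service']} via_rundll32={f['via_rundll32']} ({f['chain']})")
```

On the report's tree this yields one WoW64 relaunch (1536 -> 4804) and four service-stop findings (winss and OcHealthMon, each once from net.exe and once from net1.exe), all with rundll32.exe in the ancestry. Fed real Sysmon or EDR process-creation events with the same four fields, the ancestry walk is what separates a benign admin typing net stop from a DLL loaded through rundll32 doing it.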