Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 00:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
- Size: 49KB
- MD5: 329125cb74987be402641dae0dac0468
- SHA1: ecc0ad80be80f552d3db782727a07fedd2748dbc
- SHA256: 5939216313878c4162162155405c8829655b20c38c39fe751556911fb15f07b6
- SHA512: 584b9f4c366eee488d2bc3817e6948ec10c0fe1ea4137572fb9a3ad2b766710c7c4695de369fa50db7ecd065e73dbe50756eaffa3f6f96ec5c7f96346c61e385
- SSDEEP: 768:RM6vXHIn3W6z2SXibYPIKLiQZXVHjVRyYLv+OJxy8XBb2ffxUTQKwyIVOrpJ3:RMUonmaXi/EZX9yYLxvxksyYpJ3
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  12 | 3436 | rundll32.exe
  14 | 3436 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
  3436 | rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\fccdddBR.dll,#1" | rundll32.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rqRLcCuu.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\fccdddBR.dll | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\fccdddBR.dll | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
- Modifies registry class (4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\fccdddBR.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe (2 entries)
  3436 | rundll32.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4680 wrote to memory of 620 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 5
  PID 4680 wrote to memory of 3436 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 84
  PID 4680 wrote to memory of 3436 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 84
  PID 4680 wrote to memory of 3436 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 84
  PID 4680 wrote to memory of 3416 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 85
  PID 4680 wrote to memory of 3416 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 85
  PID 4680 wrote to memory of 3416 | 4680 | 329125cb74987be402641dae0dac0468_JaffaCakes118.exe | 85
  PID 3436 wrote to memory of 2524 | 3436 | rundll32.exe | 87
  PID 3436 wrote to memory of 2524 | 3436 | rundll32.exe | 87
  PID 3436 wrote to memory of 2524 | 3436 | rundll32.exe | 87
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  depth 1, PID: 620
- C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe"
  depth 1, PID: 4680
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Windows\system32\fccdddBR.dll,a
    depth 2, PID: 3436
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe "C:\Windows\system32\rqRLcCuu.dll",s
      depth 3, PID: 2524
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxyxXNda.bat "C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe"
    depth 2, PID: 3416
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71B
  MD5: 52667c9ca6aa06b47f079883578de185
  SHA1: ee5c5ac6aaf229d0091f310aa34f487f54b9f4e8
  SHA256: eca0be39aca8aac76e43fd4a5fb3d4da7d212ce0628294f2e873bea6e39122d3
  SHA512: c393bbe7e699fe8b1dd4171a742c61242a8d3aee100bbcd9a4cad4fb7a5677bcc8ad20880d87c4d6bbfc7e8046e6d4b54a5a582d903c21369b2efb50326f92a2
- Filesize: 36KB
  MD5: 2bfecb1bbb48dfc6de080b4221e77c50
  SHA1: 9ed1940b86eb205934f76d78826e7d6ba948b3e8
  SHA256: 6fab590506d524da205eccb59f44bdfeba07f12d051eac1c9876ecc524b43106
  SHA512: a24acdbdd9cda1912e7b1ceba6b78603cffbc16c3e2d1dd54b6dc0da99b1263617e006ba86799beadcbefd65b0cfd41218322b5184269a566e7bab5311f83685
- Filesize: 1KB
  MD5: 3c7feb8a01f4335cb4d0e6c25a31f2cf
  SHA1: 0ee2d8d32130a70e3ac1ddc26156b2d5e8f390e3
  SHA256: 02d6edf0cf3bca3be07d7c7ac1fd052add5a422dd0d22ab3a0eead550b985bb3
  SHA512: 907679f48adcaa26de209184c904842594950c104a29a98833e4691939a2623c26a19a038b7e1ed98806088f08c2e7522285485038c661f5a18fc3c2a3713d31