Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 17:59
Static task
static1: 1 signature

Behavioral task
behavioral1: 3e52d4a84d54a850fc71a258d5c82d9d_JaffaCakes118.dll on win7-20240705-en, 4 signatures, 150 seconds

Behavioral task
behavioral2: 3e52d4a84d54a850fc71a258d5c82d9d_JaffaCakes118.dll on win10v2004-20240709-en, 4 signatures, 150 seconds

The signatures and process tree below are from behavioral2 (win10v2004-20240709-en), matching the platform and resource listed under Analysis; the win7 run is a separate task.
General
Target: 3e52d4a84d54a850fc71a258d5c82d9d_JaffaCakes118.dll
Size: 33KB
MD5: 3e52d4a84d54a850fc71a258d5c82d9d
SHA1: c47cd5a4f9db5610bfae4cb1565c96c3d5b3e47d
SHA256: d8908755ffd54fa035cb953d8ee3f0f52ac3e848db70c6bd93e774d440e566ba
SHA512: 9f43fe8b38a2e3b6ac14f36ca0ea01bf0d84003f2bef401fb1884ef4e4b0ebf345478cd3571224a92dd5673c30d64142e922aa33a47d4ce1bf3394aedb4c4d25
SSDEEP: 768:ShvIm+tmYXrDgc8vV6JZ+ynXe/PGLos/+NZIf:ShvImoXXgc8vgJGGksQZa
Score: 5/10
Malware Config
Signatures

Drops file in System32 directory (2 IoCs)
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\segtrgh.dll  rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\segtrgh.dll  rundll32.exe

Both IoCs are the same dropped DLL, written by the 32-bit rundll32.exe (PID 2668) into SysWOW64, the 32-bit system directory, not System32 proper.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   process
  2668  rundll32.exe  (18 occurrences, all from the same process)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2668  rundll32.exe
  Token: SeDebugPrivilege  2668  rundll32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   process       procid_target
  PID 2524 wrote to memory of 2668  2524  rundll32.exe  83
  PID 2524 wrote to memory of 2668  2524  rundll32.exe  83
  PID 2524 wrote to memory of 2668  2524  rundll32.exe  83
  PID 2668 wrote to memory of 3512  2668  rundll32.exe  56
  PID 2668 wrote to memory of 3512  2668  rundll32.exe  56

procid_target is the sandbox's own process index for the target (83 and 56 here), not a Windows PID; the target's PID is in the description. The three writes from 2524 into 2668 are a parent writing into the child it has just created (see the process tree), which is expected when a process is started. The two writes from 2668 into 3512 go into Explorer.EXE, which is not a child of 2668; together with the SeDebugPrivilege request from the same process, that is the cross-process write an analyst should look at first.
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 3512

   2. C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e52d4a84d54a850fc71a258d5c82d9d_JaffaCakes118.dll,#1
      PID: 2524
      signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e52d4a84d54a850fc71a258d5c82d9d_JaffaCakes118.dll,#1
         PID: 2668
         signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

The sandbox launched the sample from Explorer.EXE with the 64-bit rundll32.exe (system32), calling export ordinal 1 (the ",#1" argument). That process re-launched the 32-bit rundll32.exe from SysWOW64 with the same command line, which is what the 64-bit rundll32 does when the DLL it is given is a 32-bit image; this agrees with the arch:x86 resource tag. All of the interesting behaviour (the dropped segtrgh.dll, SeDebugPrivilege, process enumeration and the write into Explorer.EXE) comes from the 32-bit child, PID 2668.
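Added example, not tria.ge's own signature engine: a Python script that re-derives three of the four behavioural signatures above (the System32/SysWOW64 drop, the SeDebugPrivilege request and the WriteProcessMemory calls) and the WOW64 re-spawn in the process tree from event records constructed by hand from this report's values. The event schema (field names event, pid, ppid, image, path, privilege, target_pid) is an assumption made for illustration, not the sandbox's export format. Its one addition over the raw signature list is the split of memory writes into parent-to-child writes and writes into an unrelated process, which is the distinction the analyst reads off the report by hand.

```python
"""Re-derive the report's behavioural signatures from constructed event records.

Added example; not tria.ge code. EVENTS is built by hand from the PIDs, image
paths and dropped file shown in the report. The field names are an assumed
schema for illustration, not the sandbox's real export format.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed from the report above; not a real sandbox export.
EVENTS = (
    [
        {"event": "process", "pid": 3512, "ppid": 0, "image": r"C:\Windows\Explorer.EXE"},
        {"event": "process", "pid": 2524, "ppid": 3512, "image": r"C:\Windows\system32\rundll32.exe"},
        {"event": "process", "pid": 2668, "ppid": 2524, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
        {"event": "file_create", "pid": 2668, "path": r"C:\Windows\SysWOW64\segtrgh.dll"},
        {"event": "file_open_write", "pid": 2668, "path": r"C:\Windows\SysWOW64\segtrgh.dll"},
        {"event": "adjust_token", "pid": 2668, "privilege": "SeDebugPrivilege"},
        {"event": "adjust_token", "pid": 2668, "privilege": "SeDebugPrivilege"},
    ]
    + [{"event": "write_process_memory", "pid": 2524, "target_pid": 2668}] * 3
    + [{"event": "write_process_memory", "pid": 2668, "target_pid": 3512}] * 2
)


def process_table(events):
    """pid -> {"image", "ppid"} built from the process-creation events."""
    return {e["pid"]: {"image": e["image"], "ppid": e["ppid"]}
            for e in events if e["event"] == "process"}


def drops_in_system_dir(events):
    """'Drops file in System32 directory': file creates/modifications whose path
    lies under System32 or SysWOW64, as (event, path, writer image name)."""
    procs = process_table(events)
    hits = []
    for e in events:
        if e["event"] in ("file_create", "file_open_write") \
                and e["path"].lower().startswith(SYSTEM_DIRS):
            hits.append((e["event"], e["path"], ntpath.basename(procs[e["pid"]]["image"])))
    return hits


def debug_privilege_requests(events):
    """'Suspicious use of AdjustPrivilegeToken': SeDebugPrivilege requests per pid."""
    counts = {}
    for e in events:
        if e["event"] == "adjust_token" and e["privilege"] == "SeDebugPrivilege":
            counts[e["pid"]] = counts.get(e["pid"], 0) + 1
    return counts


def classify_memory_writes(events):
    """'Suspicious use of WriteProcessMemory', split into writes into the writer's
    own child (seen when a parent sets up a process it has just created) and
    writes into any other process (the cross-process write that matters)."""
    procs = process_table(events)
    own_child, foreign = [], []
    for e in events:
        if e["event"] != "write_process_memory":
            continue
        target = procs[e["target_pid"]]
        rec = (e["pid"], e["target_pid"], ntpath.basename(target["image"]))
        (own_child if target["ppid"] == e["pid"] else foreign).append(rec)
    return {"own_child": own_child, "foreign": foreign}


def wow64_respawn(events):
    """True when a System32 rundll32.exe spawned a SysWOW64 rundll32.exe, i.e. the
    64-bit host re-launched the 32-bit one to load a 32-bit DLL."""
    procs = process_table(events)
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and p["image"].lower() == r"c:\windows\syswow64\rundll32.exe" \
                and parent["image"].lower() == r"c:\windows\system32\rundll32.exe":
            return True
    return False


if __name__ == "__main__":
    print("drops:", drops_in_system_dir(EVENTS))
    print("SeDebugPrivilege:", debug_privilege_requests(EVENTS))
    print("memory writes:", classify_memory_writes(EVENTS))
    print("WOW64 re-spawn:", wow64_respawn(EVENTS))
```

Run against a real export you would replace EVENTS with the sandbox's process, file and API records mapped onto the same fields; the parent/child split in classify_memory_writes is what turns five identical-looking WriteProcessMemory IoCs into one finding (2668 into Explorer.EXE) and three pieces of process-start noise.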