Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 12s
max time network: 15s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2024, 03:31
Static task: static1
Behavioral task: behavioral1
Sample: 441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll
Resource: win7-20240704-en
General
Target: 441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll
Size: 124KB
MD5: 441e3a4bc788dedf60588c7d99dd60d4
SHA1: ca09b2912f4bc08ee232bfaf59da965be29f1435
SHA256: 719ccc6adde36900dea84188f6556181e2fae12418c55ac3e24093b403190767
SHA512: 94791332f737b40762dea2a211ad22f448246c13add30845e9c922e4f50c18fb4df18a13dbb9e835d6307a9643e26e4fa27fb78279a9e7c8d5dac1b1c34e549b
SSDEEP: 3072:Z61Ye3TaEu2CoCcn3zO7A4D8XHqhpiNeiIi+l1UUzGh0wf:ATa12CoCckAe8iicx6mGl
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  888   rundll32mgr.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2504  rundll32.exe   (2 entries)
  2444  WerFault.exe   (7 entries)

Drops file in System32 directory (1 IoC)
  description   ioc                                    Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe    rundll32.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2464  2504        WerFault.exe  29
  2444  888         WerFault.exe  30

Suspicious use of WriteProcessMemory (19 IoCs)
  description                          pid   Process          procid_target  entries
  PID 2548 wrote to memory of 2504     2548  rundll32.exe     29             7
  PID 2504 wrote to memory of 888      2504  rundll32.exe     30             4
  PID 888 wrote to memory of 2444      888   rundll32mgr.exe  32             4
  PID 2504 wrote to memory of 2464     2504  rundll32.exe     31             4
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll,#1
  PID: 2548
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll,#1
    PID: 2504
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 888
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 156
        PID: 2444
        - Loads dropped DLL
        - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 228
      PID: 2464
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 59KB
MD5: 0e0f0ae845d89c22bb6385f64a6b85fd
SHA1: 0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac
SHA256: 5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd
SHA512: baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350