Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  122s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        14/07/2024, 08:41
Behavioral task: behavioral1
  Sample:   4515e5d21f61dd9bcaadf9094948e57b_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample:   4515e5d21f61dd9bcaadf9094948e57b_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
  Target: 4515e5d21f61dd9bcaadf9094948e57b_JaffaCakes118.dll
  Size:   120KB
  MD5:    4515e5d21f61dd9bcaadf9094948e57b
  SHA1:   56b41d6edb0ffea9ebec070649ccb542dadbb625
  SHA256: 1e96bb5b6683c0061e77821db787184f6c15696414c6fb71792392f79bba2d15
  SHA512: 31270f550a8a5041762d05efbe595bc7b805fbcd58d497d1d60b8f2414bae1223862e1a8d4d1f6de9da62adf53b436066bbe8f5c2cf8456b2bbd301936195880
  SSDEEP: 3072:deYZ6FCLi/bbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7Dzt0y:dxZ4wQwvP6bQ7yMP+DE827Pb
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
    description                    ioc                  Process
    File opened for modification   \??\PhysicalDrive0   rundll32.exe
- Modifies registry class (3 IoCs)
    description       ioc                                                      Process
    Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.key                  rundll32.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.key\                 rundll32.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"     rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
    description                         pid    Process        procid_target
    PID 2648 wrote to memory of 2748    2648   rundll32.exe   30
    (the same entry is recorded 7 times)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4515e5d21f61dd9bcaadf9094948e57b_JaffaCakes118.dll,#1
   PID: 2648
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2648)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4515e5d21f61dd9bcaadf9094948e57b_JaffaCakes118.dll,#1
      PID: 2748
      - Writes to the Master Boot Record (MBR)
      - Modifies registry class