Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 140s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 15/07/2024, 11:12
Static task: static1
Behavioral task: behavioral1
  Sample: 49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe
Size: 128KB
MD5: 49886a0f6a78612ac7e7d35a7deb0f53
SHA1: 2519a3834bf10bec08cb6b5d9612108366a5e7c4
SHA256: 8e8e41de3cf669a05f12f0d3d981a0653c20b7f688724491021728a7023ad195
SHA512: 3f557bc3a96aebb1f4116f21f2d60b2c837837411f7e76007c27f0daa5939a055728029b6637273f8c65a7b8163c1f1fc4adcc1354ab5dc1ee7809e1ba29343e
SSDEEP: 3072:/RkHRhqukTedU3M4qT+fpf1y7OlRXJdgMluoeolg:/uHuDYU3zqT8LgMluo
Malware Config
Signatures

Loads dropped DLL (8 IoCs)
  pid   Process
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe
  2848  rundll32.exe
  2848  rundll32.exe
  2848  rundll32.exe
  2848  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pliqupadewiyohup = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\pedwshwi.dll\",Startup"
  Process: rundll32.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe
  2276  rundll32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe
  2276  rundll32.exe
  2848  rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                         pid   Process                                              procid_target
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2316 wrote to memory of 2276    2316  49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe  30
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
  PID 2276 wrote to memory of 2848    2276  rundll32.exe                                         32
Processes

1. C:\Users\Admin\AppData\Local\Temp\49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49886a0f6a78612ac7e7d35a7deb0f53_JaffaCakes118.exe"
   PID: 2316
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\pedwshwi.dll",Startup
      PID: 2276
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe "C:\Users\Admin\AppData\Local\pedwshwi.dll",iep
         PID: 2848
         - Loads dropped DLL
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 128KB
MD5: 91fef4a3f0286ec1a0a9e04b26f63e64
SHA1: b6b117e033e169a5834669172d8b3c9c263d19e7
SHA256: 73d7caa5adb429cf0f0fc5e54fa93c31994e89bea34c5c00d93a81b5f7a58121
SHA512: 478e93bd0646078af870d9e41e1c3454deffcbb03dd1e1f1a1218ae0f6f8939143393a38b9465d457d8110a11b1b5597996baff2020f5c1c4cdd6b642cda541f