Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2024, 08:37
Static task: static1
Behavioral task: behavioral1
  Sample: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
Size: 70KB
MD5: 5fc85e4419d8733b43b5ae25afb88fbd
SHA1: 650b8906819e7b96b82a1788b58c5993c6b71c4a
SHA256: 6c7c6101a3de28e0abbb30de69473479e28d518d67d122df5c0b64f1325cb637
SHA512: 689b3195c7e79cdca6962911b9de3fe60d3e27ad19ba42e852e261d8b0e28e19aef2eb58b5f707ef21a23a1031adbd721f6b271642d0b518ae9710d46d6bc32d
SSDEEP: 1536:ACGeHGDJz+grk1IfNvh1NWgywTFZKKydVYHg9S:AjR+o4gFhZKwg
Malware Config
Signatures
- Loads dropped DLL (8 IoCs)
  pid   Process
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
  2704  rundll32.exe
  2704  rundll32.exe
  2704  rundll32.exe
  2704  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cviqihojis = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\lewmsy.dll\",Startup"  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
  2800  rundll32.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                              procid_target
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2620 wrote to memory of 2800  2620  5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe  31
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
  PID 2800 wrote to memory of 2704  2800  rundll32.exe                                         32
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe"
  PID: 2620
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\lewmsy.dll",Startup
    PID: 2800
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\lewmsy.dll",iep
      PID: 2704
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: f5224980dd9e1b73abe55009ba2a2ea3
  SHA1: 8d4bb7f08704bfdd7770b9f9701d868e6962194e
  SHA256: b0a4af04681bdbb45ae4b085be4d4e0c46bbfb2b354012308fd014983df651de
  SHA512: c6c6e4237caa87707296aca90de17ee9add3bc96ad7018774d96c6444658900ef76313bca653cf5083505c8f221ab607940897168594ae4dea4884318edd88f6