Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22/07/2024, 09:19

General

  • Target

    62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll

  • Size

    1.3MB

  • MD5

    62aa951d7c043b9ab09eba4cf190a8a0

  • SHA1

    98100b81d653034bdc269ca74609466d6bd7f1a4

  • SHA256

    3ae9e6413dfeab7c352a6725d94781fef66da320691760173b8973b63607e00d

  • SHA512

    417c2a6828e5122731c7300eedc55e3f73a0a5691a7f14d7fe20cf39aa2c887e0b21d8e6527fcf3dc296c08507f4389078bb0b76f04199501adcde474fcd2826

  • SSDEEP

    12288:0DF3Jd1x080T/mlJpA/77Z8ZKdo/SMZoSr2SnPiXiydhwXGGGGXdhw7Q3:0DD2TmfpA/776KlMPZPiXJdcdMg

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\SkinH_EL.dll

    Filesize

    86KB

    MD5

    147127382e001f495d1842ee7a9e7912

    SHA1

    92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

    SHA256

    edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

    SHA512

    97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

  • \Windows\SysWOW64\Êý¾Ý¿âÎļþ(Îðɾ).dll

    Filesize

    59KB

    MD5

    c9df0cc26b1d586f2c58b27a22d6a154

    SHA1

    160f81ac48751f939b4e286aab636abafb663898

    SHA256

    52f0a16626ccbf8921ae43d322090d67609beca5595968e5f9b530c2776ea4ec

    SHA512

    9ac797aea76f52f4d386b46e1b4f29f1ea0903e604c614205e37457e6195de2043a9e625f0ea5b1ca87a4004b7a89acaa0c4eabd1d742b26fcf544176af10a07

  • memory/2384-6-0x0000000000C60000-0x0000000000C9D000-memory.dmp

    Filesize

    244KB

  • memory/2384-14-0x0000000002240000-0x0000000002274000-memory.dmp

    Filesize

    208KB

  • memory/2384-13-0x0000000002240000-0x0000000002274000-memory.dmp

    Filesize

    208KB

  • memory/2384-15-0x0000000002240000-0x0000000002274000-memory.dmp

    Filesize

    208KB