Analysis
- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 13:43
Static task: static1
Behavioral task: behavioral1
  Sample: 744d6e1b87a9c6eadf4e4208ff19f35c_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 744d6e1b87a9c6eadf4e4208ff19f35c_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
- Target: 744d6e1b87a9c6eadf4e4208ff19f35c_JaffaCakes118.dll
- Size: 176KB
- MD5: 744d6e1b87a9c6eadf4e4208ff19f35c
- SHA1: 147d9fa0c406d8f7c221905b5ccb0cd019c5fabe
- SHA256: 7efbc0bc9bd3dcf9b3e03fe93130898fb4f4f91c6243fcdf1123671a48efcfa2
- SHA512: 2391a3c7046d6f7e9a9d11cded2dd07e02d28a9321406422299dd3c65d1db064c9c90f50a30b777e8741ba6f512a0d7432fb82e8c8f9837289125f38cb0cc0a9
- SSDEEP: 3072:bY9uw5G+6aQzsZ5X35MichVoktMGj2r6hwamPTmumtPpuz:bMQ8JcheeUHUpK
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qegbdmwf = "{B0F7003F-D6BB-43CE-93CE-9BA5BDF5B58F}" | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0F7003F-D6BB-43CE-93CE-9BA5BDF5B58F}\InProcServer32 | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0F7003F-D6BB-43CE-93CE-9BA5BDF5B58F} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0F7003F-D6BB-43CE-93CE-9BA5BDF5B58F}\InProcServer32\ = "C:\\Windows\\qegbdmwf.dll" | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
  PID 2944 wrote to memory of 2300 | 2944 | rundll32.exe | 30
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\744d6e1b87a9c6eadf4e4208ff19f35c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2944
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 2944)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\744d6e1b87a9c6eadf4e4208ff19f35c_JaffaCakes118.dll,#1
    - Adds autorun key to be loaded by Explorer.exe on startup
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2300