Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 15:28
Static task: static1
Behavioral task: behavioral1
  Sample: 74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll
Size: 1.1MB
MD5: 74a0ccaab31e32912f947d30b9478020
SHA1: 2dc7c3b54b92c0484d549da3c4a8b58f6c7ee238
SHA256: 584bbfd86bb3f92d5ee176ab516943966c9339c1dda2063b02a6a7a4cddac746
SHA512: 88ae7a924cd838adcc35b4b3d2d9b63ee6e9b797c5712234452920bec6c418e8646f4ab0a30c910505fd6d795039996bb235d3aefddbdcbcbddba8ff3e609aa5
SSDEEP: 24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00y:SuNZ7Ib8ZBL2/XR
Malware Config
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll" | regsvr32.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\d201b00115.dll | svchost.exe
  File created | C:\Windows\SysWOW64\d201b00115.dll | svchost.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 4476 wrote to memory of 3028 | 4476 | regsvr32.exe | 84
  PID 4476 wrote to memory of 3028 | 4476 | regsvr32.exe | 84
  PID 4476 wrote to memory of 3028 | 4476 | regsvr32.exe | 84
Processes

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll
  PID: 4476
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\74a0ccaab31e32912f947d30b9478020_JaffaCakes118.dll
    PID: 3028
    - Server Software Component: Terminal Services DLL
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k dtcGep -s dticem
  PID: 420
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 135B
MD5: 80df1e19aba98b81c3ea02396d8313e3
SHA1: c4bdbaec4ccf0f58e078a1d3ffe8976cb848aa8b
SHA256: 1b043dc578bc4d587c160eba32e4eac207f06074709a51e9b610435ea9c1b254
SHA512: 3bb0c27f358fb44245a6de6ea6e68374dbd77ee14ee2bcbbfb4e3c91d5e6b3e471bef81c4a6342296663fb8d5cf9d12ec3a2b3ab3308dfa24872dac124cdc81d

Filesize: 114B
MD5: f59633b854020316f43860e6164a6c55
SHA1: fc62ab9ca0720a97b7514311ae6bf012a2275327
SHA256: cb5036aaa564868c4648317be52bbe7b4718150001815a11d526f5935ef3e365
SHA512: 8b1258cc76b2dab63fe07da1362f48ebc2cef945c2930601ea1e8e38a821c8254477eeac00a3ec40179efa4a03043515df0f05d5588b611f25c5078495b222f7