Analysis
  max time kernel:  13s
  max time network: 19s
  platform:         windows7_x64
  resource:         win7-20240704-en
  resource tags:    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:        09/08/2024, 21:06
Static task
  static1

Behavioral task
  behavioral1
  Sample:   838ebebc70e143a588dea3b6015b0836_JaffaCakes118.dll
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample:   838ebebc70e143a588dea3b6015b0836_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
  Target: 838ebebc70e143a588dea3b6015b0836_JaffaCakes118.dll
  Size:   113KB
  MD5:    838ebebc70e143a588dea3b6015b0836
  SHA1:   c3bc6254d8685f72fa8e23eb2a651d471748adfb
  SHA256: 2e03e3e69fc5f00e08a6700f21b81d9d0c96eb8857a74aeb6502e30931ee16c5
  SHA512: 8679e5dad1c94669234ce22761a0e7c73134a7cde13793305ac48bb02e63d8ad730abf0239ad9eb754a3b8a00af1d85432a953a34ca6e71f5122f77848956cf8
  SSDEEP: 1536:z4XKrvcRXJPmSCh9ZR8UKOaIiQHpGNfKFVHQbrVjcHD8ZuBa3ZcKkAgyiTg:zvr8XJPxORiQJK8HQPBwHYcKYyiT
Malware Config
Signatures

  System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

    description   ioc                                                          Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

  Suspicious behavior: EnumeratesProcesses (1 IoCs)

    pid    Process
    2820   rundll32.exe

  Suspicious use of WriteProcessMemory (7 IoCs)

    description                          pid    Process        procid_target
    PID 2556 wrote to memory of 2820     2556   rundll32.exe   29
    (the same entry is recorded 7 times)
Processes

  1. C:\Windows\system32\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\838ebebc70e143a588dea3b6015b0836_JaffaCakes118.dll,#1
     PID: 2556
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\838ebebc70e143a588dea3b6015b0836_JaffaCakes118.dll,#1
        PID: 2820
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses