Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/08/2024, 01:48
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll
  - Resource: win7-20240705-en

Behavioral task
- behavioral2
  - Sample: 845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll
  - Resource: win10v2004-20240802-en
General
- Target: 845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll
- Size: 3KB
- MD5: 845d9bae68dfb559b8d0a3beece17d1e
- SHA1: ddaf1308b78216572d6e5f5b7c9fa9f5f9e68bc5
- SHA256: d4e9c5bcc9256f0de300e1494adca2050453b5380d7c5827a369fabb5861d7b2
- SHA512: 2f3029cbbee68e1cd02b0b25771cc6685476ba26a45a482c7fee97f02c9ac55da2e04424e69bfe1403d85f61478065df566d1c11021030e07ed6e0684f51ee69
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2592 | rundll32.exe (the same pid/process pair is reported for all 64 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2244 wrote to memory of 2592 | 2244 | rundll32.exe | 84
  PID 2244 wrote to memory of 2592 | 2244 | rundll32.exe | 84
  PID 2244 wrote to memory of 2592 | 2244 | rundll32.exe | 84
Processes
1. C:\Windows\system32\rundll32.exe (PID 2244)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2592)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

The tree is consistent with the 64-bit rundll32.exe (PID 2244) re-launching the 32-bit copy from SysWOW64 (PID 2592) with the same arguments because the DLL is 32-bit (resource tag arch:x86): the WriteProcessMemory IoCs are the parent writing into that child at launch, and the DLL's export #1 runs in PID 2592, which is where the language-key read and the process enumeration are observed.
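As an added example, not part of the Triage report and not the sandbox's own signature code, the following Python runs three detection rules over constructed Sysmon-style events shaped after the process tree and IoCs above: a rundll32 export invoked by ordinal from a user-writable directory, a 64-bit rundll32.exe re-launching the SysWOW64 copy with identical arguments, and a rundll32 process opening the NLS\Language key. PIDs, image paths, command lines and the registry key are taken from the report; the parent PID of the root process, the benign control event (pid 3001) and the rule names are assumptions.

```python
"""Detection logic over constructed, Sysmon-style events shaped after this
report's process tree and IoCs (sample data, not the sandbox's raw output)."""
import re

# Constructed events. PIDs, image paths, command lines and the registry key
# come from the report above; the root ppid (1000) and the benign control
# process (pid 3001) are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 2244, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll,#1"},
    {"type": "process_create", "pid": 2592, "ppid": 2244,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\845d9bae68dfb559b8d0a3beece17d1e_JaffaCakes118.dll,#1"},
    {"type": "registry_open", "pid": 2592,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # Benign control: a system DLL invoked by export name, no WoW64 re-launch.
    {"type": "process_create", "pid": 3001, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32.exe <dll>,<entrypoint> [args]. The first token
# after the image is the dll/entry pair; the entry may be a name or "#ordinal".
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32\.exe"?\s+(?P<target>"[^"]+"|\S+)', re.I)
USER_DIR_RE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
LANG_KEY_RE = re.compile(r"\\control\\nls\\language$", re.I)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def parse_rundll32(cmdline):
    """Return {'dll', 'entry', 'ordinal'} for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    target = m.group("target").strip('"')
    dll, sep, entry = target.rpartition(",")
    if not sep:                      # no comma: whole token is the DLL, no entry
        dll, entry = target, ""
    return {"dll": dll, "entry": entry, "ordinal": entry.startswith("#")}


def detect(events):
    """Run the three rules and return a list of (rule, pid, detail) findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create" and is_rundll32(e["image"]):
            parsed = parse_rundll32(e["cmdline"])
            # Rule 1: export invoked by ordinal, DLL in a user-writable directory.
            if parsed and parsed["ordinal"] and USER_DIR_RE.search(parsed["dll"]):
                findings.append(("rundll32_ordinal_user_dir", e["pid"],
                                 f"{parsed['dll']} entry {parsed['entry']}"))
            # Rule 2: 64-bit rundll32 re-launching the SysWOW64 copy with the same
            # arguments: the DLL is 32-bit and the child is the process running it.
            parent = procs.get(e["ppid"])
            if (parent and is_rundll32(parent["image"])
                    and "\\system32\\" in parent["image"].lower()
                    and "\\syswow64\\" in e["image"].lower()
                    and parent["cmdline"].lower() == e["cmdline"].lower()):
                findings.append(("rundll32_wow64_relaunch", e["pid"],
                                 f"parent {parent['pid']} -> child {e['pid']}"))
        # Rule 3: a rundll32 process reading the system language key
        # (the System Language Discovery IoC), a common geo-fencing check.
        elif (e["type"] == "registry_open" and is_rundll32(e["image"])
              and LANG_KEY_RE.search(e["key"])):
            findings.append(("system_language_discovery", e["pid"], e["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Rule 2 keys on the parent/child image directories and an identical command line rather than on the PIDs, so it carries over to other 64-bit hosts; the benign control event produces no finding because the export is named and the DLL is not under a user directory.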