Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
    max time kernel: 145s
    max time network: 124s
    platform: windows7_x64
    resource: win7-20240705-en
    resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
    submitted: 15/08/2024, 02:46
Static task
    static1
Behavioral tasks
    behavioral1: sample 98a4496b6ba500b3bf0a4df0dc48f79c_JaffaCakes118.exe, resource win7-20240705-en
    behavioral2: sample 98a4496b6ba500b3bf0a4df0dc48f79c_JaffaCakes118.exe, resource win10v2004-20240802-en
    behavioral3: sample $PLUGINSDIR/iewybf.dll, resource win7-20240705-en
    behavioral4: sample $PLUGINSDIR/iewybf.dll, resource win10v2004-20240802-en
General
    Target: $PLUGINSDIR/iewybf.dll
    Size: 29KB
    MD5: 4256ddc7ba4f2ab39fb28f081e870cfa
    SHA1: 8c1f0f6e94b68510bbffbf81143c5f26ebd913b6
    SHA256: d519f718eca42250c87657b679a8a9d1766d331e6ee242d18bd739998bf44350
    SHA512: a71ac74ad9d95c6b755858b0a75beaa3ec26e20eca252445a2d1541156d96bd39e39c30daa5eda28bafe8de2e2d67c2c70b25dce6b7f38f4ac0a0dfa60599c1a
    SSDEEP: 768:ubYYsBQJDh7wN4Ce10NUW5gPO8P9MOVAiTtm/MNJ:+IBQJDPGgPO8P9vAVm
Malware Config
Extracted
    Family: formbook
    Version: 4.1
    Campaign: bkye
    Domains:
lawnandgardenzone.com
eazymoneyindia.com
macroscopicsystem.com
aocsw.com
maisonetjardinltd.com
khadijahtv.com
shashameneland.com
kildebasen.com
lovetxts.com
easycompanyarmory.com
surviveit.info
greenterra.solutions
ushergiving.com
stickyickybakery.com
pyesquard.com
dailyinformerblog.com
thekimchilife.com
rainbow-bm.com
bosonetwork.com
bestacnetreatmentever.com
amigos-chat.com
flyfreeonline.com
talismanyachting.com
sustainfulness.com
westernusgold.com
ddiversas.com
tammyscountrykitchen.com
jwdrill.net
pont-travaux-public.com
torokino.site
klantenvinden.com
service-importsecure.com
worldcargotransits.com
x-box2send23.club
kahhariresort.com
elveganmofongo.com
cbluedottvwdmall.com
skywalker413.net
citestaccnt1597669574.com
arita-kurita.com
zxxs259.com
dxnewradio.com
advancedpaymentsol.com
devo-denz.com
loopsandsoundtracks.com
recluseintherye.com
marc-pilon.com
travail-collaboratif.info
moresocialmedia.online
zhepaichuwei.com
v6moparnation.com
mhvproperties.com
wwwcpa125.com
sunshine-today.com
atlerz.com
zhmscbw.com
engoru.xyz
europremiumproducts.com
yejsubtrox.xyz
angellahskitchen.com
rulesfamily.com
hesups.com
adellestore.com
jhyibin.com
dronepixstudios.com
Signatures

Formbook payload (2 IoCs)
    resource                                                                     yara_rule
    behavioral3/memory/2028-1-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
    behavioral3/memory/2028-6-0x0000000000400000-0x000000000042E000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
    description                           pid    Process        procid_target
    PID 2504 set thread context of 2028   2504   rundll32.exe   32
    PID 2028 set thread context of 1204   2028   rundll32.exe   21
    PID 2112 set thread context of 1204   2112   svchost.exe    21

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                            Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svchost.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
    pid    Process        entries
    2028   rundll32.exe   2
    2112   svchost.exe    29

Suspicious behavior: MapViewOfSection (5 IoCs)
    pid    Process        entries
    2028   rundll32.exe   3
    2112   svchost.exe    2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   2028   rundll32.exe
    Token: SeDebugPrivilege   2112   svchost.exe

Suspicious use of WriteProcessMemory (25 IoCs)
    description                        pid    Process        procid_target   entries
    PID 2332 wrote to memory of 2504   2332   rundll32.exe   31              7
    PID 2504 wrote to memory of 2028   2504   rundll32.exe   32              10
    PID 1204 wrote to memory of 2112   1204   Explorer.EXE   33              4
    PID 2112 wrote to memory of 1804   2112   svchost.exe    34              4
Processes

C:\Windows\Explorer.EXE (PID 1204)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (PID 2332)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iewybf.dll,#1
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe (PID 2504)
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iewybf.dll,#1
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\rundll32.exe (PID 2028)
                command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iewybf.dll,#1
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\svchost.exe (PID 2112)
        command line: "C:\Windows\SysWOW64\svchost.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1804)
            command line: /c del "C:\Windows\SysWOW64\rundll32.exe"
            - System Location Discovery: System Language Discovery