Analysis

max time kernel:  15s
max time network: 19s
platform:         windows7_x64
resource:         win7-20240729-en
resource tags:    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted:        17/08/2024, 17:49
Static task: static1

Behavioral task: behavioral1
  Sample:   a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample:   a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General

Target: a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
Size:   56KB
MD5:    a386a95e1048d8300741e9cf5138fa6c
SHA1:   ec4e21b4108d9f0b371d45212c6d99cd53a060c4
SHA256: 932d2dfe044d54bf3f8d52c537023736cb2d2163074b88a2de81984fda49c59a
SHA512: 795ee457fcdeb8c6ffb4fc5dc3a595d2abc179016ed31b201328b766667b9aa401eb54918c42483574c872fee51e796095e442eb3354ef5825f371d7649d4b3d
SSDEEP: 768:zJP53DwAZ+FTLwzEMO2/zNB0mD661QKnhikoqnT5:N5zwAZcTLr2hLFX/oq
Malware Config
Signatures

Drops file in Windows directory (1 IoC)
  description                  ioc                 Process
  File opened for modification C:\Windows\win.ini  rundll32.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2628  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid   Process       procid_target
  PID 2296 wrote to memory of 2628 2296  rundll32.exe  30
  (the same entry is recorded seven times)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll,#1
   PID: 2296
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2296)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll,#1
      PID: 2628
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken