Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel: 133s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17/08/2024, 17:49
Tasks
  Static task static1
  Behavioral task behavioral1
    Sample: a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
    Resource: win7-20240729-en
  Behavioral task behavioral2
    Sample: a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
    Resource: win10v2004-20240802-en
General
  Target: a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll
  Size: 56KB
  MD5: a386a95e1048d8300741e9cf5138fa6c
  SHA1: ec4e21b4108d9f0b371d45212c6d99cd53a060c4
  SHA256: 932d2dfe044d54bf3f8d52c537023736cb2d2163074b88a2de81984fda49c59a
  SHA512: 795ee457fcdeb8c6ffb4fc5dc3a595d2abc179016ed31b201328b766667b9aa401eb54918c42483574c872fee51e796095e442eb3354ef5825f371d7649d4b3d
  SSDEEP: 768:zJP53DwAZ+FTLwzEMO2/zNB0mD661QKnhikoqnT5:N5zwAZcTLr2hLFX/oq

Malware Config
  (no entries)
Signatures
  Drops file in Windows directory (1 IoC)
    File opened for modification: C:\Windows\win.ini  (process: rundll32.exe)
  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: rundll32.exe)
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  (PID 1584, rundll32.exe)
  Suspicious use of WriteProcessMemory (3 IoCs)
    PID 4492 wrote to memory of 1584  (PID 4492, rundll32.exe, procid_target 84), recorded three times
Processes (behavioral2, Windows 10 run)
  C:\Windows\system32\rundll32.exe  (PID 4492)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\SysWOW64\rundll32.exe  (PID 1584)
         command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll,#1
         signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

Reading the tree: ",#1" tells rundll32 to call the DLL's export at ordinal 1. A 64-bit rundll32 that is handed a 32-bit DLL re-launches the SysWOW64 copy of itself with the same command line, so the three "wrote to memory of 1584" events are the parent-to-child writes of that WoW64 hand-off and are consistent with ordinary process creation rather than code injection. All behaviour attributed to the sample itself (win.ini opened for modification, the NLS\Language key read, SeDebugPrivilege enabled) occurs in the 32-bit child, PID 1584. Only the Windows 10 run is shown here; the win7-20240729-en task (behavioral1) is listed but no results for it appear on this page.
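To make the signature rows and the process-tree caveat above reproducible, here is an added example (not tria.ge's rule engine) that re-derives the four signatures from a list of behavioural events and annotates each cross-process write according to whether it is explained by the parent 64-bit rundll32 hand-off to its SysWOW64 child. The `Event` field names and the `REPORT_EVENTS` list are constructed to mirror this report and are an assumption, not Triage's export schema.

```python
# Added example (not tria.ge's code): re-derive the report's four signatures
# from behavioural events and annotate cross-process writes explained by the
# 64-bit -> WoW64 rundll32 hand-off seen in the process tree.
# Event field names and REPORT_EVENTS are constructed to mirror the report;
# they are an assumption, not Triage's export schema.
from dataclasses import dataclass
from collections import Counter


@dataclass
class Event:
    kind: str          # process | file_write | reg_open | token_priv | proc_write
    pid: int
    image: str
    ppid: int = 0      # 0 = parent not recorded
    cmdline: str = ""
    target: str = ""   # path, registry key, privilege name, or target PID as text


RUNDLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\a386a95e1048d8300741e9cf5138fa6c_JaffaCakes118.dll,#1")
X64 = r"C:\Windows\system32\rundll32.exe"
X86 = r"C:\Windows\SysWOW64\rundll32.exe"

# Constructed from the Processes and Signatures sections of the report.
REPORT_EVENTS = [
    Event("process", 4492, X64, cmdline=RUNDLL_CMD),
    Event("process", 1584, X86, ppid=4492, cmdline=RUNDLL_CMD),
    Event("proc_write", 4492, X64, target="1584"),
    Event("proc_write", 4492, X64, target="1584"),
    Event("proc_write", 4492, X64, target="1584"),
    Event("token_priv", 1584, X86, target="SeDebugPrivilege"),
    Event("file_write", 1584, X86, target=r"C:\Windows\win.ini"),
    Event("reg_open", 1584, X86,
          target=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

WINDOWS_DIR = "c:\\windows\\"
NLS_LANGUAGE_KEY = "\\control\\nls\\language"
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

SIG_DROP = "Drops file in Windows directory"
SIG_LANG = "System Location Discovery: System Language Discovery"
SIG_PRIV = "Suspicious use of AdjustPrivilegeToken"
SIG_WPM = "Suspicious use of WriteProcessMemory"


def handoff_note(writer, target):
    """Explain a cross-process write. A 64-bit rundll32 writing into the
    SysWOW64 rundll32 it just spawned with the same command line is the
    normal WoW64 hand-off for a 32-bit DLL, not evidence of injection."""
    if writer is None or target is None:
        return "target process not in tree; review for injection"
    if (target.ppid == writer.pid
            and writer.image.lower().endswith("\\system32\\rundll32.exe")
            and target.image.lower().endswith("\\syswow64\\rundll32.exe")
            and writer.cmdline.lower() == target.cmdline.lower()):
        return "parent->child write during WoW64 rundll32 hand-off; consistent with process creation"
    return "cross-process write outside a rundll32 hand-off; review for injection"


def run_rules(events):
    """Return one finding per matching IoC, mirroring the report's signature rows."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "file_write" and e.target.lower().startswith(WINDOWS_DIR):
            findings.append({"sig": SIG_DROP, "pid": e.pid, "ioc": e.target})
        elif e.kind == "reg_open" and e.target.lower().endswith(NLS_LANGUAGE_KEY):
            findings.append({"sig": SIG_LANG, "pid": e.pid, "ioc": e.target})
        elif e.kind == "token_priv" and e.target in SENSITIVE_PRIVS:
            findings.append({"sig": SIG_PRIV, "pid": e.pid, "ioc": e.target})
        elif e.kind == "proc_write" and int(e.target) != e.pid:
            tgt = int(e.target)   # writes to a process's own address space are skipped above
            findings.append({
                "sig": SIG_WPM, "pid": e.pid,
                "ioc": f"PID {e.pid} wrote to memory of {tgt}",
                "note": handoff_note(procs.get(e.pid), procs.get(tgt)),
            })
    return findings


def summarize(events):
    """IoC count per signature; for REPORT_EVENTS this gives 1/1/1 and 3 for WriteProcessMemory."""
    return dict(Counter(f["sig"] for f in run_rules(events)))


if __name__ == "__main__":
    for finding in run_rules(REPORT_EVENTS):
        print(finding)
```

The hand-off rule is a triage heuristic, not proof of benign behaviour: it only downgrades writes from a parent rundll32 into a SysWOW64 child carrying the identical command line, and any write to a process outside that relationship is still surfaced for injection review.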