Analysis
- max time kernel: 130s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 10:39
Static task: static1

Behavioral task: behavioral1
  Sample: b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll
- Size: 16KB
- MD5: b3246e524bf177fa9f6e2fbece91edf5
- SHA1: b4ab912a42a898858b155e0d7cd81dda8f269e9b
- SHA256: 5e1d2dca8da62ad2597d1cb992ba5cc62681ab49a339149d37f3728add5c754e
- SHA512: be129d0967566ccff562064cae536c9ca908ef199f6f1708d58f74ed2b1984cc51849cd34fb152ddbf30a6dfb4de2711a93944901449aba5aef78c4ec278c1aa
- SSDEEP: 384:d28a7tn6gxNruplPCy/UuXRD3kNcJ0EI8:EVdxClPQYRDUN80x8
Malware Config
Signatures
- Program crash (1 IoC)
  pid     pid_target   Process        procid_target
  2156    1388         WerFault.exe   88

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process        procid_target
  PID 552 wrote to memory of 3580    552    rundll32.exe   83
  PID 552 wrote to memory of 3580    552    rundll32.exe   83
  PID 552 wrote to memory of 3580    552    rundll32.exe   83
  PID 3580 wrote to memory of 4980   3580   rundll32.exe   87
  PID 3580 wrote to memory of 4980   3580   rundll32.exe   87
  PID 3580 wrote to memory of 4980   3580   rundll32.exe   87
  PID 4980 wrote to memory of 1388   4980   rundll32.exe   88
  PID 4980 wrote to memory of 1388   4980   rundll32.exe   88
  PID 4980 wrote to memory of 1388   4980   rundll32.exe   88
Processes
- C:\Windows\system32\rundll32.exe (PID 552)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3580)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll,#1
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4980)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll,#1
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 1388)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3246e524bf177fa9f6e2fbece91edf5_JaffaCakes118.dll,#1
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 2156)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 544
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1300)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388