Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 132s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 12:14
Static task
- static1
Behavioral task
- behavioral1
  - Sample: c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll
  - Resource: win10v2004-20240802-en
General
- Target: c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll
- Size: 1.5MB
- MD5: c0b9b35382d8ce1eb9214a345cb426aa
- SHA1: 1f6c920ad895a55313c2577089fa9dfe6a4863d2
- SHA256: 22d34c4e45800b1cc6667aa7d2a6afd044aaf0456e0b86e6b150cdab1a5a9eee
- SHA512: 23b42a6c523ab5fd436a5e8155817608be56c8ba2ffbecaa613a19f7c9cdaebac4e5d91bfe086a2ab0f12cfb07ee363ef6603195fd288fce6991ed6a2ee8aad5
- SSDEEP: 24576:SMG0BU5hg49JASpliJt/ZxZcoCfih32WyOzhTUT738kRi:SUBU5hpJASpIJp7NCQ38shgT7M+i
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  27 | 2528 | rundll32.exe
  29 | 2528 | rundll32.exe
  31 | 2528 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
- Delays execution with timeout.exe (2 IoCs)
  pid | Process
  3984 | timeout.exe
  3504 | timeout.exe
- Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572 | rundll32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572\Blob = [certificate blob data not included in this extract] | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E | rundll32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E\Blob = [certificate blob data not included in this extract] | rundll32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2288 wrote to memory of 2528 | 2288 | rundll32.exe | 84
  PID 2288 wrote to memory of 2528 | 2288 | rundll32.exe | 84
  PID 2288 wrote to memory of 2528 | 2288 | rundll32.exe | 84
  PID 2528 wrote to memory of 3916 | 2528 | rundll32.exe | 99
  PID 2528 wrote to memory of 3916 | 2528 | rundll32.exe | 99
  PID 2528 wrote to memory of 3916 | 2528 | rundll32.exe | 99
  PID 3916 wrote to memory of 3984 | 3916 | cmd.exe | 101
  PID 3916 wrote to memory of 3984 | 3916 | cmd.exe | 101
  PID 3916 wrote to memory of 3984 | 3916 | cmd.exe | 101
  PID 3916 wrote to memory of 3504 | 3916 | cmd.exe | 102
  PID 3916 wrote to memory of 3504 | 3916 | cmd.exe | 102
  PID 3916 wrote to memory of 3504 | 3916 | cmd.exe | 102
Processes
- C:\Windows\system32\rundll32.exe (PID 2288)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2528)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll,#1
    - Blocklisted process makes network request
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3916)
      Command line: cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\c0b9b35382d8ce1eb9214a345cb426aa_JaffaCakes118.dll" & timeout /t 5
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 3984)
        Command line: timeout /t 5
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
      - C:\Windows\SysWOW64\timeout.exe (PID 3504)
        Command line: timeout /t 5
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe