Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 28/08/2024, 19:50
Behavioral task
- behavioral1
- Sample: c78951653b2bcadb68af7f2b17dedaed_JaffaCakes118.dll
- Resource: win7-20240708-en
- 3 signatures
- 150 seconds
General
- Target: c78951653b2bcadb68af7f2b17dedaed_JaffaCakes118.dll
- Size: 11KB
- MD5: c78951653b2bcadb68af7f2b17dedaed
- SHA1: e9ae0eaab62a07de48568c9a65f77a6f06779c53
- SHA256: 55d474ab4893f7685dc8fb0b911efa91e1a7f7f05102e220943fa25a63577c82
- SHA512: 5dcd82a0179decc814aeb5cea3e2fd459d30190d4e258e815438474182f4658cf318de41ec67948c1a4271ffb423a0cd741ccddd02f63a99fdff1f6c6b8531a1
- SSDEEP: 192:fXyLBKUBvhyH28JiLi5t9Cu/1JB5vTb90U+aQNA8FIXYrU22Bc:gbRhD+0U2u/1LZ9JGA8eYv2B
Malware Config
(none extracted)

Signatures
- YARA rule matches (resource / yara_rule)
  behavioral1/memory/2800-2-0x0000000010000000-0x00000000100FF000-memory.dmp / upx
  behavioral1/memory/2800-1-0x0000000010000000-0x00000000100FF000-memory.dmp / upx
  behavioral1/memory/2800-0-0x0000000010000000-0x00000000100FF000-memory.dmp / upx
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
  PID 2292 wrote to memory of 2800 / 2292 / rundll32.exe / 30
Processes
- C:\Windows\system32\rundll32.exe (PID: 2292)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c78951653b2bcadb68af7f2b17dedaed_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2800)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c78951653b2bcadb68af7f2b17dedaed_JaffaCakes118.dll,#1
    - System Location Discovery: System Language Discovery