Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/09/2024, 21:26
Behavioral task: behavioral1
- Sample: cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll
- Size: 135KB
- MD5: cdfcb8482dea366655ab7a6510e38b95
- SHA1: 13bed94301f5e02ac400e53cc1e6366ecc20e234
- SHA256: 132faa0a540eed4da22938aa67d2960125f9c7f7e047b5238e26ef45b630caff
- SHA512: dad779162dad95b361a109c182c58edf4afd9f82853d0a4ac7a8e270c0f6335ee2a8b1e2747ed888038f43e484a4d16a792579408a8c3fccbbebea8ebc1c8647
- SSDEEP: 1536:SNDX58zc+BwWarTdNFiHnhuzGjmplPnmeKk+iUnouy8tz4RiRM:SB5n+eWuMnECjOnmVkdkouttzcm
Malware Config
Signatures
- YARA rule matches (resource / yara_rule):
  behavioral1/memory/1980-0-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/files/0x000c00000001225c-4.dat  upx
  behavioral1/memory/1156-5-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/memory/1156-6-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/memory/1156-7-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/memory/1980-8-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/memory/1156-9-0x0000000010000000-0x0000000010023000-memory.dmp  upx
  behavioral1/memory/1156-11-0x0000000010000000-0x0000000010023000-memory.dmp  upx
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid / Process:
  1156  rundll32.exe  (3 identical entries)
- Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  File opened for modification  C:\Windows\lua.wkl  rundll32.exe
  File created  C:\Windows\msremotx.dll  rundll32.exe
  File opened for modification  C:\Windows\msremotx.dll  rundll32.exe
  File opened for modification  C:\Windows\lua.wkl  rundll32.exe
- Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid / Process:
  1156  rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Modifies registry class (5 IoCs)
  description / ioc / Process:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll,1309250235,-496657352,-352895392"  rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32  rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  1156  rundll32.exe  (64 identical entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description / pid / Process / procid_target:
  PID 1796 wrote to memory of 1980  1796  rundll32.exe  31  (7 identical entries)
  PID 1980 wrote to memory of 1156  1980  rundll32.exe  32  (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1796)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1980, child of 1796)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdfcb8482dea366655ab7a6510e38b95_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1156, child of 1980)
      Command line: rundll32 "C:\Windows\msremotx.dll",_RunAs@16
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Access Token Manipulation: Create Process with Token
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: cdfcb8482dea366655ab7a6510e38b95
  SHA1: 13bed94301f5e02ac400e53cc1e6366ecc20e234
  SHA256: 132faa0a540eed4da22938aa67d2960125f9c7f7e047b5238e26ef45b630caff
  SHA512: dad779162dad95b361a109c182c58edf4afd9f82853d0a4ac7a8e270c0f6335ee2a8b1e2747ed888038f43e484a4d16a792579408a8c3fccbbebea8ebc1c8647