Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 22:44
Static task
static1
Behavioral task
behavioral1
Sample
d73699f012d734b3427e8787ea4aa83b_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
d73699f012d734b3427e8787ea4aa83b_JaffaCakes118.dll
-
Size
70KB
-
MD5
d73699f012d734b3427e8787ea4aa83b
-
SHA1
2f837c65817d0577d090e3f022bf130a2534af2e
-
SHA256
081b85be7aa8a2913a4d2013738b5b58089464c1417bf522f2f367835ec0098f
-
SHA512
ac8d5afe029af985b6f822efeb52fb23bc4cb174cb39288176a3349c507a8bf110ad5febbd8dcffb0b38ef51cb307e13187af445a131faeb09b5de9f9654c2b3
-
SSDEEP
1536:mBz9i76UGqTb6ZvCyy10gHEFH7ROZRdYNvvV4CBT/X5cx:uz0uUzSgkFH1OZRd21/X
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1916 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 1916 rundll32.exe Token: SeTcbPrivilege 1916 rundll32.exe Token: SeChangeNotifyPrivilege 1916 rundll32.exe Token: SeCreateTokenPrivilege 1916 rundll32.exe Token: SeBackupPrivilege 1916 rundll32.exe Token: SeRestorePrivilege 1916 rundll32.exe Token: SeIncreaseQuotaPrivilege 1916 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 1916 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1704 wrote to memory of 1916 1704 rundll32.exe 30 PID 1916 wrote to memory of 2016 1916 rundll32.exe 31 PID 1916 wrote to memory of 2016 1916 rundll32.exe 31 PID 1916 wrote to memory of 2016 1916 rundll32.exe 31 PID 1916 wrote to memory of 2016 1916 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d73699f012d734b3427e8787ea4aa83b_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d73699f012d734b3427e8787ea4aa83b_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\cmd.execmd /K3⤵
- System Location Discovery: System Language Discovery
PID:2016
-
-