Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18/09/2024, 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll
Size: 28KB
MD5: ea3512912960e71ce5d9c26b9818e142
SHA1: 4307f6b082bd7feef1feaa7e3726ca86dd39b506
SHA256: ec0c74e386224ac26d6b5b29ab1f9add46b7a1a21065df6e33bc55954a8e6cb5
SHA512: 60bbcb01b7044d79fffcd034aad3a3e0fc487b5ec6843da928721bb99ba4aa0d0d7ff839fa58e3c58dca94b5185c0a0a4048411bec3187e499f662a9dfbe1314
SSDEEP: 384:Qyuzmk3ySFy81TvV5OFz9X30WkOAYoMUd6ksBDEsTmT5J5AHF16LlAzLG:sM81TvV5EZ30WoHGEGHDx
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\checkcj_zy.ini
  process: rundll32.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs, all identical)
  description: PID 1232 wrote to memory of 800
  pid: 1232
  process: rundll32.exe
  procid_target: 30
  (this entry is recorded 7 times)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll,#1
   PID: 1232
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll,#1
      PID: 800
      signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
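The signatures and process tree above can be turned into behaviour rules a detection engineer would run over endpoint telemetry. The following is an added example, not tria.ge code: it replays a constructed event stream that mirrors this report (PIDs 1232 and 800, the 64-bit rundll32.exe handing the Temp DLL to the SysWOW64 copy, the dropped C:\Windows\checkcj_zy.ini, the NLS\Language key read, and the seven cross-process writes) and scores the combination. The parent PID 900, the event field names and the rule weights are assumptions for the example.

```python
"""Behaviour rules over a constructed event stream that mirrors this report.

Added example, not tria.ge code. Events are constructed from the signatures
and process tree on the page; field names, ppid 900 and the rule weights are
this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\ea3512912960e71ce5d9c26b9818e142_JaffaCakes118.dll"

# Constructed events (not real telemetry): the fields a Sysmon-like collector would give.
EVENTS = [
    {"type": "process", "pid": 1232, "ppid": 900,  # ppid 900 is assumed
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 800, "ppid": 1232,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
] + [{"type": "memwrite", "pid": 1232, "target_pid": 800}] * 7 + [
    {"type": "file", "pid": 800, "op": "modify", "path": r"C:\Windows\checkcj_zy.ini"},
    {"type": "registry", "pid": 800, "op": "open",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll", re.IGNORECASE)
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
WEIGHTS = {"rundll32_wow64_handoff": 1, "drops_in_windows_dir": 3,
           "system_language_discovery": 2, "cross_process_writes": 2}


def processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def rule_rundll32_wow64_handoff(events):
    """64-bit rundll32 re-launching the SysWOW64 copy with the same Temp DLL.

    Any 32-bit DLL handed to 64-bit rundll32 produces this, hence the low
    weight; it matters in combination with the rules below.
    """
    procs = processes(events)
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        if (child["image"].lower().endswith(r"\syswow64\rundll32.exe")
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and TEMP_DLL.search(child["cmdline"])
                and child["cmdline"].lower() == parent["cmdline"].lower()):
            hits.append((parent["pid"], child["pid"]))
    return hits


def rule_drops_in_windows_dir(events):
    """A process started from a Temp DLL modifying a file directly under C:\\Windows."""
    procs = processes(events)
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file" and e["op"] == "modify"
            and re.fullmatch(r"c:\\windows\\[^\\]+", e["path"].lower())
            and TEMP_DLL.search(procs.get(e["pid"], {}).get("cmdline", ""))]


def rule_system_language_discovery(events):
    """T1614.001: reading the NLS\\Language key to learn the victim's locale."""
    return [(e["pid"], e["key"]) for e in events
            if e["type"] == "registry" and NLS_LANGUAGE.search(e["key"])]


def rule_cross_process_writes(events):
    """Count WriteProcessMemory-style writes per (source, target) pair."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "memwrite" and e["pid"] != e["target_pid"]:
            counts[(e["pid"], e["target_pid"])] += 1
    return dict(counts)


def triage(events):
    """Run every rule; return the findings that fired and their summed weight."""
    findings = {}
    for name, rule in (("rundll32_wow64_handoff", rule_rundll32_wow64_handoff),
                       ("drops_in_windows_dir", rule_drops_in_windows_dir),
                       ("system_language_discovery", rule_system_language_discovery),
                       ("cross_process_writes", rule_cross_process_writes)):
        hits = rule(events)
        if hits:
            findings[name] = hits
    return findings, sum(WEIGHTS[n] for n in findings)


if __name__ == "__main__":
    found, score = triage(EVENTS)
    for name, hits in found.items():
        print(f"{name}: {hits}")
    print("score:", score)
```

Run stand-alone it prints the four findings and a score of 8; the handoff rule alone (the first two events) scores only 1, which is the point of weighting it low: a system32-to-SysWOW64 rundll32 hop is what any 32-bit DLL produces, and it is the write into C:\Windows plus the locale lookup from the same child that makes this tree worth escalating.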