Analysis
- max time kernel: 143s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 05:42
Static task: static1
Behavioral task: behavioral1
- Sample: eab1181d644b1fc91512497219929233_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: eab1181d644b1fc91512497219929233_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eab1181d644b1fc91512497219929233_JaffaCakes118.exe
- Size: 80KB
- MD5: eab1181d644b1fc91512497219929233
- SHA1: 9815b16409886c2faaa833728a1b7a5a9605e8e3
- SHA256: a4c22404f0aaf35832ff67b13a45b42e023c8aa02d0d240a9dca0d6464a7a35d
- SHA512: 659354852d0acfd4d2f97179be5ab2523b1d1bd179cbbd1c8a8c70e5cd57269847b99683b2726470ac0484e55ba5c099db56c464bac9de0d76676cc8fa827e60
- SSDEEP: 1536:9uC1dl50pS1HQg1YBWo04NUqkojFWHw5pe9Riz5MLXIbyO:9dL1H2jgkpemz5m4bT
Malware Config
Signatures
- Blocklisted process makes network request (5 IoCs)
  flow  pid   Process
  13    2844  rundll32.exe
  14    1952  rundll32.exe
  15    1952  rundll32.exe
  22    1952  rundll32.exe
  35    1952  rundll32.exe
- Drops file in Drivers directory (1 IoC)
  description                   ioc                                      Process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts    rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2844  rundll32.exe
  1952  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46.avi\", start"
  Process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eab1181d644b1fc91512497219929233_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4624  eab1181d644b1fc91512497219929233_JaffaCakes118.exe
  Token: SeDebugPrivilege  2844  rundll32.exe
  Token: SeDebugPrivilege  1952  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                     pid   Process                                             procid_target
  PID 4624 wrote to memory of 2844  4624  eab1181d644b1fc91512497219929233_JaffaCakes118.exe  81
  PID 4624 wrote to memory of 2844  4624  eab1181d644b1fc91512497219929233_JaffaCakes118.exe  81
  PID 4624 wrote to memory of 2844  4624  eab1181d644b1fc91512497219929233_JaffaCakes118.exe  81
  PID 2844 wrote to memory of 1952  2844  rundll32.exe                                        86
  PID 2844 wrote to memory of 1952  2844  rundll32.exe                                        86
  PID 2844 wrote to memory of 1952  2844  rundll32.exe                                        86
Processes
- C:\Users\Admin\AppData\Local\Temp\eab1181d644b1fc91512497219929233_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab1181d644b1fc91512497219929233_JaffaCakes118.exe"
  PID: 4624
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 4624)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\e9bfafce-1854-45e4-afd9-3a52da20b975\wrkBA95.tmp_46", start first worker
    PID: 2844
    - Blocklisted process makes network request
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (child of PID 2844)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\e9bfafce-1854-45e4-afd9-3a52da20b975\wrkC3FC.tmp_46", start task worker
      PID: 1952
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
- MD5: fa093219878c389ca88b89b67f93236b
- SHA1: b8ba51896287b8912346acf3ebf7e28d837c8d80
- SHA256: a7f80596128abd24953c249a7673278d52abb0e67c241ab1c16c17be85b64fcc
- SHA512: 2e650674f724068ce4822e709d7d7874a0d92083e96e63e7c5cf4608e2ad4b0f5fa373fc6f3971fd43cffa03ea0eadd7dc8714f90595885e9ee90c29f15bab3e