Analysis
- max time kernel: 141s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 01:11
Behavioral task: behavioral1
- Sample: eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll
- Size: 165KB
- MD5: eec988d2c45a12b5ad30e59b9dffbf62
- SHA1: ba795744d9b9d4bb6c1dcabc19ab9a23d79257c3
- SHA256: f03d233f08f685bd506d4ed413c346659bc8ea0e05ed0134c869b6f304713ec4
- SHA512: ba45cfd953f8945c516b99f6e71b282b7ac15a17b6e55ab604c50a0959bef7907bc943542769a6a3563f22c811ea316c065b740fd2c4a367af9dec53526aeee3
- SSDEEP: 3072:IfCxerVTeOpD/etpdK+78LwQSAsAILKNxC9pdMIv42FByb4Cn9UUtpz:Her7D2tpPwcCILKTCTdMIvZC93tp
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DCOM Server 60787 = "{2C1CD3D7-86AC-4068-93BC-A02304B60787}" | rundll32.exe
- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  1 | 1920 | rundll32.exe
  7 | 1920 | rundll32.exe
  41 | 1920 | rundll32.exe
  43 | 1920 | rundll32.exe
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | rundll32.exe
- resource | yara_rule
  behavioral2/memory/1920-1-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-3-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-5-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-7-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-13-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-15-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
  behavioral2/memory/1920-16-0x0000000010000000-0x0000000010D2E000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Modifies data under HKEY_USERS (1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32 | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\ThreadingModel = "Apartment" | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 740 wrote to memory of 1920 | 740 | rundll32.exe | 82
  PID 740 wrote to memory of 1920 | 740 | rundll32.exe | 82
  PID 740 wrote to memory of 1920 | 740 | rundll32.exe | 82
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll,#1
  PID: 740
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, child of PID 740)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec988d2c45a12b5ad30e59b9dffbf62_JaffaCakes118.dll,#1
    PID: 1920
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Blocklisted process makes network request
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
- C:\Windows\System32\svchost.exe (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 1948
  - Modifies data under HKEY_USERS