Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll
-
Size
451KB
-
MD5
fca7479a10b70e422c824990fc8e44a6
-
SHA1
f44c9dacba2e60df8864c5cf80fcb24b1cbc5c0d
-
SHA256
3f74053f3095407c621c4137d53e5eaef12dae9cfcbaf08b49949d839eac35ad
-
SHA512
a3a9a63d507ee4f5fe3319e92f38deaa3c7ac091a45e7f223636c90062f537beb74105ba73188759afc298b48353b175f2f4fe6474c1b88f7ed5ad621ce579fd
-
SSDEEP
12288:mv3OOvT/V3UUVXNckpICmXx0y90z888888888888W88888888888cZxH:kvT/ZUsdXCCmXx0ypZxH
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2548 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 2548 rundll32.exe Token: SeTcbPrivilege 2548 rundll32.exe Token: SeChangeNotifyPrivilege 2548 rundll32.exe Token: SeCreateTokenPrivilege 2548 rundll32.exe Token: SeBackupPrivilege 2548 rundll32.exe Token: SeRestorePrivilege 2548 rundll32.exe Token: SeIncreaseQuotaPrivilege 2548 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 2548 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2532 wrote to memory of 2548 2532 rundll32.exe 30 PID 2548 wrote to memory of 1808 2548 rundll32.exe 31 PID 2548 wrote to memory of 1808 2548 rundll32.exe 31 PID 2548 wrote to memory of 1808 2548 rundll32.exe 31 PID 2548 wrote to memory of 1808 2548 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd /K3⤵
- System Location Discovery: System Language Discovery
PID:1808
-
-