Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll
-
Size
451KB
-
MD5
fca7479a10b70e422c824990fc8e44a6
-
SHA1
f44c9dacba2e60df8864c5cf80fcb24b1cbc5c0d
-
SHA256
3f74053f3095407c621c4137d53e5eaef12dae9cfcbaf08b49949d839eac35ad
-
SHA512
a3a9a63d507ee4f5fe3319e92f38deaa3c7ac091a45e7f223636c90062f537beb74105ba73188759afc298b48353b175f2f4fe6474c1b88f7ed5ad621ce579fd
-
SSDEEP
12288:mv3OOvT/V3UUVXNckpICmXx0y90z888888888888W88888888888cZxH:kvT/ZUsdXCCmXx0ypZxH
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4728 rundll32.exe 4728 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 4728 rundll32.exe Token: SeTcbPrivilege 4728 rundll32.exe Token: SeChangeNotifyPrivilege 4728 rundll32.exe Token: SeCreateTokenPrivilege 4728 rundll32.exe Token: SeBackupPrivilege 4728 rundll32.exe Token: SeRestorePrivilege 4728 rundll32.exe Token: SeIncreaseQuotaPrivilege 4728 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 4728 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3216 wrote to memory of 4728 3216 rundll32.exe 82 PID 3216 wrote to memory of 4728 3216 rundll32.exe 82 PID 3216 wrote to memory of 4728 3216 rundll32.exe 82 PID 4728 wrote to memory of 3376 4728 rundll32.exe 83 PID 4728 wrote to memory of 3376 4728 rundll32.exe 83 PID 4728 wrote to memory of 3376 4728 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fca7479a10b70e422c824990fc8e44a6_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\cmd.execmd /K3⤵
- System Location Discovery: System Language Discovery
PID:3376
-
-