Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 18:30 UTC
Static task
static1
Behavioral task
behavioral1
Sample
06e98e65983664ecbdf203ec177dc52c_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
06e98e65983664ecbdf203ec177dc52c_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
06e98e65983664ecbdf203ec177dc52c_JaffaCakes118.dll
-
Size
44KB
-
MD5
06e98e65983664ecbdf203ec177dc52c
-
SHA1
35008b2ef93c40b5ce96c7769eb937f0fae6af35
-
SHA256
6da0f2ec78f06dae6a05d8b9f11542247fc53ffef68c74b7b835f3a9e16cb4b5
-
SHA512
44526ee591d31f89eed932dc873af50f16e8e4b45d729a2b6f54def5766694e6fa98099be14aba9ac08cbc149b1934245472bb3440223ec75b44d222973ee772
-
SSDEEP
768:nUR3Dwot8/wDvwkcGe0rzzCGRmZo4oD4W6lQnxGkO:eDwGKwUhGvzCGRJxGkO
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1644 2840 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3352 wrote to memory of 2840 3352 rundll32.exe 82 PID 3352 wrote to memory of 2840 3352 rundll32.exe 82 PID 3352 wrote to memory of 2840 3352 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\06e98e65983664ecbdf203ec177dc52c_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\06e98e65983664ecbdf203ec177dc52c_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 5963⤵
- Program crash
PID:1644
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2840 -ip 28401⤵PID:432
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request79.190.18.2.in-addr.arpaIN PTRResponse79.190.18.2.in-addr.arpaIN PTRa2-18-190-79deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.117.19.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
79.190.18.2.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa