
Analysis

  • max time kernel
    141s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 06:26 UTC

General

  • Target

    1234470662aeda854724e00aa02f86ad_JaffaCakes118.dll

  • Size

    72KB

  • MD5

    1234470662aeda854724e00aa02f86ad

  • SHA1

    c0d09aef7505d611b3a252459fa90e1b9f3c04c1

  • SHA256

    f49d41ee968d4184740682085623be10a5c2bb04a778ec7f76a43875445f56d6

  • SHA512

    8f95c8f770afe2392de100ae3c435511d6a27412574055e49cbc5503d420aa4c5b749474da8abaf4b189d28bf7b4cd71b2be47c2cbcb8d35f490de2a2ffeece2

  • SSDEEP

    1536:IoySfvnfvG7oAvXzZWHvxyHUgXQFDwdNfq3cjkj7yijcwX1:IBE202tHUTxwPfq3Qg7vjcwl

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1234470662aeda854724e00aa02f86ad_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1234470662aeda854724e00aa02f86ad_JaffaCakes118.dll,#1
      2⤵
      • Server Software Component: Terminal Services DLL
      • System Location Discovery: System Language Discovery
      PID:2244
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2796

Network

  Every lookup below was issued by the netsvcs service host (svchost.exe -k netsvcs) to the resolver 8.8.8.8:53 (US) as an IN A request; the report records no answer section for any of them.

  Domain        Sent   Received  Requests  Responses
  rikocnt.info  58 B   137 B     1         1
  xjhiesp.com   57 B   130 B     1         1
  xjhiesp.net   57 B   130 B     1         1
  mevikot.com   57 B   130 B     1         1
  mevikot.net   57 B   130 B     1         1
  mevikot.biz   57 B   119 B     1         1

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2244-3-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2244-2-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2244-1-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2244-0-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2244-4-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2244-5-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2796-8-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2796-7-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2796-6-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2796-22-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB
