Analysis
- max time kernel: 94s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2024, 21:17
Static task: static1
Behavioral task: behavioral1
- Sample: 36da45a37d30043e157040e0725f1597_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: 36da45a37d30043e157040e0725f1597_JaffaCakes118.dll
- Size: 144KB
- MD5: 36da45a37d30043e157040e0725f1597
- SHA1: 160917680c9be5d847c74f56dd0f0b5fe5580950
- SHA256: f6d982448b1d7eadb9bf17ecae6c020583d1751ec41a7bdaa2d12cf2fa34f59c
- SHA512: ffd89ec891eb1b383f902fcda8dcf15588a06f382c8eea008b19f6b026975d54251f5e7a031df0f34b2c3aaf32e0d5c7c1044404608b9eab90b2919ad4583c32
- SSDEEP: 3072:PibTTp78CclGbAqhMjW3Mfw534x3CtlGpuo:gT14TGAoMfTsHGj
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  2676 | rundll32mgr.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- resource | yara_rule
  behavioral2/files/0x000a000000023c24-3.dat | upx
  behavioral2/memory/2676-4-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral2/memory/2676-9-0x0000000000400000-0x000000000046E000-memory.dmp | upx
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  664 | 2676 | WerFault.exe | 84
  3528 | 2796 | WerFault.exe | 83
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2836 wrote to memory of 2796 | 2836 | rundll32.exe | 83
  PID 2836 wrote to memory of 2796 | 2836 | rundll32.exe | 83
  PID 2836 wrote to memory of 2796 | 2836 | rundll32.exe | 83
  PID 2796 wrote to memory of 2676 | 2796 | rundll32.exe | 84
  PID 2796 wrote to memory of 2676 | 2796 | rundll32.exe | 84
  PID 2796 wrote to memory of 2676 | 2796 | rundll32.exe | 84
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36da45a37d30043e157040e0725f1597_JaffaCakes118.dll,#1
  PID: 2836
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36da45a37d30043e157040e0725f1597_JaffaCakes118.dll,#1
    PID: 2796
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 2676
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 264
        PID: 664
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 608
      PID: 3528
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2676 -ip 2676
  PID: 2832
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2796 -ip 2796
  PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 105KB
- MD5: 9b49fec7e03c33277f188a2819b8d726
- SHA1: a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f
- SHA256: 9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad
- SHA512: 049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d