Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 10:49
Static task
- static1

Behavioral tasks
- behavioral1
  Sample: JaffaCakes118_9490a96656c76f667feb406d7a08c9a0a44eca1c8151ed6999000179549a92b1.exe
  Resource: win7-20240903-en
- behavioral2
  Sample: JaffaCakes118_9490a96656c76f667feb406d7a08c9a0a44eca1c8151ed6999000179549a92b1.exe
  Resource: win10v2004-20241007-en
- behavioral3
  Sample: $PLUGINSDIR/yenf.dll
  Resource: win7-20240708-en
- behavioral4
  Sample: $PLUGINSDIR/yenf.dll
  Resource: win10v2004-20241007-en
General
- Target: $PLUGINSDIR/yenf.dll
- Size: 72KB
- MD5: 46c925d5eaaaf5a7cdd55ffc845d037c
- SHA1: df0fc5da0fd9a0d288abac007e2ce470911fe25d
- SHA256: 649b6cf91616337859aa74ec46fbdcfed6859475bb689c49c84eafdf33f796ec
- SHA512: 9e124847e59a37ad9c11fdd94e5a8e0b4e93a273c43daecf2d357c94ffb55387b7070b45af688566a9d762cb7ad78cd4412b84ff32892a6fb7c8a7c8c3d53373
- SSDEEP: 1536:/f6RHirpM7t5P37QCIuAw8nMZxcZrIOIkGcFe2KRU8+TRbdGxJgUx:/CR2grMCxL7j+IBkmRU8+T
Malware Config
Signatures
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1080  3068        WerFault.exe  30

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 2200 wrote to memory of 3068  2200  rundll32.exe  30
  PID 3068 wrote to memory of 1080  3068  rundll32.exe  31
  PID 3068 wrote to memory of 1080  3068  rundll32.exe  31
  PID 3068 wrote to memory of 1080  3068  rundll32.exe  31
  PID 3068 wrote to memory of 1080  3068  rundll32.exe  31
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yenf.dll,#1
  PID: 2200
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yenf.dll,#1
    PID: 3068
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 256
      PID: 1080
      Signatures: Program crash