Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2024, 03:17

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739.dll
Resource: win7-20241010-en
General
Target: JaffaCakes118_41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739.dll
Size: 188 KB
MD5: e4674ba411a2c7678e966e07a77940f7
SHA1: f3bacac0eae80718f485843bb39416e585a68318
SHA256: 41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739
SHA512: c24f2a14074226971418dd23f92c8bb71806dc922ee3b8e72e964e20da9db403a59c424ff5f8fadaf6a6449d1ed404140cf468072cd6f3de5122d1a98d57be79
SSDEEP: 3072:vteMq7hp/YIzA6BZvlWnTDN2GL9L8NLXWruiuUCzTOwwc0cIzW9qM:3q7fYIHBZkTB6DWruUCOwjt
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
- 103.87.173.60:443
- 45.32.243.209:8116
- 207.180.208.54:4664
Signatures

Dridex family
The dridex_ldr YARA rule matched a memory dump taken from the WoW64 rundll32 process:
resource: behavioral1/memory/2532-1-0x0000000074B90000-0x0000000074BC0000-memory.dmp
rule: dridex_ldr
The matched region is 0x30000 bytes (192 KB), consistent with the 188 KB DLL mapped as an image in PID 2532; the loader code was identified in the DLL's own mapping rather than in a second process.

Program crash (1 IoC)
pid: 2432, pid_target: 2532, Process: WerFault.exe, procid_target: 31
WerFault was started for PID 2532 (the SysWOW64 rundll32 hosting the DLL), so the loader crashed inside rundll32 during the run. The extracted C2 list came from memory, not from observed network traffic.

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: rundll32.exe (PID 2532)

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 1552 (rundll32.exe) wrote to memory of PID 2532, procid_target 31, 7 times
- PID 2532 (rundll32.exe) wrote to memory of PID 2432, procid_target 32, 4 times
Caveat: both write pairs match a parent writing into a child it has just created (the x64 rundll32 spawning the WoW64 rundll32 for the 32-bit DLL, then that rundll32 spawning WerFault on crash). Such writes are part of normal process creation and are not, on their own, evidence of injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (PID 1552)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2532, child of 1552)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739.dll,#1
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2432, child of 2532)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 308
      signatures: Program crash
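The following is an added example, not part of the Triage report or of any Dridex tooling: it turns three things visible above into structured data an analyst can act on: the extracted config (botnet ID plus ip:port C2 list), the rundll32 command line (DLL loaded from a user Temp directory by ordinal export `#1`, the invocation pattern of this loader), and the YARA memory-hit resource name (decoded into PID, base address and region size). The input strings are copied from the report; the function names, the indicator labels and the regular expressions are my own assumptions about the report's text layout.

```python
"""Added example: parse Triage-style Dridex report fragments into IOCs.
Helper names and indicator labels are the author's own (hypothetical)."""
import re
from ipaddress import ip_address

# Constructed from the report's "Malware Config" block above.
DRIDEX_CONFIG = """dridex
22201
103.87.173.60:443
45.32.243.209:8116
207.180.208.54:4664"""

# Constructed from the report's process tree above.
LOADER_CMDLINE = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41a47fa29167eeaf685c1459b7d80c1ca76f02a87e707e8784861bb5cf134739.dll,#1"
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 308"

# Constructed from the report's Dridex family signature above.
YARA_HIT = "behavioral1/memory/2532-1-0x0000000074B90000-0x0000000074BC0000-memory.dmp"


def parse_dridex_config(text):
    """Config block layout assumed: family, botnet id, then one ip:port per line."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    family, botnet = lines[0], int(lines[1])
    c2 = []
    for entry in lines[2:]:
        host, port = entry.rsplit(":", 1)
        ip_address(host)  # raises ValueError on a malformed address
        c2.append((host, int(port)))
    return {"family": family, "botnet": botnet, "c2": c2}


# rundll32 <dll>,<export>  where export is a name or an ordinal such as #1
_RUNDLL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\"[^\"]+\"|\S+?),\s*(?P<export>#\d+|[A-Za-z_]\w*)",
    re.IGNORECASE,
)


def rundll32_loader_indicators(cmdline):
    """Return labels for the loader-like traits seen in this report's
    command line; an empty list means the line is not a rundll32 DLL load."""
    m = _RUNDLL.search(cmdline)
    if not m:
        return []
    dll, export = m.group("dll").strip('"'), m.group("export")
    reasons = []
    if re.search(r"\\AppData\\Local\\Temp\\", dll, re.IGNORECASE):
        reasons.append("dll_in_user_temp")
    if export.startswith("#"):
        reasons.append("export_by_ordinal")
    return reasons


# <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (layout as on the page)
_MEMDUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_memory_hit(resource):
    """Decode a memory-dump resource name into the process and region it covers."""
    m = _MEMDUMP.search(resource)
    if not m:
        raise ValueError("not a memory dump resource: " + resource)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "base": start, "size": end - start}


def triage_summary():
    """Everything an analyst would lift from this report, in one dict."""
    cfg = parse_dridex_config(DRIDEX_CONFIG)
    hit = parse_memory_hit(YARA_HIT)
    return {
        "botnet": cfg["botnet"],
        "c2": ["%s:%d" % c for c in cfg["c2"]],
        "loader_indicators": rundll32_loader_indicators(LOADER_CMDLINE),
        "yara_region_kb": hit["size"] // 1024,
        "yara_pid": hit["pid"],
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(key, value)
```

The 192 KB region size that `parse_memory_hit` returns is a useful sanity check against the 188 KB file size: the YARA hit sits in the mapped DLL itself, so the C2 list can be extracted from the on-disk sample without waiting for a (here, crashing) run to beacon.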