Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:41 UTC

General

  • Target

    JaffaCakes118_10e4671d0a542883ec77b53f1513229637df362470a0f2c97cb63bde3b045bfe.dll

  • Size

    181KB

  • MD5

    b24fafa145eed8e9d49ec9d6ad6b9c9d

  • SHA1

    6f0a4d9aa1583ae3362cdef05ae2076dcf48953d

  • SHA256

    10e4671d0a542883ec77b53f1513229637df362470a0f2c97cb63bde3b045bfe

  • SHA512

    291cc977b9842d8d4b773f7cdac92e678c5369415b3c54c891613bc353703280943869e5802d8ce470a5985bd580ed57ecffce84dababdd579de3db84187f88a

  • SSDEEP

    3072:RWoZIfMoHNI+5yXEvfrtL20RHIBTtP22OOGSu/ALLVBk9dek/fa:YlMoHNSmBLlH0tO5OG9/ALxyiKfa

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

152.170.79.100:80

190.247.139.101:80

138.197.99.250:8080

167.71.148.58:443

211.215.18.93:8080

191.241.233.198:80

83.169.21.32:7080

113.163.216.135:80

70.32.84.74:8080

217.13.106.14:8080

177.23.7.151:80

172.104.169.32:8080

187.39.237.56:8080

80.15.100.37:80

177.144.130.105:443

168.121.4.238:80

1.234.65.61:80

191.182.6.118:80

170.81.48.2:80

45.184.103.73:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----
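The config above is the part of this report an analyst actually pivots on, so it is worth checking what it contains rather than copying it around as opaque text. The following is an added, stand-alone example (not tria.ge output and not Emotet's own code) that parses the C2 list into typed endpoints, walks the PEM key's DER structure by hand with only the standard library, and reports the key size, public exponent and a SHA-256 fingerprint of the SubjectPublicKeyInfo. The inputs are the twenty endpoints and the key exactly as printed above; the function and constant names are this example's own. The `cryptography` package's `load_pem_public_key` does the same decoding in one call; the manual walk is here to show where the numbers come from.

```python
import base64
import hashlib
import ipaddress

# Constructed input: the 20 C2 endpoints and the RSA public key, copied from
# the extracted Emotet (Epoch1) config above. Nothing is fetched at run time.
EMOTET_C2 = """
152.170.79.100:80 190.247.139.101:80 138.197.99.250:8080 167.71.148.58:443
211.215.18.93:8080 191.241.233.198:80 83.169.21.32:7080 113.163.216.135:80
70.32.84.74:8080 217.13.106.14:8080 177.23.7.151:80 172.104.169.32:8080
187.39.237.56:8080 80.15.100.37:80 177.144.130.105:443 168.121.4.238:80
1.234.65.61:80 191.182.6.118:80 170.81.48.2:80 45.184.103.73:80
"""

EMOTET_RSA_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----"""

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def parse_c2_list(text):
    """Turn whitespace-separated 'ip:port' tokens into (IPv4Address, port) pairs."""
    endpoints = []
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not 0 < int(port) < 65536:
            raise ValueError(f"bad endpoint {token!r}")
        endpoints.append((ipaddress.IPv4Address(host), int(port)))
    return endpoints


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(der):
    """Walk a SubjectPublicKeyInfo by hand and return the RSA (n, e) it carries."""
    tag, spki, end = _der_tlv(der, 0)                    # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SubjectPublicKeyInfo")
    tag, alg, pos = _der_tlv(spki, 0)                    # SEQUENCE AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_tlv(spki, pos)                   # BIT STRING subjectPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING framing")
    tag, rsakey, _ = _der_tlv(bits, 1)                   # SEQUENCE RSAPublicKey, after the unused-bits byte
    tag_n, n_bytes, pos = _der_tlv(rsakey, 0)            # INTEGER modulus
    tag_e, e_bytes, _ = _der_tlv(rsakey, pos)            # INTEGER publicExponent
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def summarize_config(c2_text, pem):
    """Facts an analyst records from an Emotet config before pivoting on it."""
    c2 = parse_c2_list(c2_text)
    der = pem_to_der(pem)
    n, e = rsa_public_numbers(der)
    return {
        "c2_count": len(c2),
        "ports": sorted({port for _, port in c2}),
        "rsa_bits": n.bit_length(),
        "rsa_exponent": e,
        "spki_sha256": hashlib.sha256(der).hexdigest(),   # per-key fingerprint for pivoting
    }


if __name__ == "__main__":
    for key, value in summarize_config(EMOTET_C2, EMOTET_RSA_PEM).items():
        print(f"{key}: {value}")
```

Run on the key printed above, the modulus decodes to 768 bits with e = 65537, which is the key size Emotet used for its C2 traffic protection; since each Emotet epoch was distinguished by its own RSA key, the SPKI hash is a more stable pivot across samples than any single C2 address, all of which rotate.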

Signatures

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Emotet family
  • Blocklisted process makes network request (8 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 2976)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e4671d0a542883ec77b53f1513229637df362470a0f2c97cb63bde3b045bfe.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2996, child of 2976)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e4671d0a542883ec77b53f1513229637df362470a0f2c97cb63bde3b045bfe.dll,#1
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

  The sandbox launched the 64-bit rundll32.exe; when that binary is handed a 32-bit DLL it re-executes its SysWOW64 counterpart with the same command line, which is the parent/child pair seen here. The payload therefore runs in PID 2996, and that is where the network, language-check and process-enumeration behaviour is attributed (and where the memory dump under Downloads was taken). ",#1" calls the DLL's export by ordinal 1 rather than by name, so the command line gives no export name to search for.

Network

  The capture shows PID 2996 (the SysWOW64 rundll32.exe) walking the C2 list in the order it appears in the config: only the first four of the twenty endpoints were tried within the 145 s network window, each of them twice. Columns are destination, process, bytes sent, bytes received, packets sent, packets received; a dash means the peer sent nothing back.

  Destination            Process        Sent    Received   Pkts out   Pkts in
  152.170.79.100:80      rundll32.exe   152 B   -          3          -
  152.170.79.100:80      rundll32.exe   152 B   -          3          -
  190.247.139.101:80     rundll32.exe   152 B   -          3          -
  190.247.139.101:80     rundll32.exe   152 B   -          3          -
  138.197.99.250:8080    rundll32.exe   152 B   120 B      3          3
  138.197.99.250:8080    rundll32.exe   152 B   120 B      3          3
  167.71.148.58:443      rundll32.exe   152 B   -          3          -
  167.71.148.58:443      rundll32.exe   104 B   -          2          -

  Only 138.197.99.250:8080 answered at all, and 120 B over 3 packets is 40 B per packet: bare IPv4/TCP headers with no payload, consistent with the port rejecting the connection rather than serving a C2 response. The 152 B / 3-packet rows are unanswered connection attempts with retransmissions, and the final 104 B / 2-packet row is the same pattern cut short by the end of the run. Nothing besides these TCP flows was recorded; the config carries raw IP:port pairs, so there is no DNS lookup to observe. Because the sample moves to the next entry on failure, all twenty addresses in the config are the indicators to block, not just the four it reached.
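The process tree and the flow table above are the two observations a detection engineer would turn into rules: rundll32.exe calling an ordinal export of a DLL under %TEMP%, and rundll32.exe (or anything else) opening connections to the configured C2 endpoints. The following is an added example, not part of the tria.ge report, that runs those two checks over constructed events whose fields are modelled on Sysmon Event ID 1 (process create) and Event ID 3 (network connect). The events mirror PIDs 2976 and 2996 and two of the flows above, plus two benign controls (a Control Panel launch via shell32.dll and a browser flow to a TEST-NET-3 address); the parent PID 1180, PIDs 4120 and 5004, and all rule names are this example's own assumptions.

```python
import re

# Constructed: the 20 Epoch1 C2 endpoints from the extracted config above.
EPOCH1_C2_ENDPOINTS = {
    "152.170.79.100:80", "190.247.139.101:80", "138.197.99.250:8080",
    "167.71.148.58:443", "211.215.18.93:8080", "191.241.233.198:80",
    "83.169.21.32:7080", "113.163.216.135:80", "70.32.84.74:8080",
    "217.13.106.14:8080", "177.23.7.151:80", "172.104.169.32:8080",
    "187.39.237.56:8080", "80.15.100.37:80", "177.144.130.105:443",
    "168.121.4.238:80", "1.234.65.61:80", "191.182.6.118:80",
    "170.81.48.2:80", "45.184.103.73:80",
}

# "rundll32 <path>.dll,#<n>": an export called by ordinal rather than by name.
ORDINAL_CALL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)", re.I)
# Directories an unprivileged user can write to; a DLL loaded from here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)

SAMPLE_CMDLINE = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_"
                  r"10e4671d0a542883ec77b53f1513229637df362470a0f2c97cb63bde3b045bfe.dll,#1")

# Constructed events (Sysmon-style field names). Parent PID 1180 and PIDs 4120/5004 are invented;
# 2976/2996 and the two destinations are the ones in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2976, "ParentProcessId": 1180,
     "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": SAMPLE_CMDLINE},
    {"EventID": 1, "ProcessId": 2996, "ParentProcessId": 2976,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": SAMPLE_CMDLINE},
    {"EventID": 3, "ProcessId": 2996, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "152.170.79.100", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 2996, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "138.197.99.250", "DestinationPort": 8080},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 5004, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def detect(events):
    """Return (rule, pid, detail) alerts, at most one per event, in event order."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 1 and is_rundll32(image):
            m = ORDINAL_CALL.search(ev.get("CommandLine", ""))
            if m and USER_WRITABLE.search(m.group("dll")):
                alerts.append(("rundll32_ordinal_export_from_user_path", ev["ProcessId"], m.group("dll")))
        elif ev["EventID"] == 3:
            dst = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            if dst in EPOCH1_C2_ENDPOINTS:        # high: known C2, whatever the process
                alerts.append(("known_emotet_c2_contact", ev["ProcessId"], dst))
            elif is_rundll32(image):              # medium: rundll32 rarely needs the network
                alerts.append(("rundll32_network_connection", ev["ProcessId"], dst))
    return alerts


def parent_chain(events, pid):
    """Follow ParentProcessId through EID 1 events so an alert can cite its lineage."""
    parents = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<5} lineage={parent_chain(SAMPLE_EVENTS, pid)} {detail}")
```

The ordinal rule fires on both rundll32 processes because each carries the same command line; the lineage helper ties the child back to the 64-bit parent, which is the process an EDR would otherwise show as the one with no network activity. The Control Panel launch is deliberately not flagged by the ordinal rule (a named export from a System32 DLL), but its outbound connection still produces the medium-severity rundll32 alert, which is the same judgement the report's "Blocklisted process makes network request" signature encodes.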

MITRE ATT&CK Enterprise v15

  • T1614.001 System Location Discovery: System Language Discovery (Discovery), the technique behind the System Language Discovery signature above.


Downloads

  • memory/2996-0-0x00000000001F0000-0x000000000020F000-memory.dmp
    Filesize 124KB (0x1F000 bytes: the 0x1F0000-0x20F000 region of PID 2996)
