Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2025, 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_5a515ccdbfb76acf91839684585abf60.dll
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_5a515ccdbfb76acf91839684585abf60.dll
- Size: 137KB
- MD5: 5a515ccdbfb76acf91839684585abf60
- SHA1: 16a18160a614bdc5a7796c99853b127cb362bc2d
- SHA256: db1420a2ff6a29f63ed3da12087155231cce82b4550e20cd31fb287e44832514
- SHA512: e83e06ed0d6c1fcf0590d8e595f41d754e2cc44133401efea07683f8f8195121296a896ec68aa30372087f9e2196fc30eca9dd51970f9cbcb5e5ff6e00b1d82b
- SSDEEP: 3072:/NqgwmI488TRAfVhBQ7P+0Us4Q+LQI1H2UJ2mro/Y:svmlAfVhy75ZlIx2Svo/Y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  2032 | rundll32mgr.exe
- Drops file in System32 directory (1 IoC)
  description  | ioc                                  | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe  | rundll32.exe
- YARA rule matches
  resource                                                                   | yara_rule
  behavioral2/files/0x000a000000023c1f-3.dat                                 | upx
  behavioral2/memory/2032-4-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral2/memory/2032-8-0x0000000000400000-0x000000000045B000-memory.dmp | upx
- Program crash (2 IoCs)
  pid  | pid_target | Process      | procid_target
  3120 | 4644       | WerFault.exe | 83
  212  | 2032       | WerFault.exe | 84
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                             | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | rundll32.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          | pid  | Process      | procid_target
  PID 2180 wrote to memory of 4644     | 2180 | rundll32.exe | 83
  PID 2180 wrote to memory of 4644     | 2180 | rundll32.exe | 83
  PID 2180 wrote to memory of 4644     | 2180 | rundll32.exe | 83
  PID 4644 wrote to memory of 2032     | 4644 | rundll32.exe | 84
  PID 4644 wrote to memory of 2032     | 4644 | rundll32.exe | 84
  PID 4644 wrote to memory of 2032     | 4644 | rundll32.exe | 84
Processes
- C:\Windows\system32\rundll32.exe (PID 2180)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a515ccdbfb76acf91839684585abf60.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4644)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a515ccdbfb76acf91839684585abf60.dll,#1
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 2032)
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 212)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 264
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 3120)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 632
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4580)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2032 -ip 2032
- C:\Windows\SysWOW64\WerFault.exe (PID 4564)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4644 -ip 4644
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB
- MD5: db92102c142a97620d0f02b3321d235b
- SHA1: 84adf0da0cfa131b61a23cf26719b5d0c75702a9
- SHA256: 12dc8f962b54cbf925146db55709c9ad8465e392aede3a5095f74e7ca6ade2a5
- SHA512: 04bbb8ca5e5e63e85da4c4a9de8f46352cb9437005c0cae014da1d61c58916584a284fb7fba21b06f963de440362e150b6f2ef5d69143fd6a187c0712bf28d65