Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02/01/2025, 12:43
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_652eeaa68ce3f8f0d25a5c7ea69b43ba.dll
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_652eeaa68ce3f8f0d25a5c7ea69b43ba.dll
-
Size
76KB
-
MD5
652eeaa68ce3f8f0d25a5c7ea69b43ba
-
SHA1
07e00a7e841a6694e14f2adf951600b1840548ae
-
SHA256
99a843369ad9e8aa851a3c58f749901ae8a859bbea06b2c4c83fcb5bc37203c4
-
SHA512
0492c944a0faa00e871326e09b7497ee68b0483aee8b64981252bba6f074a22cb623fbd162a07a5ec9c31c8fd44973487e37fa64edc179ed9d1f3b6a8b75d493
-
SSDEEP
1536:908ycVb3jZUVVS4DgzeZqJvhmjK5ZxMbngWYpaA9HAhWoICEWMPo:VycV4ieZq1kjKrxMrctghrIlWMg
Malware Config
Signatures
-
Pony family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2432-4-0x00000000001F0000-0x000000000021E000-memory.dmp upx behavioral1/memory/2432-5-0x00000000001F0000-0x000000000021E000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 2432 rundll32.exe Token: SeTcbPrivilege 2432 rundll32.exe Token: SeChangeNotifyPrivilege 2432 rundll32.exe Token: SeCreateTokenPrivilege 2432 rundll32.exe Token: SeBackupPrivilege 2432 rundll32.exe Token: SeRestorePrivilege 2432 rundll32.exe Token: SeIncreaseQuotaPrivilege 2432 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 2432 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30 PID 2676 wrote to memory of 2432 2676 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_652eeaa68ce3f8f0d25a5c7ea69b43ba.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_652eeaa68ce3f8f0d25a5c7ea69b43ba.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2432
-