Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/01/2025, 14:41
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_0e9d0251891b221685420a76ee08458b.dll
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_0e9d0251891b221685420a76ee08458b.dll
-
Size
76KB
-
MD5
0e9d0251891b221685420a76ee08458b
-
SHA1
93d5fefb6ef79baf9e3cbbf24fffe912da5f9bea
-
SHA256
29ab9cf34cac55f5f3891ec047369c625e0bcc172b00d14d86851d7f64ea8a6b
-
SHA512
7e2e08b6642511feb9a3d5201fea677059f55091f8771700ab9f540f47e7238a925f39aed6885b25dd2b328339a1ee0e26f9a5eabd14d6f736280ea4016a0043
-
SSDEEP
1536:g08ycVb3jZUVVS4DgzeZqJvhmjK5ZxMbngWYpaA9HAhWoICEWMPo:OycV4ieZq1kjKrxMrctghrIlWMg
Malware Config
Signatures
-
Pony family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral2/memory/3716-3-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3716-4-0x0000000000400000-0x000000000042E000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 3716 rundll32.exe Token: SeTcbPrivilege 3716 rundll32.exe Token: SeChangeNotifyPrivilege 3716 rundll32.exe Token: SeCreateTokenPrivilege 3716 rundll32.exe Token: SeBackupPrivilege 3716 rundll32.exe Token: SeRestorePrivilege 3716 rundll32.exe Token: SeIncreaseQuotaPrivilege 3716 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 3716 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2260 wrote to memory of 3716 2260 rundll32.exe 82 PID 2260 wrote to memory of 3716 2260 rundll32.exe 82 PID 2260 wrote to memory of 3716 2260 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e9d0251891b221685420a76ee08458b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e9d0251891b221685420a76ee08458b.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3716
-