Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
14s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 12:48
Behavioral task
behavioral1
Sample
JaffaCakes118_3fb2e10216207aad054db043f8cdd6d2.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_3fb2e10216207aad054db043f8cdd6d2.dll
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_3fb2e10216207aad054db043f8cdd6d2.dll
-
Size
122KB
-
MD5
3fb2e10216207aad054db043f8cdd6d2
-
SHA1
0a704d3f4104d32161f68bcc607e7201d898e9ed
-
SHA256
44211df5a868c8f62026add71f37de7c23f2896643df105fb261b9cd8942958f
-
SHA512
07dcbc7e5ad29e82d9963cc57c1dd66e03c1b04b02067faa2efed393e519dda235ed5bde9f6950999806608fd972e6fc9845ff6ad0e2b2b26313ff0be6b39d59
-
SSDEEP
3072:of9xHwm1PXBmXZFeA28pMGEdePl9dehiv80P80Cnp8d6d:wdwaWB28adeP/deUv80P80Ap8e
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398D0E68-B161-4042-A2D7-5A073650CE49}\stubpath = "þÿÿÿX" rundll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{398D0E68-B161-4042-A2D7-5A073650CE49} rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398D0E68-B161-4042-A2D7-5A073650CE49}\ = "ϵͳÉèÖÃ" rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29 PID 1996 wrote to memory of 1856 1996 rundll32.exe 29
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb2e10216207aad054db043f8cdd6d2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb2e10216207aad054db043f8cdd6d2.dll,#12⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
PID:1856
-