Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 06/02/2025, 23:11
Static task
- static1

Behavioral task
- behavioral1
  Sample: JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll
  Resource: win7-20240729-en

Behavioral task
- behavioral2
  Sample: JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll
  Resource: win10v2004-20250129-en
General
- Target: JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll
- Size: 195KB
- MD5: b0513a2e9f11f2ebc7d739e84f9f9b98
- SHA1: 6b6cb092ee713f0caeebabec1fb855c95dc78445
- SHA256: e7d2e3ede3d3f5c6a83e124f853b69f535c261c47f1cf03e5d0aac518568966a
- SHA512: a9abf6abb993b9fb0baa9edf5a02da0be5af38e404021b9e0483b7af49f0c50aa2529c2a4b567f623a050b218cb94312224f3b7d4260d49e48598a0b6c982123
- SSDEEP: 3072:5A2UsplBHR7MBcf/UAZ7M37Dbnz4j4hEvDAPxTgSkRRq4YT+R+SrPI//ou77Z:q2UIuyfvZE7v8j4hzgSWrwY
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Vlebayug = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll\",Startup"
  process: rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2340
  process: rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2340
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | procid_target
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
  PID 1940 wrote to memory of 2340 | 1940 | rundll32.exe | 30
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll,#1
  PID: 1940
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll,#1
    PID: 2340
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx