Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2074ab715f...18.exe

windows7-x64

7

2074ab715f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 11:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe

  • Size

    8.9MB

  • MD5

    2074ab715fdd1eeb21ebe7af4d7a08a0

  • SHA1

    868968c4653578a9b1e22a77981f2df8421975cc

  • SHA256

    575175e7a4e9f822848f4d0a4486bb01cbd182716aee6dc34d450dcc1a07af09

  • SHA512

    fe9f1b4aedc79cb6697b937ca23a0a55b33a5703dc200dd1eba5e7afe6f917a5fc6fec228a4fc7cdd92b398af7f8649c0c0a66c281e09d1b47b00dbab04b85a2

  • SSDEEP

    196608:8Bazg7DSmBazg7DSm8Bazg7DSmBazg7DSmn:Rg7uDg7uIg7uDg7uA

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1104
    • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:388
    • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2116

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    sunray1975.zapto.org
    7D57AD13E21.exe
    Remote address:
    8.8.8.8:53
    Request
    sunray1975.zapto.org
    IN A
    Response
  • flag-us
    DNS
    40.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.134.221.88.in-addr.arpa
    IN PTR
    Response
    40.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-40deploystaticakamaitechnologiescom
  • flag-us
    DNS
    sunray1975.zapto.org
    7D57AD13E21.exe
    Remote address:
    8.8.8.8:53
    Request
    sunray1975.zapto.org
    IN A
    Response
  • flag-us
    DNS
    sunray1975.zapto.org
    7D57AD13E21.exe
    Remote address:
    8.8.8.8:53
    Request
    sunray1975.zapto.org
    IN A
    Response
  • flag-us
    DNS
    218.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    218.135.221.88.in-addr.arpa
    IN PTR
    Response
    218.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-218deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    sunray1975.zapto.org
    7D57AD13E21.exe
    Remote address:
    8.8.8.8:53
    Request
    sunray1975.zapto.org
    IN A
    Response
  • flag-us
    DNS
    sunray1975.zapto.org
    7D57AD13E21.exe
    Remote address:
    8.8.8.8:53
    Request
    sunray1975.zapto.org
    IN A
    Response
No results found
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    79.121.231.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    79.121.231.20.in-addr.arpa

  • 8.8.8.8:53
    sunray1975.zapto.org
    dns
    7D57AD13E21.exe
    66 B
     126 B
     1
    1

    DNS Request

    sunray1975.zapto.org

  • 8.8.8.8:53
    40.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    40.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    sunray1975.zapto.org
    dns
    7D57AD13E21.exe
    66 B
     126 B
     1
    1

    DNS Request

    sunray1975.zapto.org

  • 8.8.8.8:53
    sunray1975.zapto.org
    dns
    7D57AD13E21.exe
    66 B
     126 B
     1
    1

    DNS Request

    sunray1975.zapto.org

  • 8.8.8.8:53
    218.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    218.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    sunray1975.zapto.org
    dns
    7D57AD13E21.exe
    66 B
     126 B
     1
    1

    DNS Request

    sunray1975.zapto.org

  • 8.8.8.8:53
    sunray1975.zapto.org
    dns
    7D57AD13E21.exe
    66 B
     126 B
     1
    1

    DNS Request

    sunray1975.zapto.org

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    Filesize

    8.9MB

    MD5

    4d8b6bc510429f3a92a43bf0280b4c68

    SHA1

    fc7efc34053a8c868c008198c24ff56c9ed954b1

    SHA256

    3d924cc6e927bcbea8140cb0c1759bb9ed4b7c868f9cfd9f98b2dc60ed310048

    SHA512

    5ad9514926527aff62472ecc8d4035cf54cfc358abab090ef727e59db5b86349327f4174179922b0fe612fba79188777ee86f2e007f141a2749e5823d537a0d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
    Filesize

    1.0MB

    MD5

    a2f259ceb892d3b0d1d121997c8927e3

    SHA1

    6e0a7239822b8d365d690a314f231286355f6cc6

    SHA256

    ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

    SHA512

    5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

    Download Submit

  • memory/388-34-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-31-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-39-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-35-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-38-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-44-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-41-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1396-24-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1396-0-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-11-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1396-1-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-29-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-33-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-12-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-30-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

    Download

  • memory/2116-37-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-28-0x0000000002510000-0x0000000002511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-25-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.