Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e96a9dbcc0...18.exe

windows7-x64

10

e96a9dbcc0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 07:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    e96a9dbcc089237f78ec8c2fb417cd43

  • SHA1

    3bd4a49dc3efe6a3ad06e67a8dc4bae8a8a8b6c4

  • SHA256

    c06acd7f6f4c44fc52d9f07b430079e12dc1b857c346818f0bd2064774d8df7b

  • SHA512

    386fc40141d7a8e4295b1c00959eacb6414c3d450ec02bae6449bc3183dc5d9212098471d8023e2101ecba82595811273e98cd1a0128479511adac3a7936c1aa

  • SSDEEP

    6144:208bRhsVZdfF8oVnzhstpwQvK+w8B0aRGJi4oAle0esKPUN4b8j7xyUg5JVcS:2B4V/fFbUpwTn8GJi4cxUN4b8jkUg5Jm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Users\Admin\AppData\Local\32698158\X
        193.105.154.210:80
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:4184

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    91.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    91.90.14.23.in-addr.arpa
    IN PTR
    Response
    91.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-91deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    85.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 193.105.154.210:80
    e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
    260 B
     5
  • 193.105.154.210:80
    e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
    260 B
     5
  • 193.105.154.210:80
    e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
    260 B
     5
  • 193.105.154.210:80
    X
    260 B
     5
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    91.90.14.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    91.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    85.65.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    85.65.42.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\32698158\X
    Filesize

    41KB

    MD5

    686b479b0ee164cf1744a8be359ebb7d

    SHA1

    8615e8f967276a85110b198d575982a958581a07

    SHA256

    fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

    SHA512

    7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

    Download Submit

  • memory/456-2-0x00000000000C0000-0x00000000001C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/456-1-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/456-9-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/456-11-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/3536-8-0x0000000000760000-0x0000000000768000-memory.dmp

    Filesize

    32KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.