Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
163s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
11/04/2024, 01:46 UTC
General
-
Target
ec6b3700004df6b2620b44d7a27fded7_JaffaCakes118.exe
-
Size
133KB
-
MD5
ec6b3700004df6b2620b44d7a27fded7
-
SHA1
5bf19c7c6cb08b04c8432473e67aaf673f20e15e
-
SHA256
f4f0df931d4e319aeba711888b40d75ce38530959a5a5e4040c685685573f780
-
SHA512
77bf431672fc6288dcb8dc1f0c240dc5b08e5349987361fe333fd339b2110d02e86c7de136c84c74f071e39606007b33532b172c6b274c8e7ed6213264fab9c7
-
SSDEEP
3072:z7FiuCDWaoL2cgr7sS3aNP2026OvB/vq+vqQ:z0v9LjXP3aINv5qhQ
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec6b3700004df6b2620b44d7a27fded7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ec6b3700004df6b2620b44d7a27fded7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ec6b3700004df6b2620b44d7a27fded7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\ec6b3700004df6b2620b44d7a27fded7_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
-
Network
-
DNScutit.orgRemote address:8.8.8.8:53Requestcutit.orgIN AResponsecutit.orgIN A64.91.240.248 -
GEThttps://cutit.org/oxgBRRemote address:64.91.240.248:443RequestGET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: cutit.org
Cache-Control: no-cache
ResponseHTTP/1.1 302 Moved Temporarily
Date: Thu, 11 Apr 2024 01:46:45 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww1.cutit.org/oxgBR?usid=25&utid=6417720852
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
DNSww1.cutit.orgRemote address:8.8.8.8:53Requestww1.cutit.orgIN AResponseww1.cutit.orgIN CNAMEsedoparking.comsedoparking.comIN A64.190.63.136
-
GEThttp://ww1.cutit.org/oxgBR?usid=25&utid=6417720852Remote address:64.190.63.136:80RequestGET /oxgBR?usid=25&utid=6417720852 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww1.cutit.org
ResponseHTTP/1.1 439
date: Thu, 11 Apr 2024 01:46:46 GMT
content-length: 0
server: NginX
-
DNSq.gsRemote address:8.8.8.8:53Requestq.gsIN AResponseq.gsIN A104.21.84.133q.gsIN A172.67.193.84
-
GEThttp://q.gs/EVnYCRemote address:104.21.84.133:80RequestGET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: q.gs
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Date: Thu, 11 Apr 2024 01:46:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=g02avp9hlumsdoqan86so14p5f; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-20SCGP/EVnYC?rndad=3211120935-1712800006
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TRY3DUu%2FBRL%2FXMw0qg3ClU3D9AEyvNj1KRm7d34UlcFyuuBLLxo0J9CA%2Bz3Ius9eoIdmW091dqijrWncNen2VxYCjNNpxSsQ6USrmSVdnO3Af5hy%2Fk3P"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87274e071e6676af-LHR
alt-svc: h2=":443"; ma=60
-
DNSyxeepsek.netRemote address:8.8.8.8:53Requestyxeepsek.netIN AResponseyxeepsek.netIN A104.21.20.204yxeepsek.netIN A172.67.194.101
-
GEThttp://yxeepsek.net/-20SCGP/EVnYC?rndad=3211120935-1712800006Remote address:104.21.20.204:80RequestGET /-20SCGP/EVnYC?rndad=3211120935-1712800006 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
ResponseHTTP/1.1 302 Found
Date: Thu, 11 Apr 2024 01:46:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=6t82ec7csdc0gdgdpi0nuk36mm; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B9CQpTwz%2BJ0UUtn8NQix4gcoDjihqJmuJwE7dJgUwN8ZiK%2FAQF67PCnn0wELDgru13fwryxjVNx%2B9G2WatO3Cry%2BkWjZ2PRDo4LVodikROWmN5GsWe%2F0ff6XzeSAL4s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87274e091d3048bd-LHR
alt-svc: h2=":443"; ma=60
-
GEThttp://yxeepsek.net/suspended?a=3&u=20186239Remote address:104.21.20.204:80RequestGET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=6t82ec7csdc0gdgdpi0nuk36mm
ResponseHTTP/1.1 200 OK
Date: Thu, 11 Apr 2024 01:46:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QnLwydCllsCtE4B1p98AHQr%2BTlzoWoEmBf%2BSSYDFkpvpGeSE8zuCSZgiuGTLU67wVGF0ps%2Bj6V6Y6LSEGb9gb3wiX35WBKUkuc27KlR5V1W%2FT0qDKU8lUW3Yvfp2I3A%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87274e0a9dd848bd-LHR
alt-svc: h2=":443"; ma=60
-
64.91.240.248:443https://cutit.org/oxgBRtls, http
HTTP Request
GET https://cutit.org/oxgBRHTTP Response
302 -
64.190.63.136:80http://ww1.cutit.org/oxgBR?usid=25&utid=6417720852http
HTTP Request
GET http://ww1.cutit.org/oxgBR?usid=25&utid=6417720852HTTP Response
439 -
104.21.84.133:80http://q.gs/EVnYChttp
HTTP Request
GET http://q.gs/EVnYCHTTP Response
301 -
104.21.20.204:80http://yxeepsek.net/suspended?a=3&u=20186239http
HTTP Request
GET http://yxeepsek.net/-20SCGP/EVnYC?rndad=3211120935-1712800006HTTP Response
302HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239HTTP Response
200
-
8.8.8.8:53cutit.orgdns
DNS Request
cutit.org
DNS Response
64.91.240.248
-
8.8.8.8:53ww1.cutit.orgdns
DNS Request
ww1.cutit.org
DNS Response
64.190.63.136
-
8.8.8.8:53q.gsdns
DNS Request
q.gs
DNS Response
104.21.84.133172.67.193.84
-
8.8.8.8:53yxeepsek.netdns
DNS Request
yxeepsek.net
DNS Response
104.21.20.204172.67.194.101
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD50b97bba2778a4e928347af15bd3bede7
SHA1f33b8deeebb090fc36273b212ec039fd61858b50
SHA2567168b69080f9f1205fff8666e6794fafca40930b1862798bc00d889787956100
SHA5123c3e906ca8219ea17c85395f8aa5058e3818d00aba23fe53fb912fcef15d0037fc04d3fcdfbc2f5f9dfff58e995dcb1d0dccaabf9d50a7eebaecd2415aa6e817
-
Filesize
536KB
-
Filesize
124KB
-
Filesize
132KB
-
Filesize
536KB
-
Filesize
124KB
-
Filesize
536KB
-
Filesize
132KB
-
Filesize
536KB