Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/04/2024, 23:38 UTC

General

  • Target

    efc7ec79d32d3ff1bbccc437976190a0_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    efc7ec79d32d3ff1bbccc437976190a0

  • SHA1

    d338e809a644b12c81ea7bffb853ef643c43241f

  • SHA256

    f19ff4b1661df491dd1e3c5a70a16b1012b11c073e4f7e8908a82dd6abfeaf3b

  • SHA512

    d44b4727a0a1184511cab87856fc44085e4ae13b68e67f1c4fb7cb79cb4d7902d74c1c0da12dbedf1a8f1d8409f05eaefc0350337db161a0991d76052aa80b69

  • SSDEEP

    3072:cTltpXTmRUD82PbjCb5lcUpLhUf05x97bsqWpaM0fB8U6xcBwVSuU1E7YbqnOuOb:CuC7jj05CUpLhUsj97hM28xmwUuUKkbX

Malware Config

Extracted

Family

bazarloader

C2

167.99.240.197

207.154.236.187

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 4 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\efc7ec79d32d3ff1bbccc437976190a0_JaffaCakes118.dll
    1⤵
      PID:4580
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\efc7ec79d32d3ff1bbccc437976190a0_JaffaCakes118.dll,DllRegisterServer {39C19A04-6A5D-4A3B-BAE4-575B616C0EB6}
      1⤵
        PID:416
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4088

        Network

        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          80.192.122.92.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          80.192.122.92.in-addr.arpa
          IN PTR
          Response
          80.192.122.92.in-addr.arpa
          IN PTR
          a92-122-192-80.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          20.160.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          20.160.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          microsoft.com
          Remote address:
          8.8.8.8:53
          Request
          microsoft.com
          IN A
          Response
          microsoft.com
          IN A
          20.112.250.133
          microsoft.com
          IN A
          20.231.239.246
          microsoft.com
          IN A
          20.76.201.171
          microsoft.com
          IN A
          20.70.246.20
          microsoft.com
          IN A
          20.236.44.162
        • flag-us
          HEAD
          https://microsoft.com/telemetry/update.exe
          Remote address:
          20.112.250.133:443
          Request
          HEAD /telemetry/update.exe HTTP/2.0
          host: microsoft.com
          accept: */*
          accept-encoding: identity
          user-agent: Microsoft BITS/7.8
          Response
          HTTP/2.0 301
          date: Sun, 14 Apr 2024 23:39:07 GMT
          server: Kestrel
          location: https://www.microsoft.com/telemetry/update.exe
          strict-transport-security: max-age=31536000
        • flag-us
          DNS
          www.microsoft.com
          Remote address:
          8.8.8.8:53
          Request
          www.microsoft.com
          IN A
          Response
          www.microsoft.com
          IN CNAME
          www.microsoft.com-c-3.edgekey.net
          www.microsoft.com-c-3.edgekey.net
          IN CNAME
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
          IN CNAME
          e13678.dscb.akamaiedge.net
          e13678.dscb.akamaiedge.net
          IN A
          72.246.173.187
        • flag-nl
          HEAD
          https://www.microsoft.com/telemetry/update.exe
          Remote address:
          72.246.173.187:443
          Request
          HEAD /telemetry/update.exe HTTP/2.0
          host: www.microsoft.com
          accept: */*
          accept-encoding: identity
          user-agent: Microsoft BITS/7.8
          Response
          HTTP/2.0 404
          content-length: 81632
          content-type: text/html
          access-control-allow-credentials: true
          access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
          access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
          cache-control: private
          p3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
          correlationvector: OPeaP9RALUKmrv8a.1.0
          x-frame-options: SAMEORIGIN
          x-sitemuse-origin: Azure
          x-azure-ref: 20240414T233908Z-15d5687bc4d4hrwqh813vqz3ts00000003g0000000004qwn
          date: Sun, 14 Apr 2024 23:39:08 GMT
          set-cookie: MS-CV=OPeaP9RALUKmrv8a.1; domain=.microsoft.com; expires=Mon, 15-Apr-2024 23:39:08 GMT; path=/;samesite=None; secure
          tls_version: tls1.2
          strict-transport-security: max-age=31536000
          ms-cv: CASMicrosoftCV4dc1b9eb.0
          ms-cv-esi: CASMicrosoftCV4dc1b9eb.0
          x-rtag: RT
        • flag-us
          DNS
          133.250.112.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.250.112.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          187.173.246.72.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          187.173.246.72.in-addr.arpa
          IN PTR
          Response
          187.173.246.72.in-addr.arpa
          IN PTR
          a72-246-173-187.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          104.219.191.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          104.219.191.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          183.59.114.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          183.59.114.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          206.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.23.85.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          65.139.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          65.139.73.23.in-addr.arpa
          IN PTR
          Response
          65.139.73.23.in-addr.arpa
          IN PTR
          a23-73-139-65.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          202.77.24.184.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          202.77.24.184.in-addr.arpa
          IN PTR
          Response
          202.77.24.184.in-addr.arpa
          IN PTR
          a184-24-77-202.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN A
          Response
          chromewebstore.googleapis.com
          IN A
          172.217.169.74
          chromewebstore.googleapis.com
          IN A
          172.217.169.42
          chromewebstore.googleapis.com
          IN A
          142.250.179.234
          chromewebstore.googleapis.com
          IN A
          142.250.180.10
          chromewebstore.googleapis.com
          IN A
          142.250.187.202
          chromewebstore.googleapis.com
          IN A
          142.250.187.234
          chromewebstore.googleapis.com
          IN A
          142.250.178.10
          chromewebstore.googleapis.com
          IN A
          172.217.16.234
          chromewebstore.googleapis.com
          IN A
          142.250.200.10
          chromewebstore.googleapis.com
          IN A
          142.250.200.42
          chromewebstore.googleapis.com
          IN A
          216.58.201.106
          chromewebstore.googleapis.com
          IN A
          216.58.204.74
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN Unknown
          Response
        • flag-us
          DNS
          74.169.217.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          74.169.217.172.in-addr.arpa
          IN PTR
          Response
          74.169.217.172.in-addr.arpa
          IN PTR
          lhr48s09-in-f10.1e100.net
        • flag-us
          DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          204.201.50.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          204.201.50.20.in-addr.arpa
          IN PTR
          Response
        • 20.112.250.133:443
          https://microsoft.com/telemetry/update.exe
          tls, http2
          1.1kB
          8.4kB
          13
          15

          HTTP Request

          HEAD https://microsoft.com/telemetry/update.exe

          HTTP Response

          301
        • 167.99.240.197:443
          regsvr32.exe
          260 B
          200 B
          5
          5
        • 72.246.173.187:443
          https://www.microsoft.com/telemetry/update.exe
          tls, http2
          1.2kB
          7.7kB
          15
          17

          HTTP Request

          HEAD https://www.microsoft.com/telemetry/update.exe

          HTTP Response

          404
        • 20.231.121.79:80
          46 B
          1
        • 167.99.240.197:443
          regsvr32.exe
          260 B
          200 B
          5
          5
        • 172.217.169.74:443
          chromewebstore.googleapis.com
          tls
          2.0kB
          7.9kB
          16
          17
        • 167.99.240.197:443
          regsvr32.exe
          260 B
          200 B
          5
          5
        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          80.192.122.92.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          80.192.122.92.in-addr.arpa

        • 8.8.8.8:53
          20.160.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          20.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          microsoft.com
          dns
          59 B
          139 B
          1
          1

          DNS Request

          microsoft.com

          DNS Response

          20.112.250.133
          20.231.239.246
          20.76.201.171
          20.70.246.20
          20.236.44.162

        • 8.8.8.8:53
          www.microsoft.com
          dns
          63 B
          230 B
          1
          1

          DNS Request

          www.microsoft.com

          DNS Response

          72.246.173.187

        • 8.8.8.8:53
          133.250.112.20.in-addr.arpa
          dns
          73 B
          159 B
          1
          1

          DNS Request

          133.250.112.20.in-addr.arpa

        • 8.8.8.8:53
          187.173.246.72.in-addr.arpa
          dns
          73 B
          139 B
          1
          1

          DNS Request

          187.173.246.72.in-addr.arpa

        • 8.8.8.8:53
          104.219.191.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          104.219.191.52.in-addr.arpa

        • 8.8.8.8:53
          183.59.114.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          183.59.114.20.in-addr.arpa

        • 8.8.8.8:53
          206.23.85.13.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          206.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          65.139.73.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          65.139.73.23.in-addr.arpa

        • 8.8.8.8:53
          202.77.24.184.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          202.77.24.184.in-addr.arpa

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          267 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

          DNS Response

          172.217.169.74
          172.217.169.42
          142.250.179.234
          142.250.180.10
          142.250.187.202
          142.250.187.234
          142.250.178.10
          172.217.16.234
          142.250.200.10
          142.250.200.42
          216.58.201.106
          216.58.204.74

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          132 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

        • 8.8.8.8:53
          74.169.217.172.in-addr.arpa
          dns
          73 B
          112 B
          1
          1

          DNS Request

          74.169.217.172.in-addr.arpa

        • 8.8.8.8:53
          14.227.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          14.227.111.52.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          204.201.50.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          204.201.50.20.in-addr.arpa

        Downloads

        • memory/416-1-0x000002440C4E0000-0x000002440C5D2000-memory.dmp

          Filesize

          968KB

        • memory/416-2-0x000002440C4E0000-0x000002440C5D2000-memory.dmp

          Filesize

          968KB

        • memory/4580-0-0x0000000002410000-0x0000000002502000-memory.dmp

          Filesize

          968KB

        • memory/4580-3-0x0000000002410000-0x0000000002502000-memory.dmp

          Filesize

          968KB