Analysis

  • max time kernel
    120s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 19:42 UTC

General

  • Target

    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    f68710fe35afa8f2b117ac95574d069b

  • SHA1

    3c8077cf1ac9fcb2e19fa783703d07a3373f3582

  • SHA256

    3f788f28e51b2aa32ea58f8485b947ca72dafc84a47455ef50c9b4aa0a706c07

  • SHA512

    85deb8f266029d1664d4a0fbe730fbb2bc6d494161af686eb126c3281602daaee37e4c3ca2b874681897e471daec53a11282543c00bba82ebfa910050efdb451

  • SSDEEP

    24576:2i82rieWoznFLPlBwE43w4TRJWvbyIF+/htSdTXe1aW/AXiZwR7eIWO:2F2rJn9wE4AsiD+/3SlXe8W/Avpf

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:3740

Network

  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.121.18.2.in-addr.arpa
    IN PTR
    Response
    198.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-198.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    zipansion.com
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • flag-us
    GET
    http://zipansion.com/2pRLi
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 17 Apr 2024 19:46:23 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: keep-alive
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DIsVW0WbbPq4C40k7PrwDjDJ8yKj0SgVFvUom5%2F2f3wlYHtonhhtq5MR0AjICpHahYbNnd7RFpcL9TdiEGTPUlOxGft4GMs0%2FWjpRe3JQ0i99POnoBvVC9fcN%2Fc7gI9o"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 875eebc0abfa79ae-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    publisher.linkvertise.com
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    publisher.linkvertise.com
    IN A
    Response
    publisher.linkvertise.com
    IN A
    104.26.15.247
    publisher.linkvertise.com
    IN A
    172.67.69.167
    publisher.linkvertise.com
    IN A
    104.26.14.247
  • flag-us
    GET
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    104.26.15.247:443
    Request
    GET /adfly-hard-migrator/url?url=http://zipansion.com/2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: publisher.linkvertise.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Date: Wed, 17 Apr 2024 19:46:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://linkvertise.com/adfly-notice
    Cache-Control: no-cache, private
    vary: Origin
    set-cookie: laravel_session=j2XkIFVMdmJuc7Or3472EHAZGFHaOFdkdVPqITQp; expires=Thu, 17 Apr 2025 19:46:23 GMT; Max-Age=31536000; path=/; domain=.linkvertise.com; httponly
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bVOQCWyrXMrVfF1KSeO1tySYDn9WP5UUqnBd6S6VlwPhFOjX6rtoNMLvT%2BYEAdBRUwit2U7YUsf6j55%2BfMhQByL8UOgCEh%2F83a9u1X4hihuxz0TuRq5ygJfbOyRsD26%2BHowJ8DoRnNhoQPs%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 875eebc339ce94b7-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    247.15.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    247.15.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.169.217.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.169.217.172.in-addr.arpa
    IN PTR
    Response
    67.169.217.172.in-addr.arpa
    IN PTR
    lhr48s09-in-f31e100net
  • flag-us
    DNS
    linkvertise.com
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    linkvertise.com
    IN A
    Response
    linkvertise.com
    IN A
    172.67.69.167
    linkvertise.com
    IN A
    104.26.15.247
    linkvertise.com
    IN A
    104.26.14.247
  • flag-us
    GET
    https://linkvertise.com/adfly-notice
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    172.67.69.167:443
    Request
    GET /adfly-notice HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: linkvertise.com
    Cookie: laravel_session=j2XkIFVMdmJuc7Or3472EHAZGFHaOFdkdVPqITQp
    Response
    HTTP/1.1 200 OK
    Date: Wed, 17 Apr 2024 19:46:24 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    Link: <//cdn.exmarketplace.com>; rel="preconnect", <//securepubads.g.doubleclick.net>; rel="preconnect"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=noKGvZRq46pP0qaK7Y%2B8h425xdnPdrvOeHb6XyBDgcJZBM0D8aI%2FDuRP%2BGCIPS7WDW6EhxnnlN0N9JimNwkv5E6HlKVAJw2q0lfq2wQ3Glel8nFbV807GlpZNV2X%2BOMHubc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 875eebc68bd463eb-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    x2.c.lencr.org
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    2.21.17.29
  • flag-us
    DNS
    75.121.18.2.in-addr.arpa
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    75.121.18.2.in-addr.arpa
    IN PTR
    Response
    75.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-75.deploy.static.akamaitechnologies.com
  • flag-be
    GET
    http://x2.c.lencr.org/
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    Remote address:
    2.21.17.29:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
    ETag: "65ca969f-12b"
    Cache-Control: max-age=3600
    Expires: Wed, 17 Apr 2024 20:46:24 GMT
    Date: Wed, 17 Apr 2024 19:46:24 GMT
    Content-Length: 299
    Connection: keep-alive
  • flag-us
    DNS
    167.69.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.69.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.17.21.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.17.21.2.in-addr.arpa
    IN PTR
    Response
    29.17.21.2.in-addr.arpa
    IN PTR
    a2-21-17-29.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    99.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    483 B
    1.1kB
    7
    4

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    302
  • 104.26.15.247:443
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    tls, http
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    1.2kB
    7.1kB
    15
    11

    HTTP Request

    GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi

    HTTP Response

    302
  • 172.67.69.167:443
    https://linkvertise.com/adfly-notice
    tls, http
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    3.0kB
    54.9kB
    53
    49

    HTTP Request

    GET https://linkvertise.com/adfly-notice

    HTTP Response

    200
  • 2.21.17.29:80
    http://x2.c.lencr.org/
    http
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    437 B
    760 B
    7
    4

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    198.121.18.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    198.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    zipansion.com
    dns
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    publisher.linkvertise.com
    dns
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    71 B
    119 B
    1
    1

    DNS Request

    publisher.linkvertise.com

    DNS Response

    104.26.15.247
    172.67.69.167
    104.26.14.247

  • 8.8.8.8:53
    114.73.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    114.73.21.104.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    247.15.26.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    247.15.26.104.in-addr.arpa

  • 8.8.8.8:53
    67.169.217.172.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    67.169.217.172.in-addr.arpa

  • 8.8.8.8:53
    linkvertise.com
    dns
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    61 B
    109 B
    1
    1

    DNS Request

    linkvertise.com

    DNS Response

    172.67.69.167
    104.26.15.247
    104.26.14.247

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe
    130 B
    298 B
    2
    2

    DNS Request

    x2.c.lencr.org

    DNS Response

    2.21.17.29

    DNS Request

    75.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    167.69.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    167.69.67.172.in-addr.arpa

  • 8.8.8.8:53
    29.17.21.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    29.17.21.2.in-addr.arpa

  • 8.8.8.8:53
    99.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    99.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    8.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    8.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f68710fe35afa8f2b117ac95574d069b_JaffaCakes118.exe

    Filesize

    1.3MB

    MD5

    730ef75b7a2dc90a40074af2e7108d50

    SHA1

    e3ed65b76e98370fbb13ab635062bf3972e9f6d0

    SHA256

    7216c852612e5892767c178208d99fb9f5db9ddcd53105f7e41c6b1cfa5ec375

    SHA512

    46e32c213c6f4c694236330332c21cacad5f2bd625f905cb04736b9f8243487dd401f75b0968062d7e073f10bea82582d389629fa1ca868864d0e8e2d132e66e

  • memory/2348-0-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2348-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

    Filesize

    1.2MB

  • memory/2348-2-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2348-12-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/3740-13-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/3740-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

    Filesize

    1.2MB

  • memory/3740-14-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/3740-20-0x00000000055B0000-0x00000000057DA000-memory.dmp

    Filesize

    2.2MB

  • memory/3740-21-0x0000000000400000-0x000000000061D000-memory.dmp

    Filesize

    2.1MB

  • memory/3740-40-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB
