Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f999740e94...18.exe

windows7-x64

7

f999740e94...18.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 05:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f999740e9439e553f81a25b83b346733_JaffaCakes118.exe

  • Size

    514KB

  • MD5

    f999740e9439e553f81a25b83b346733

  • SHA1

    8a574f8a70bdfa55737847b5c935b42e08c72a71

  • SHA256

    8c4e1f3edfcc474f9cf2175dacb421966fa627cafa5937b3cd73ad9f1095efeb

  • SHA512

    8cf05dd3b66d08e36e25e1d68b3d5ebbf94074b1ea2ded88b766cea3eaffcbed01b330fde4f07fc2a46dafc0eb340979dbf755eadfab00756710c8a38d88b599

  • SSDEEP

    3072:7+ZvkWp8qX96QfCDpMqrT4GmdVM3bXKCKk3T1a/PTYhA7Jf22QA6Ivv1tH/nSrNF:aZmqt6Qyiy3b6CR10TY8JOArF9S9

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f999740e9439e553f81a25b83b346733_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f999740e9439e553f81a25b83b346733_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
      2⤵
        PID:2204

    Network

    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      98.58.20.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      98.58.20.217.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=0DC677D1F8DE65E53B9063B7F965641B; domain=.bing.com; expires=Wed, 14-May-2025 05:27:30 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B55D2BE072824D9E98A2EB3B690896EF Ref B: LON04EDGE0916 Ref C: 2024-04-19T05:27:30Z
      date: Fri, 19 Apr 2024 05:27:29 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0DC677D1F8DE65E53B9063B7F965641B
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=JzaGwizkZ9hGkdibdU3ftHkz_B8Ha289_mhmCMHSdis; domain=.bing.com; expires=Wed, 14-May-2025 05:27:30 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 804B097728CE4D59AF08FA2827E3FC4C Ref B: LON04EDGE0916 Ref C: 2024-04-19T05:27:30Z
      date: Fri, 19 Apr 2024 05:27:29 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0DC677D1F8DE65E53B9063B7F965641B; MSPTC=JzaGwizkZ9hGkdibdU3ftHkz_B8Ha289_mhmCMHSdis
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9F496898E30A4E289D3B3C07909F3EC8 Ref B: LON04EDGE0916 Ref C: 2024-04-19T05:27:30Z
      date: Fri, 19 Apr 2024 05:27:29 GMT
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.114.53.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.114.53.23.in-addr.arpa
      IN PTR
      Response
      21.114.53.23.in-addr.arpa
      IN PTR
      a23-53-114-21deploystaticakamaitechnologiescom
    • flag-us
      DNS
      156.33.209.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      156.33.209.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
      Response
      91.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-91deploystaticakamaitechnologiescom
    • flag-us
      DNS
      82.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.90.14.23.in-addr.arpa
      IN PTR
      Response
      82.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-82deploystaticakamaitechnologiescom
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
      tls, http2
      2.0kB
       9.2kB
       22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

      HTTP Response

      204
    • 52.111.236.23:443
      322 B
       7
    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      98.58.20.217.in-addr.arpa
      dns
      71 B
       131 B
       1
      1

      DNS Request

      98.58.20.217.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       151 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
       143 B
       1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      21.114.53.23.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      21.114.53.23.in-addr.arpa

    • 8.8.8.8:53
      156.33.209.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      156.33.209.4.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      91.90.14.23.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      91.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      82.90.14.23.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      82.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe
      Filesize

      514KB

      MD5

      f999740e9439e553f81a25b83b346733

      SHA1

      8a574f8a70bdfa55737847b5c935b42e08c72a71

      SHA256

      8c4e1f3edfcc474f9cf2175dacb421966fa627cafa5937b3cd73ad9f1095efeb

      SHA512

      8cf05dd3b66d08e36e25e1d68b3d5ebbf94074b1ea2ded88b766cea3eaffcbed01b330fde4f07fc2a46dafc0eb340979dbf755eadfab00756710c8a38d88b599

      Download Submit

    • \??\c:\$$$$$.bat
      Filesize

      228B

      MD5

      be2002d4f4062c3589e1e0a4ea5e8a1b

      SHA1

      1f86818453417a86c91971127f5a854d638cc582

      SHA256

      d115d885096ff41d57cf94bd2e5ffa050c36a1990a29915dffc9301547201e58

      SHA512

      013b97c8f26f823b77bd4b38fa51bed0eaa29c0432e989f875bbb257ac4d5b08b8237b61670216670b567be8bd2fe937c15a2c7a16dbd4e89398e2aadbc92610

      Download Submit

    • memory/1132-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1132-706-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1132-821-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.