Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 21:32 UTC
Behavioral task
behavioral1
Sample
26d677861d07f32f5a1eb2336f8b3a2f_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
26d677861d07f32f5a1eb2336f8b3a2f_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsArray.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsArray.dll
Resource
win10v2004-20240508-en
General
-
Target
$PLUGINSDIR/NSISdl.dll
-
Size
14KB
-
MD5
a5f8399a743ab7f9c88c645c35b1ebb5
-
SHA1
168f3c158913b0367bf79fa413357fbe97018191
-
SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
-
SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
SSDEEP
192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1704 3848 WerFault.exe 91 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4136 wrote to memory of 3848 4136 rundll32.exe 91 PID 4136 wrote to memory of 3848 4136 rundll32.exe 91 PID 4136 wrote to memory of 3848 4136 rundll32.exe 91
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#12⤵PID:3848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 6243⤵
- Program crash
PID:1704
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3848 -ip 38481⤵PID:1268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4584 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:3952
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request79.190.18.2.in-addr.arpaIN PTRResponse79.190.18.2.in-addr.arpaIN PTRa2-18-190-79deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN AResponsechromewebstore.googleapis.comIN A142.250.200.10chromewebstore.googleapis.comIN A142.250.200.42chromewebstore.googleapis.comIN A216.58.201.106chromewebstore.googleapis.comIN A216.58.204.74chromewebstore.googleapis.comIN A216.58.212.202chromewebstore.googleapis.comIN A216.58.212.234chromewebstore.googleapis.comIN A172.217.169.74chromewebstore.googleapis.comIN A142.250.179.234chromewebstore.googleapis.comIN A142.250.180.10chromewebstore.googleapis.comIN A142.250.187.202chromewebstore.googleapis.comIN A142.250.187.234chromewebstore.googleapis.comIN A142.250.178.10chromewebstore.googleapis.comIN A172.217.16.234
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN UnknownResponse
-
Remote address:8.8.8.8:53Requestpki.googIN AResponsepki.googIN A216.239.32.29
-
Remote address:8.8.8.8:53Requestpki.googIN UnknownResponse
-
Remote address:216.239.32.29:80RequestGET /gsr1/gsr1.crt HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Content-Encoding: gzip
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 797
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 08 May 2024 21:03:54 GMT
Expires: Wed, 08 May 2024 21:53:54 GMT
Cache-Control: public, max-age=3000
Age: 1736
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
-
Remote address:216.239.32.29:80RequestGET /repo/certs/gtsr1.der HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1371
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 08 May 2024 21:00:30 GMT
Expires: Wed, 08 May 2024 21:50:30 GMT
Cache-Control: public, max-age=3000
Age: 1940
Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
-
Remote address:216.239.32.29:80RequestGET /repo/certs/gts1c3.der HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Content-Encoding: gzip
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1304
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 08 May 2024 21:09:18 GMT
Expires: Wed, 08 May 2024 21:59:18 GMT
Cache-Control: public, max-age=3000
Age: 1412
Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Request10.200.250.142.in-addr.arpaIN PTRResponse10.200.250.142.in-addr.arpaIN PTRlhr48s29-in-f101e100net
-
Remote address:8.8.8.8:53Request29.32.239.216.in-addr.arpaIN PTRResponse29.32.239.216.in-addr.arpaIN PTRany-in-201d1e100net
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request201.64.52.20.in-addr.arpaIN PTRResponse
-
909 B 5.2kB 8 8
-
1.3kB 6.1kB 10 10
HTTP Request
GET http://pki.goog/gsr1/gsr1.crtHTTP Response
200HTTP Request
GET http://pki.goog/repo/certs/gtsr1.derHTTP Response
200HTTP Request
GET http://pki.goog/repo/certs/gts1c3.derHTTP Response
200 -
46 B 40 B 1 1
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
79.190.18.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
75 B 283 B 1 1
DNS Request
chromewebstore.googleapis.com
DNS Response
142.250.200.10142.250.200.42216.58.201.106216.58.204.74216.58.212.202216.58.212.234172.217.169.74142.250.179.234142.250.180.10142.250.187.202142.250.187.234142.250.178.10172.217.16.234
-
75 B 132 B 1 1
DNS Request
chromewebstore.googleapis.com
-
54 B 70 B 1 1
DNS Request
pki.goog
DNS Response
216.239.32.29
-
54 B 128 B 1 1
DNS Request
pki.goog
-
73 B 112 B 1 1
DNS Request
10.200.250.142.in-addr.arpa
-
72 B 107 B 1 1
DNS Request
29.32.239.216.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
201.64.52.20.in-addr.arpa