Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240508-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11/05/2024, 11:26 UTC

General

  • Target
    345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
  • Size
    967KB
  • MD5
    345afdeff01a318bae48ef80ec680227
  • SHA1
    1388f456fabffe068de6e39429afee0a0b4c9c72
  • SHA256
    58cb93ebbf4fb0ccfa194ba814b45eb4413d9122a911806ca799494a7746b971
  • SHA512
    2a7a4fe80de99462dbad49a087536dd93fd1904fd1ea47f2da711c006ac39b37ca91014a9067e8bc5c63d8b89028ab3e640b0acbec24bdabde83b3d861e21758
  • SSDEEP
    24576:ztXCT35bEN60Yc/rMegvH6RK1aeGokgwHv:zKBtV6MjvH6RIrDCv

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp/fallbackfiles/'
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9105.bat" "C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 1 -w 1000
          4⤵
          • Runs ping.exe
          PID:1652

Network

  • flag-us
    DNS
    t8u4n6u7.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    t8u4n6u7.ssl.hwcdn.net
    IN A
    Response
    t8u4n6u7.ssl.hwcdn.net
    IN A
    205.185.208.154
  • flag-us
    DNS
    c6m7w2m9.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c6m7w2m9.ssl.hwcdn.net
    IN A
    Response
    c6m7w2m9.ssl.hwcdn.net
    IN A
    205.185.208.154
  • flag-us
    DNS
    fallback.playtech-installer.com
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    fallback.playtech-installer.com
    IN A
    Response
  • flag-us
    DNS
    log.web-installer-assets.com
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    log.web-installer-assets.com
    IN A
    Response
  • 205.185.208.154:443
    t8u4n6u7.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    152 B
    3
  • 205.185.208.154:80
    c6m7w2m9.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    152 B
    3
  • 205.185.208.154:443
    c6m7w2m9.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    104 B
    2
  • 205.185.208.154:443
    c6m7w2m9.ssl.hwcdn.net
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    104 B
    2
  • 8.8.8.8:53
    t8u4n6u7.ssl.hwcdn.net
    dns
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    68 B
    84 B
    1
    1

    DNS Request

    t8u4n6u7.ssl.hwcdn.net

    DNS Response

    205.185.208.154

  • 8.8.8.8:53
    c6m7w2m9.ssl.hwcdn.net
    dns
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    68 B
    84 B
    1
    1

    DNS Request

    c6m7w2m9.ssl.hwcdn.net

    DNS Response

    205.185.208.154

  • 8.8.8.8:53
    fallback.playtech-installer.com
    dns
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    77 B
    77 B
    1
    1

    DNS Request

    fallback.playtech-installer.com

  • 8.8.8.8:53
    log.web-installer-assets.com
    dns
    internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    74 B
    147 B
    1
    1

    DNS Request

    log.web-installer-assets.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9105.bat
    Filesize
    214B
    MD5
    739fcc7ba42b209fe44bea47e7a8c48f
    SHA1
    bc7a448a7c018133edcf012bc94301623eb42c5b
    SHA256
    69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
    SHA512
    2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a
  • C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\D76DACEAE6134388904C531847B4EA93_LogFile.txt
    Filesize
    9KB
    MD5
    a53d2bcd04a648af9e16c4ba860a32df
    SHA1
    5ae79c536c3e1e96eef960fa47d65092a6fa29f4
    SHA256
    7ec4c3368fb3c3921b42a3a0245f6612892702c0babcdd1ac3471d2985b82c97
    SHA512
    3ce1ded8435f66ab0e78d7dd89bb1532571fd18b7c5621f59ef7074ace98732d47ae5f535af2e48c3dbd8d1432b1c6ee7e460f1a18bafc3221fe8d0d513b7724
  • C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\D76DAC~1.TXT
    Filesize
    103KB
    MD5
    d739fe4a044870c8457cc7df27b8293a
    SHA1
    e90fd4c9f230100f40e59baf1762f2decefd2da5
    SHA256
    9348073b0bc758adfc383c29efbc46c112dbcba1d0a0525e6739ee6cec01f6d6
    SHA512
    e5d285ea312c623c32b993f8656e7e3732d5dea3e0dbcf65ce5040bd0edf8a949e63d13fe609953aa588591b05580758cfc872d16eb62029c2939886df2c739f
  • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_icon.ico
    Filesize
    11KB
    MD5
    592abe695d3fb84c8a7589b0d2553a97
    SHA1
    d70d6de6fa25ca1924bd02b84075ee94f3870133
    SHA256
    ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
    SHA512
    a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978
  • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_splash.png
    Filesize
    136KB
    MD5
    0a8589de904eec91522c276d896216c4
    SHA1
    58ba5e9158c3afa3c3112fe1e24567996794c07e
    SHA256
    496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
    SHA512
    bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd
  • \Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    Filesize
    1.8MB
    MD5
    77bfacca17ee1d89833b57f3a746d9a0
    SHA1
    aa9490c913489c5eafd02f67f875efcb56d23036
    SHA256
    38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
    SHA512
    21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
  • memory/2940-72-0x00000000006A0000-0x00000000006A1000-memory.dmp
    Filesize
    4KB
  • memory/2940-180-0x00000000006A0000-0x00000000006A1000-memory.dmp
    Filesize
    4KB
  • memory/3048-116-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize
    232KB
  • memory/3048-257-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize
    232KB