Analysis

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 21/05/2024, 20:27 UTC
Static task
static1
Behavioral task
behavioral1
Sample
64a736e14a1c018f5db18abfdba3e590_JaffaCakes118.html
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
64a736e14a1c018f5db18abfdba3e590_JaffaCakes118.html
Resource
win10v2004-20240508-en
General

Target: 64a736e14a1c018f5db18abfdba3e590_JaffaCakes118.html
Size: 13KB
MD5: 64a736e14a1c018f5db18abfdba3e590
SHA1: c61faea8d059aa1461e75ec81169b799691c04ea
SHA256: 040add15d6ecd1a33d0e95e3a5d664220bb89563ea087f9e85610b899f780da3
SHA512: b84482e686d6a7a97286559b94c394b654e74067a04705885a5a5db9fd369954f0669a12a2612a111c2f978e861e8545441af48cbec62d39ce6385d8fe0b4160
SSDEEP: 384:QlJsIX05xpbvDEdSNW1fVZS5LljG23vw9khUXulQTfCd6s0NfnKQG2O9LQXmN:8JtIxpb2SNgUdlqmAXmN
Malware Config
Signatures
Modifies Internet Explorer settings 26 IoCs
description  ioc  Process
All keys below are under \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer (the sandbox user's HKCU hive).
Key created        \Recovery\AdminActive  iexplore.exe
Set value (str)    \Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created        \Main  iexplore.exe
Key created        \GPU  iexplore.exe
Key created        \Main\WindowsSearch  iexplore.exe
Set value (int)    \Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created        \DomainSuggestion  iexplore.exe
Set value (int)    \DomainSuggestion\NextUpdateDate = "422485111"  iexplore.exe
Key created        \Zoom  iexplore.exe
Set value (int)    \Main\CompatibilityFlags = "0"  iexplore.exe
Set value (int)    \Recovery\AdminActive\{87DF8B41-17B0-11EF-A5B4-4205ACB4EED4} = "0"  iexplore.exe
Key created        \IETld\LowMic  iexplore.exe
Key created        \LowRegistry\DOMStorage  iexplore.exe
Key created        \Toolbar\WebBrowser  iexplore.exe
Set value (str)    \Main\FullScreen = "no"  iexplore.exe
Set value (data)   \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created        \Recovery\PendingRecovery  iexplore.exe
Key created        \LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created        \PageSetup  iexplore.exe
Set value (int)    \Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created        \IntelliForms  iexplore.exe
Key created        \InternetRegistry  iexplore.exe
Key created        \LowRegistry  iexplore.exe
Key created        \Main  IEXPLORE.EXE
Key created        \BrowserEmulation\LowMic  iexplore.exe
Key created        \Toolbar  iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1244  iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
1244  iexplore.exe
1244  iexplore.exe
2924  IEXPLORE.EXE
2924  IEXPLORE.EXE
2924  IEXPLORE.EXE
2924  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process       procid_target
PID 1244 wrote to memory of 2924   1244  iexplore.exe  28
PID 1244 wrote to memory of 2924   1244  iexplore.exe  28
PID 1244 wrote to memory of 2924   1244  iexplore.exe  28
PID 1244 wrote to memory of 2924   1244  iexplore.exe  28
Processes

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\64a736e14a1c018f5db18abfdba3e590_JaffaCakes118.html
  PID: 1244
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (child of PID 1244)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
    PID: 2924
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

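The WriteProcessMemory and SetWindowsHookEx signatures above both fire on the iexplore.exe (PID 1244) to IEXPLORE.EXE (PID 2924) pair. On Windows 7 that is the normal Internet Explorer layout: a frame process spawns each tab as a separate IEXPLORE.EXE with the arguments SCODEF:<frame PID> CREDAT:<n>, and the frame writes into and hooks its tabs. The Python below is an added triage check, not part of the tria.ge report, that confirms the child fits that pattern and flags any other child of the frame. The cmd.exe entry is constructed for the example and does not appear in the report. Matching the pattern only lowers priority: a command line is attacker-controlled, so the check is not proof of a benign tab.

```python
"""Separate the expected IE frame -> tab relationship from an unexpected child.

Added example, not part of the tria.ge report. Process records are copied from
the report's Processes section; the cmd.exe child is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Copied from the report: the IE frame process and its one tab process.
REPORT_PROCS: List[Proc] = [
    Proc(1244, None, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" '
         r"C:\Users\Admin\AppData\Local\Temp\64a736e14a1c018f5db18abfdba3e590_JaffaCakes118.html"),
    Proc(2924, 1244, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2'),
]

# Hypothetical extra child, constructed for this example (NOT in the report):
# a shell spawned by the IE frame process, which no tab-process rule should excuse.
HYPOTHETICAL_PROCS: List[Proc] = REPORT_PROCS + [
    Proc(3100, 1244, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c whoami'),
]

# IE tab processes carry the PID of their frame process in SCODEF:<pid>.
TAB_ARGS = re.compile(r"\bSCODEF:(\d+)\s+CREDAT:\d+", re.IGNORECASE)


def _is_ie_image(path: str) -> bool:
    # Both the 64-bit frame and the 32-bit tab live under <Program Files*>\Internet Explorer\.
    return path.lower().endswith("\\internet explorer\\iexplore.exe")


def is_ie_tab(parent: Proc, child: Proc) -> bool:
    """True if child is an IE tab whose SCODEF value names its actual parent frame."""
    if not (_is_ie_image(parent.image) and _is_ie_image(child.image)):
        return False
    m = TAB_ARGS.search(child.cmdline)
    return m is not None and int(m.group(1)) == parent.pid


def triage(procs: List[Proc]) -> Dict[int, str]:
    """Label every child of an IE process: 'ie-tab' (expected) or 'unexpected-child'."""
    by_pid = {p.pid: p for p in procs}
    verdicts: Dict[int, str] = {}
    for p in procs:
        if p.ppid is None or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        if not _is_ie_image(parent.image):
            continue
        verdicts[p.pid] = "ie-tab" if is_ie_tab(parent, p) else "unexpected-child"
    return verdicts


if __name__ == "__main__":
    print(triage(REPORT_PROCS))        # {2924: 'ie-tab'}
    print(triage(HYPOTHETICAL_PROCS))  # {2924: 'ie-tab', 3100: 'unexpected-child'}
```

The same rule generalises to other multi-process browsers: encode the parent/child and command-line shape the browser really uses, and let the sandbox's generic WriteProcessMemory and SetWindowsHookEx hits stand out only when a child breaks that shape.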
Network

Remote address: 8.8.8.8:53
Request: ww4.sinaimg.cn IN A
Response:
  ww4.sinaimg.cn IN CNAME weiboimg.gslb.sinaedge.com
  weiboimg.gslb.sinaedge.com IN CNAME weiboimgwx.grid.sinaedge.com
  weiboimgwx.grid.sinaedge.com IN CNAME ww1.sinaimg.cn.w.alikunlun.com
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.239
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.242
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.249
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.240
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.243
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.244
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.248
  ww1.sinaimg.cn.w.alikunlun.com IN A 163.181.154.241

Remote address: 8.8.8.8:53
Request: www.awfuli.com IN A
Response:
  www.awfuli.com IN A 38.53.11.2

Remote address: 8.8.8.8:53
Request: dns.msftncsi.com IN AAAA
Response:
  dns.msftncsi.com IN AAAA fd3e:4f5a:5b81::1

Remote address: 8.8.8.8:53
Request: img3.doubanio.com IN A
Response:
  img3.doubanio.com IN CNAME img3.doubanio.com.w.alikunlun.com
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.243
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.240
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.248
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.242
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.241
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.239
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.249
  img3.doubanio.com.w.alikunlun.com IN A 163.181.154.244

Remote address: 8.8.8.8:53
Request: apps.bdimg.com IN A
Response:
  apps.bdimg.com IN CNAME apps.bdimg.jomodns.com
  apps.bdimg.jomodns.com IN A 61.170.103.49
  apps.bdimg.jomodns.com IN A 106.225.194.49
  apps.bdimg.jomodns.com IN A 113.142.207.49
  apps.bdimg.jomodns.com IN A 118.180.40.49
  apps.bdimg.jomodns.com IN A 120.41.32.49
  apps.bdimg.jomodns.com IN A 121.14.135.49
  apps.bdimg.jomodns.com IN A 125.74.1.49
  apps.bdimg.jomodns.com IN A 125.74.42.49
  apps.bdimg.jomodns.com IN A 220.169.152.49
  apps.bdimg.jomodns.com IN A 222.216.122.49
-
Remote address: 163.181.154.243:80
Request
GET /view/movie_poster_cover/lpst/public/p2432003703.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: img3.doubanio.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 54830
Connection: keep-alive
Date: Tue, 21 May 2024 20:27:25 GMT
Cache-Control: max-age=31536000
Expires: Wed, 21 May 2025 20:27:24 GMT
Access-Control-Allow-Origin: *
Last-Modified: Tue, 11 Aug 2020 11:17:38 GMT
X-DAE-App: evendim
X-DAE-Instance: direct
Ali-Swift-Global-Savetime: 1716323245
Via: cache12.l2de2[214,214,200-0,M], cache21.l2de2[216,0], ens-cache22.gb4[234,233,200-0,M], ens-cache13.gb4[235,0]
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Tue, 21 May 2024 20:27:25 GMT
X-Swift-CacheTime: 31104000
Timing-Allow-Origin: *
EagleId: a3b59aa117163232456563152e
-
Remote address: 163.181.154.239:80
Request
GET /large/87c01ec7gy1fnqouembn6j20cp01ot8n.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ww4.sinaimg.cn
Connection: Keep-Alive
Response
HTTP/1.1 403 Forbidden
Date: Tue, 21 May 2024 20:27:26 GMT
Content-Type: text/html
Content-Length: 238
Connection: keep-alive
X-UIDBLOCK-VERSION: 22086
x-ban: miss,22086
X-Via-CDN: f=aliyun,s=ens-cache16.gb4,c=191.101.209.39;
Access-Control-Allow-Credentials: true
Via: ens-cache16.gb4[,0]
Timing-Allow-Origin: *
EagleId: a3b59aa417163232461414940e
-
Remote address: 8.8.8.8:53
Request: bdimg.share.baidu.com IN A
Response:
  bdimg.share.baidu.com IN CNAME share.jomodns.com
  share.jomodns.com IN CNAME share.n.shifen.com
  share.n.shifen.com IN A 182.61.244.229
  share.n.shifen.com IN A 14.215.182.161
  share.n.shifen.com IN A 39.156.68.163
  share.n.shifen.com IN A 112.34.113.148
  share.n.shifen.com IN A 163.177.17.97
  share.n.shifen.com IN A 180.101.212.103
  share.n.shifen.com IN A 182.61.201.93
  share.n.shifen.com IN A 182.61.201.94

Remote address: 8.8.8.8:53
Request: push.zhanzhang.baidu.com IN A
Response:
  push.zhanzhang.baidu.com IN CNAME share.jomodns.com
  share.jomodns.com IN CNAME share.n.shifen.com
  share.n.shifen.com IN A 163.177.17.97
  share.n.shifen.com IN A 180.101.212.103
  share.n.shifen.com IN A 182.61.201.93
  share.n.shifen.com IN A 182.61.201.94
  share.n.shifen.com IN A 182.61.244.229
  share.n.shifen.com IN A 14.215.182.161
  share.n.shifen.com IN A 39.156.68.163
  share.n.shifen.com IN A 112.34.113.148
-
Connections (columns: remote address, URL, protocol, process, bytes sent / bytes received / packets sent / packets received). The remote address column of the rows marked "unknown" was lost in extraction; only their byte and packet counts survive.

163.181.154.243:80  http://img3.doubanio.com/view/movie_poster_cover/lpst/public/p2432003703.jpg  http  IEXPLORE.EXE  1.6kB / 58.7kB / 27 / 48
  HTTP Request: GET http://img3.doubanio.com/view/movie_poster_cover/lpst/public/p2432003703.jpg
  HTTP Response: 200

163.181.154.239:80  http://ww4.sinaimg.cn/large/87c01ec7gy1fnqouembn6j20cp01ot8n.jpg  http  IEXPLORE.EXE  580 B / 830 B / 6 / 5
  HTTP Request: GET http://ww4.sinaimg.cn/large/87c01ec7gy1fnqouembn6j20cp01ot8n.jpg
  HTTP Response: 403

unknown  466 B / 92 B / 10 / 2  (2 rows)
unknown  747 B / 7.6kB / 9 / 12
unknown  753 B / 7.7kB / 9 / 12
unknown  779 B / 7.6kB / 9 / 12
unknown  152 B sent in 3 packets, nothing received  (45 rows)
unknown  52 B sent in 1 packet, nothing received  (4 rows)
-
DNS  60 B / 299 B / 1 / 1
  DNS Request: ww4.sinaimg.cn
  DNS Response: 163.181.154.239, 163.181.154.242, 163.181.154.249, 163.181.154.240, 163.181.154.243, 163.181.154.244, 163.181.154.248, 163.181.154.241

DNS  122 B / 166 B / 2 / 2
  DNS Request: www.awfuli.com
  DNS Response: 38.53.11.2
  DNS Request: dns.msftncsi.com
  DNS Response: fd3e:4f5a:5b81::1

DNS  63 B / 235 B / 1 / 1
  DNS Request: img3.doubanio.com
  DNS Response: 163.181.154.243, 163.181.154.240, 163.181.154.248, 163.181.154.242, 163.181.154.241, 163.181.154.239, 163.181.154.249, 163.181.154.244

DNS  60 B / 253 B / 1 / 1
  DNS Request: apps.bdimg.com
  DNS Response: 61.170.103.49, 106.225.194.49, 113.142.207.49, 118.180.40.49, 120.41.32.49, 121.14.135.49, 125.74.1.49, 125.74.42.49, 220.169.152.49, 222.216.122.49

DNS  67 B / 252 B / 1 / 1
  DNS Request: bdimg.share.baidu.com
  DNS Response: 182.61.244.229, 14.215.182.161, 39.156.68.163, 112.34.113.148, 163.177.17.97, 180.101.212.103, 182.61.201.93, 182.61.201.94

DNS  70 B / 255 B / 1 / 1
  DNS Request: push.zhanzhang.baidu.com
  DNS Response: 163.177.17.97, 180.101.212.103, 182.61.201.93, 182.61.201.94, 182.61.244.229, 14.215.182.161, 39.156.68.163, 112.34.113.148
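The network section above is the part of this report worth turning into detection content, and the choice of what to extract matters. The domains the page queried are usable indicators; the resolved addresses mostly are not: 163.181.154.x belongs to the alikunlun.com CDN and share.n.shifen.com to Baidu's front ends, both of which serve many unrelated sites, so an IP match would mostly produce false positives. dns.msftncsi.com is the Windows network connectivity probe and is sandbox background noise rather than sample behaviour. The Python below is an added example, not part of the tria.ge report: it builds a domain watch-list from the DNS requests on this page (minus the NCSI probe) and runs it over constructed BIND-style and Squid-style log lines that are not from the report, matching a host either exactly or as a subdomain.

```python
"""Build a domain watch-list from the report's DNS requests and scan log lines with it.

Added example, not part of the tria.ge report. REPORT_DOMAINS and NOISE_DOMAINS
are taken from the DNS records above; SAMPLE_LOGS are constructed for this example.
"""
import re
from typing import Dict, List, Set

# Domains the sample resolved, copied from the report's DNS records.
REPORT_DOMAINS: Set[str] = {
    "ww4.sinaimg.cn",
    "www.awfuli.com",
    "img3.doubanio.com",
    "apps.bdimg.com",
    "bdimg.share.baidu.com",
    "push.zhanzhang.baidu.com",
}

# Also present in the capture, but generated by Windows itself (NCSI probe), not by the page.
NOISE_DOMAINS: Set[str] = {"dns.msftncsi.com"}


def build_watchlist(domains: Set[str], noise: Set[str]) -> Set[str]:
    """Normalise domains and drop known background noise. Resolved IPs are deliberately
    not included: the CDN addresses in this report are shared across many tenants."""
    return {d.lower().rstrip(".") for d in domains if d.lower().rstrip(".") not in noise}


# Pull host names out of the common places they appear in DNS, proxy and HTTP logs.
HOST_IN_LINE = re.compile(
    r"(?:query:|host=|Host: |https?://)\s*([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE
)


def match_line(line: str, watchlist: Set[str]) -> List[str]:
    """Return the watch-listed domains referenced by one log line (exact or subdomain match)."""
    hits = set()
    for host in HOST_IN_LINE.findall(line):
        host = host.lower().rstrip(".")
        for w in watchlist:
            if host == w or host.endswith("." + w):
                hits.add(w)
    return sorted(hits)


def scan(lines: List[str], watchlist: Set[str]) -> Dict[str, int]:
    """Count hits per watch-listed domain across all log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        for w in match_line(line, watchlist):
            counts[w] = counts.get(w, 0) + 1
    return counts


# Constructed log lines for the example (not from the report): one BIND query-log
# entry, two Squid access-log entries mirroring the two HTTP requests above, and
# one unrelated request that must not match.
SAMPLE_LOGS: List[str] = [
    "21-May-2024 20:27:24.101 queries: info: client 10.0.0.5#52133: query: img3.doubanio.com IN A +",
    "1716323245.312    230 10.0.0.5 TCP_MISS/200 54830 GET "
    "http://img3.doubanio.com/view/movie_poster_cover/lpst/public/p2432003703.jpg - HIER_DIRECT/163.181.154.243 image/jpeg",
    "1716323246.020     45 10.0.0.5 TCP_MISS/403 238 GET "
    "http://ww4.sinaimg.cn/large/87c01ec7gy1fnqouembn6j20cp01ot8n.jpg - HIER_DIRECT/163.181.154.239 text/html",
    "1716323247.500     12 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    watchlist = build_watchlist(REPORT_DOMAINS | NOISE_DOMAINS, NOISE_DOMAINS)
    print(scan(SAMPLE_LOGS, watchlist))  # {'img3.doubanio.com': 2, 'ww4.sinaimg.cn': 1}
```

Note that a hit on img3.doubanio.com or ww4.sinaimg.cn alone says only that a client loaded an image from a large public image host; the combination with www.awfuli.com and the Baidu share/push endpoints in one short window is what ties traffic back to this particular page.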
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
(the same file, captured nine times with different contents)

Filesize: 344B
MD5: 5290e6ce5626fc89af627d4ea8978594
SHA1: ffe5f3de5be7ec877fc5f254a98ddc6994a8334c
SHA256: c98e97a5b94a9912c050cbec92dfc242ae5f32346422c7313de5476fe5650ba6
SHA512: 8ff36e9e441c3be9849bcdce7dce4cd4defc1f2ff15fef5d249c39a3d3cc0f8a91a08841120302f7fd77c2abdc336d5138ac2c4f655bf5bfe95259b533822e96

Filesize: 344B
MD5: 38ccadc175c059a1383e9c2fc0fcd587
SHA1: d390327368013be6d6dde78010805f9a2daf2d9a
SHA256: 96b663313b0cd16587c66e45cba5a24b2e4be07ab0bec66dd71bb42dc91c37d4
SHA512: 8e7a7e10e2cbf84b815f3519deb85fb6b8e290b5f733a0dfbb9eb8623e927339a7bdba54717f256b41d2b36b3bfc0bef0ec31ab037b48996aa9c21d0f2e4a2d6

Filesize: 344B
MD5: 5739b0042120217907237dc707024ae9
SHA1: 1f2e31238ed49af4c8fcaaa2ad0d6a852e3acf9f
SHA256: cf1b2361d3c28439b731a664a4dd17395f1a7003926407f1dd74e1f32804eda1
SHA512: f8cee6a3803b5a2ae89f157faf90f92fbbd593ecd98556381e46bfd92132f5d373c0b69de24cef7b12bc192251c4030eac21934e13277de7f6cca88e7d102c2d

Filesize: 344B
MD5: 761857a732c07c71f7bae6231e4e35a2
SHA1: 1f53cc02e394c6854fa1efe2b260c1f19a8a30ef
SHA256: 9e5bece7ba94bf8891a9b4b82e46ff8ef5d39ca8c38fbc9ec7ac1849f4632883
SHA512: 8feb296823f748fe1cf1bb5f972457945d309c2627c3f4edc794b3604be4d4fd5b7dcaeb2e0edc15add8f114ed136f6260bf91295099c6d72f58b19e8ebdb657

Filesize: 344B
MD5: 6972eed8f8c1e163b749683307f46698
SHA1: 67c8daf4f5bb7b654eda89404f03594dd2321730
SHA256: 3996f414c8e8799af09ae64c97b10dfe28a235acb2f775f5a52d9107cf982d3e
SHA512: ede2c984a5e8ce58d35ae346d70291a4cdf2b14cdf61ed17ca819121b980430b27edb4d729c76da74fd50be0dbe8d1e117c068261142214500ddfb38036fe1e8

Filesize: 344B
MD5: 04329331b9d6e46c6db070a2d8f1b84e
SHA1: dfff13465943d7e066c027ce6e0784a762effb03
SHA256: 7f98d4891dcff2174819248b27deaa2dab225999dfaf1a1e3a8d7521624314f2
SHA512: d122b68f5484a7ea8a87756d52dafae987173b376ee0bc496f545f3e50c89c6faf696109e7e83fdce54302050c08c6e1803cf9609b4b20732d2234c975569347

Filesize: 344B
MD5: 27633e5684f01b40399c8e5fba3357d9
SHA1: 6c24f70e8ae926f0dad5755c3800ce00988aef4f
SHA256: 55907c6faa242499e214dc31c37d451a7f3f582b2da8f626328e7928c2047d5b
SHA512: d1cf22f2283b36f1cd61374b6d7b07fce7d8e68629129902559e43b3210985741b964aa8765f51fb8662cceb7c4c3444de188db3eafe8b4954fabd2086a98fbf

Filesize: 344B
MD5: 41e8f2fb9f69a6bc995a2c55c693db22
SHA1: 69a553ebd9fa17a8671cb52086947a3a61afd94a
SHA256: 8a495c1c8294a3b4326bed6dcc60d561eabdca74cfd72fe61342c5580c1e90ad
SHA512: 0b480990e1bb7ad4fd54e0f2762b2cc94fba8d74f8102871d823378cbd772e41488fa3defe51f117fd4a80bd473a329c205815e54851126002ab444925068bfb

Filesize: 344B
MD5: e1e91386613945da534970f834b89768
SHA1: d30482bf5a48ef1cdc018c57597991e94c9f736d
SHA256: 9adc9a4e39b59cc2419b81269137a04086fef3322df61fbac52f44001102024c
SHA512: 8a7d22c7e0ad251fa08beab086966ad43278f13fc343c4cfa12a3f65cf14c33834f43af2f1e9329f0b0782aee065a264008644454f96540c6d3778b6d1bfd0d3

(path not recorded)
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

(path not recorded)
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a