Analysis

  • max time kernel
    122s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 17:35 UTC

General

  • Target

    8152cac14bc11bd6c1b8a96815210daf_JaffaCakes118.exe

  • Size

    608KB

  • MD5

    8152cac14bc11bd6c1b8a96815210daf

  • SHA1

    d724292b5cf0cfc479f06f8fa61bfd78cab782b2

  • SHA256

    8776a4ee8b6b13af9c666e4f6e55c7d970cb72d2f507f4fa6781fe7b94d390a3

  • SHA512

    9531a28c23a1b94c178f9cc226c6d5530efcc8b17708fd27395f4388a36de5abcc822c065df2b06a7fecc9c7628c6bfa8d15fb507904da96f4c888a5546c7d90

  • SSDEEP

    12288:pfU49eLWDQqXTqQJl6odMYQ1Y6kOxn5ItLHyApwzutsXC8WozrZCfojqHO7FgxNM:pfPkLWQqXDoA6kOx3y8WwZCfojcOmxD

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    divi@accauto.co
  • Password:
    7213575aceACE$

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8152cac14bc11bd6c1b8a96815210daf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8152cac14bc11bd6c1b8a96815210daf_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\8152cac14bc11bd6c1b8a96815210daf_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1288
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4940

Network

  • DNS
    98.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.56.20.217.in-addr.arpa
    IN PTR
    Response
  • DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    whatismyipaddress.com
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyipaddress.com
    IN A
    Response
    whatismyipaddress.com
    IN A
    104.19.223.79
    whatismyipaddress.com
    IN A
    104.19.222.79
  • GET
    http://whatismyipaddress.com/
    RegAsm.exe
    Remote address:
    104.19.223.79:80
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 29 May 2024 17:35:20 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 29 May 2024 18:35:20 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=b1GChsk_nHFNyXmAitqTRHJq.wSLJaVg4Ik68g7B0YU-1717004120-1.0.1.1-pc1IBSCa7zh9AkjtbyGrQYWAs_srNVneZCCC1Njj2GzDMkStiSrmyzunS3zPqok3TUsxDV7zGjR1OMBuyYebpg; path=/; expires=Wed, 29-May-24 18:05:20 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 88b83d8bbf9877ab-LHR
    alt-svc: h3=":443"; ma=86400
  • GET
    https://whatismyipaddress.com/
    RegAsm.exe
    Remote address:
    104.19.223.79:443
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 29 May 2024 17:35:21 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15247
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Content-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: TgkUZGqif+Gpcbx9dKu4vzATs3kjxSWFylR8cKLFLD8EUV2PQLXhmXTmj6M32qexDTRG/jfvtSXww4oM2QxcAFjMort54IOXf+HLMl9Mm4EJIqGZSSQK9MXAb7tyzOmll3gYezfFy3ky100B+p/ldg==$pdkm/cfRz5UWZ4Y0FYkLPQ==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cf_bm=fQSTaW25yP7qtvY1h9kPswF_cpqtmS7DoKvJperfjC0-1717004121-1.0.1.1-PbTr.qc8YWB186QzF2JUIQ86cIfPvc8jg87nrlPTF7bWKEqiZt.vu7Vncx7wK3zvT4Og8pYJEjZgxMStBwKnig; path=/; expires=Wed, 29-May-24 18:05:21 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 88b83d8d29854133-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    us2.smtp.mailhostbox.com
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    us2.smtp.mailhostbox.com
    IN A
    Response
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.225
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.223
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.224
    us2.smtp.mailhostbox.com
    IN A
    208.91.198.143
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    79.223.19.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.223.19.104.in-addr.arpa
    IN PTR
    Response
  • DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    225.199.91.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.199.91.208.in-addr.arpa
    IN PTR
    Response
    225.199.91.208.in-addr.arpa
    IN PTR
    208-91-199-225.unifiedlayer.com
  • DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    249.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    249.197.17.2.in-addr.arpa
    IN PTR
    Response
    249.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-249.deploy.static.akamaitechnologies.com
  • DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240.deploy.static.akamaitechnologies.com
  • 104.19.223.79:80
    http://whatismyipaddress.com/
    http
    RegAsm.exe
    347 B
    928 B
    6
    4

    HTTP Request

    GET http://whatismyipaddress.com/

    HTTP Response

    301
  • 104.19.223.79:443
    https://whatismyipaddress.com/
    tls, http
    RegAsm.exe
    1.1kB
    23.2kB
    17
    24

    HTTP Request

    GET https://whatismyipaddress.com/

    HTTP Response

    403
  • 208.91.199.225:587
    us2.smtp.mailhostbox.com
    smtp
    RegAsm.exe
    614 B
    935 B
    11
    12
  • 208.91.199.225:587
    us2.smtp.mailhostbox.com
    smtp
    RegAsm.exe
    516 B
    845 B
    9
    11
  • 8.8.8.8:53
    98.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    98.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    whatismyipaddress.com
    dns
    RegAsm.exe
    67 B
    99 B
    1
    1

    DNS Request

    whatismyipaddress.com

    DNS Response

    104.19.223.79
    104.19.222.79

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    us2.smtp.mailhostbox.com
    dns
    RegAsm.exe
    70 B
    134 B
    1
    1

    DNS Request

    us2.smtp.mailhostbox.com

    DNS Response

    208.91.199.225
    208.91.199.223
    208.91.199.224
    208.91.198.143

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    79.223.19.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    79.223.19.104.in-addr.arpa

  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    225.199.91.208.in-addr.arpa
    dns
    73 B
    118 B
    1
    1

    DNS Request

    225.199.91.208.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    249.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    249.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • memory/548-0-0x0000000000650000-0x00000000006EE000-memory.dmp

    Filesize

    632KB

  • memory/548-1-0x0000000000664000-0x000000000066A000-memory.dmp

    Filesize

    24KB

  • memory/548-4-0x0000000000664000-0x000000000066A000-memory.dmp

    Filesize

    24KB

  • memory/548-3-0x0000000000650000-0x00000000006EE000-memory.dmp

    Filesize

    632KB

  • memory/1288-14-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1288-15-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1288-16-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3248-6-0x00000000050C0000-0x0000000005664000-memory.dmp

    Filesize

    5.6MB

  • memory/3248-9-0x0000000004D00000-0x0000000004D56000-memory.dmp

    Filesize

    344KB

  • memory/3248-12-0x0000000006230000-0x0000000006296000-memory.dmp

    Filesize

    408KB

  • memory/3248-13-0x0000000006400000-0x0000000006408000-memory.dmp

    Filesize

    32KB

  • memory/3248-5-0x00000000049B0000-0x0000000004A4C000-memory.dmp

    Filesize

    624KB

  • memory/3248-8-0x0000000004A90000-0x0000000004A9A000-memory.dmp

    Filesize

    40KB

  • memory/3248-7-0x0000000004B10000-0x0000000004BA2000-memory.dmp

    Filesize

    584KB

  • memory/3248-2-0x0000000000170000-0x00000000001F4000-memory.dmp

    Filesize

    528KB

  • memory/4940-17-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4940-18-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4940-25-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB