Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

1

9604916c18...8.html

windows7-x64

1

9604916c18...8.html

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 19:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9604916c18b08cd09e4290641e7354be_JaffaCakes118.html

  • Size

    20KB

  • MD5

    9604916c18b08cd09e4290641e7354be

  • SHA1

    2874b95186f20a73dce6ad0969de1bb8aa5f40cd

  • SHA256

    a99cf6e079ce9a2e34485f07b31b74d4a57f7259999417dac0b193691865df88

  • SHA512

    4b3550b7cc5a2a58262c84bafa15a6c177ed63cc5f43ab85db2f0b731656191de4b5db50c1a578e62e02aa741ec184661dd1873f51cf977cf31e60124800e09a

  • SSDEEP

    384:Y6QFwS3JuTLVSfdx+E1YfqjpSa2AxFZLGQL9Mv:Y61S5uTLkCE1YfqjpS4xFZLGQL94

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9604916c18b08cd09e4290641e7354be_JaffaCakes118.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1ff746f8,0x7ffe1ff74708,0x7ffe1ff74718
      2⤵
        PID:2644
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        2⤵
          PID:1320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
          2⤵
            PID:5004
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
            2⤵
              PID:3820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
              2⤵
                PID:4520
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                2⤵
                  PID:3252
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3952
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
                  2⤵
                    PID:1696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
                    2⤵
                      PID:2464
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
                      2⤵
                        PID:748
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
                        2⤵
                          PID:1976
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12694182836887569903,2659268718224097327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2876
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4556
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:636

                          Network

                          • flag-us
                            DNS
                            104.219.191.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            104.219.191.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            reskrimsuspoldajatim.com
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            reskrimsuspoldajatim.com
                            IN A
                            Response
                          • flag-gb
                            GET
                            http://fonts.googleapis.com/css?family=Open+Sans
                            msedge.exe
                            Remote address:
                            216.58.204.74:80
                            Request
                            GET /css?family=Open+Sans HTTP/1.1
                            Host: fonts.googleapis.com
                            Connection: keep-alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                            DNT: 1
                            Accept: text/css,*/*;q=0.1
                            Accept-Encoding: gzip, deflate
                            Accept-Language: en-US,en;q=0.9
                            Response
                            HTTP/1.1 200 OK
                            Content-Type: text/css; charset=utf-8
                            Access-Control-Allow-Origin: *
                            Timing-Allow-Origin: *
                            Link: <http://fonts.gstatic.com>; rel=preconnect; crossorigin
                            Expires: Tue, 04 Jun 2024 19:35:39 GMT
                            Date: Tue, 04 Jun 2024 19:35:39 GMT
                            Cache-Control: private, max-age=86400, stale-while-revalidate=604800
                            Last-Modified: Tue, 04 Jun 2024 19:35:39 GMT
                            Cross-Origin-Resource-Policy: cross-origin
                            Cross-Origin-Opener-Policy: same-origin-allow-popups
                            Content-Encoding: gzip
                            Transfer-Encoding: chunked
                            Server: ESF
                            X-XSS-Protection: 0
                            X-Frame-Options: SAMEORIGIN
                            X-Content-Type-Options: nosniff
                          • flag-us
                            DNS
                            www.threadpaints.com
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            www.threadpaints.com
                            IN A
                            Response
                          • flag-us
                            DNS
                            172.210.232.199.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            172.210.232.199.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            74.204.58.216.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            74.204.58.216.in-addr.arpa
                            IN PTR
                            Response
                            74.204.58.216.in-addr.arpa
                            IN PTR
                            lhr25s13-in-f741e100net
                            74.204.58.216.in-addr.arpa
                            IN PTR
                            lhr25s13-in-f10�H
                            74.204.58.216.in-addr.arpa
                            IN PTR
                            lhr48s49-in-f10�H
                          • flag-us
                            DNS
                            95.221.229.192.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            95.221.229.192.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            99.201.58.216.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            99.201.58.216.in-addr.arpa
                            IN PTR
                            Response
                            99.201.58.216.in-addr.arpa
                            IN PTR
                            lhr48s48-in-f31e100net
                            99.201.58.216.in-addr.arpa
                            IN PTR
                            prg03s02-in-f3�G
                            99.201.58.216.in-addr.arpa
                            IN PTR
                            prg03s02-in-f99�G
                          • flag-us
                            DNS
                            228.249.119.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            228.249.119.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            13.86.106.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            13.86.106.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            183.142.211.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            183.142.211.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            183.59.114.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            183.59.114.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            171.39.242.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            171.39.242.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            13.227.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            13.227.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • 216.58.204.74:80
                            http://fonts.googleapis.com/css?family=Open+Sans
                            http
                            msedge.exe
                            704 B
                             2.5kB
                             8
                            8

                            HTTP Request

                            GET http://fonts.googleapis.com/css?family=Open+Sans

                            HTTP Response

                            200
                          • 216.58.201.99:80
                            fonts.gstatic.com
                            msedge.exe
                            236 B
                             208 B
                             5
                            4
                          • 8.8.8.8:53
                            104.219.191.52.in-addr.arpa
                            dns
                            73 B
                             147 B
                             1
                            1

                            DNS Request

                            104.219.191.52.in-addr.arpa

                          • 8.8.8.8:53
                            reskrimsuspoldajatim.com
                            dns
                            msedge.exe
                            70 B
                             143 B
                             1
                            1

                            DNS Request

                            reskrimsuspoldajatim.com

                          • 8.8.8.8:53
                            www.threadpaints.com
                            dns
                            msedge.exe
                            66 B
                             139 B
                             1
                            1

                            DNS Request

                            www.threadpaints.com

                          • 8.8.8.8:53
                            172.210.232.199.in-addr.arpa
                            dns
                            74 B
                             128 B
                             1
                            1

                            DNS Request

                            172.210.232.199.in-addr.arpa

                          • 8.8.8.8:53
                            68.159.190.20.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            68.159.190.20.in-addr.arpa

                          • 8.8.8.8:53
                            74.204.58.216.in-addr.arpa
                            dns
                            72 B
                             171 B
                             1
                            1

                            DNS Request

                            74.204.58.216.in-addr.arpa

                          • 8.8.8.8:53
                            95.221.229.192.in-addr.arpa
                            dns
                            73 B
                             144 B
                             1
                            1

                            DNS Request

                            95.221.229.192.in-addr.arpa

                          • 8.8.8.8:53
                            99.201.58.216.in-addr.arpa
                            dns
                            72 B
                             169 B
                             1
                            1

                            DNS Request

                            99.201.58.216.in-addr.arpa

                          • 8.8.8.8:53
                            228.249.119.40.in-addr.arpa
                            dns
                            73 B
                             159 B
                             1
                            1

                            DNS Request

                            228.249.119.40.in-addr.arpa

                          • 224.0.0.251:5353
                            584 B
                             9
                          • 8.8.8.8:53
                            13.86.106.20.in-addr.arpa
                            dns
                            71 B
                             157 B
                             1
                            1

                            DNS Request

                            13.86.106.20.in-addr.arpa

                          • 8.8.8.8:53
                            183.142.211.20.in-addr.arpa
                            dns
                            73 B
                             159 B
                             1
                            1

                            DNS Request

                            183.142.211.20.in-addr.arpa

                          • 8.8.8.8:53
                            183.59.114.20.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            183.59.114.20.in-addr.arpa

                          • 8.8.8.8:53
                            171.39.242.20.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            171.39.242.20.in-addr.arpa

                          • 8.8.8.8:53
                            13.227.111.52.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            13.227.111.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            537815e7cc5c694912ac0308147852e4

                            SHA1

                            2ccdd9d9dc637db5462fe8119c0df261146c363c

                            SHA256

                            b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

                            SHA512

                            63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            8b167567021ccb1a9fdf073fa9112ef0

                            SHA1

                            3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

                            SHA256

                            26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

                            SHA512

                            726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            7cd1ab852cdaaa986b205a1950817868

                            SHA1

                            4af7836794c0a1bace0f6d72246612799b773b59

                            SHA256

                            9cce2a440b656403d3ca2c7b08a5a485578840142ed8f72b38c44b5f9ce92b98

                            SHA512

                            80ddc734e7a654de6b83a3eb01359637c7689e63a23591f68596e767e552beabc4bc2fb30b76a82a4eb25ea1920aac67ef1c510167d174f3527425a858de3d73

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            02b0cb7201e307f9071c3e4414bfd8a8

                            SHA1

                            7b634f6bb92a81b8263643cb247ea5ce197f594a

                            SHA256

                            7e2e1f320a9ed0408144038f54650ad0b04cf9ace41fae8f800f234602c5c8ab

                            SHA512

                            c449d92acb62f021c5dcc617f96f51ab5a47206343785b63dc097983cdccfb743a95b83adf3a5c60d960859ce9bff20a3443dfaebd826825e48d5e61fb203b16

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            10KB

                            MD5

                            891f1ea3dbec12345ff27a6a5c0ac126

                            SHA1

                            5e82eb7b69978c85632b16e78bed71d3db5ee4aa

                            SHA256

                            8644c2e07a3be766828c9178454f8c3707e1661fea30a5e5cfba46a166fcd510

                            SHA512

                            5c8a5201abd17d28c1eb4467ddefe1b9abc1685e33f9ae4f32dd5fb429190c17f0519e9eb48415e3395de210bfda26664b8780655efee06402646e38144f116e

                            Download Submit

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.