Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
08/07/2024, 01:30 UTC
General
-
Target
2a820d6c1f534eaaeb806493418616c1_JaffaCakes118.exe
-
Size
204KB
-
MD5
2a820d6c1f534eaaeb806493418616c1
-
SHA1
144c5b1ef5dbf5cd88c83b580924deb872c8407e
-
SHA256
362170e04bd4e9093f37eabd6ce56c118f7692ce66c0d9c07e8fd19570f56cdc
-
SHA512
df28a9eccb64b847328038b4ba9ab723fed6bf928e661ce5e0595d58ebaf92518f05a667c4f581c1c40fde3ff9c680e40f03c3c02ae018f6bf06f7e97ab5b7c7
-
SSDEEP
1536:xXz230zZ3NMsOfXu7Ke9TG4yMSmcUk6lCbQvmSTpJwuqCNQR6nkX5SADkPY+Gdt1:Ry30ZTTG4yMZc9pJSTp63ZXB
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 51 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a820d6c1f534eaaeb806493418616c1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2a820d6c1f534eaaeb806493418616c1_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\jiuiqi.exe"C:\Users\Admin\jiuiqi.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Network
-
DNSg.bing.comRemote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A13.107.21.237dual-a-0034.a-msedge.netIN A204.79.197.237 -
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0320E235293E6A962E1EF68328DE6B2E; domain=.bing.com; expires=Sat, 02-Aug-2025 06:11:14 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B509BFD2F6494F88ADCF8D53E7FCE899 Ref B: LON04EDGE1210 Ref C: 2024-07-08T06:11:14Z
date: Mon, 08 Jul 2024 06:11:13 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0320E235293E6A962E1EF68328DE6B2E
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=cfg-8SiOB-JPkBTyQasANq7x2pynGr66fyqKD1NrboM; domain=.bing.com; expires=Sat, 02-Aug-2025 06:11:14 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AEF0B603E2CA44CD85E497934C5BD2C9 Ref B: LON04EDGE1210 Ref C: 2024-07-08T06:11:14Z
date: Mon, 08 Jul 2024 06:11:14 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0320E235293E6A962E1EF68328DE6B2E; MSPTC=cfg-8SiOB-JPkBTyQasANq7x2pynGr66fyqKD1NrboM
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 54558A9A737B46E0BB3DD9DA7EB77792 Ref B: LON04EDGE1210 Ref C: 2024-07-08T06:11:14Z
date: Mon, 08 Jul 2024 06:11:14 GMT
-
DNS101.58.20.217.in-addr.arpaRemote address:8.8.8.8:53Request101.58.20.217.in-addr.arpaIN PTRResponse
-
DNS4.159.190.20.in-addr.arpaRemote address:8.8.8.8:53Request4.159.190.20.in-addr.arpaIN PTRResponse
-
DNS237.21.107.13.in-addr.arpaRemote address:8.8.8.8:53Request237.21.107.13.in-addr.arpaIN PTRResponse
-
DNSns1.player1253.comRemote address:8.8.8.8:53Requestns1.player1253.comIN AResponse
-
DNSns1.videoall.netRemote address:8.8.8.8:53Requestns1.videoall.netIN AResponse
-
DNSns1.videoall.netRemote address:8.8.8.8:53Requestns1.videoall.netIN A
-
DNSns1.mediashares.orgRemote address:8.8.8.8:53Requestns1.mediashares.orgIN AResponsens1.mediashares.orgIN A107.178.223.183ns1.mediashares.orgIN A104.155.138.21
-
DNS88.156.103.20.in-addr.arpaRemote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
DNS103.169.127.40.in-addr.arpaRemote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
DNS103.169.127.40.in-addr.arpaRemote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
DNS103.169.127.40.in-addr.arpaRemote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
DNS206.23.85.13.in-addr.arpaRemote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
DNS172.214.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
DNS172.214.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTR
-
DNS44.56.20.217.in-addr.arpaRemote address:8.8.8.8:53Request44.56.20.217.in-addr.arpaIN PTRResponse
-
DNS172.210.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
DNS11.179.89.13.in-addr.arpaRemote address:8.8.8.8:53Request11.179.89.13.in-addr.arpaIN PTRResponse
-
13.107.21.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=tls, http2
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4668098b9197447c80023f821095ca96&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=HTTP Response
204
-
8.8.8.8:53g.bing.comdns
DNS Request
g.bing.com
DNS Response
13.107.21.237204.79.197.237
-
8.8.8.8:53101.58.20.217.in-addr.arpadns
DNS Request
101.58.20.217.in-addr.arpa
-
8.8.8.8:534.159.190.20.in-addr.arpadns
DNS Request
4.159.190.20.in-addr.arpa
-
8.8.8.8:53237.21.107.13.in-addr.arpadns
DNS Request
237.21.107.13.in-addr.arpa
-
8.8.8.8:53ns1.player1253.comdns
DNS Request
ns1.player1253.com
-
8.8.8.8:53ns1.videoall.netdns
DNS Request
ns1.videoall.net
DNS Request
ns1.videoall.net
-
8.8.8.8:53ns1.mediashares.orgdns
DNS Request
ns1.mediashares.org
DNS Response
107.178.223.183104.155.138.21
-
8.8.8.8:5388.156.103.20.in-addr.arpadns
DNS Request
88.156.103.20.in-addr.arpa
-
8.8.8.8:53103.169.127.40.in-addr.arpadns
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
-
8.8.8.8:53206.23.85.13.in-addr.arpadns
DNS Request
206.23.85.13.in-addr.arpa
-
8.8.8.8:53172.214.232.199.in-addr.arpadns
DNS Request
172.214.232.199.in-addr.arpa
DNS Request
172.214.232.199.in-addr.arpa
-
8.8.8.8:5344.56.20.217.in-addr.arpadns
DNS Request
44.56.20.217.in-addr.arpa
-
8.8.8.8:53172.210.232.199.in-addr.arpadns
DNS Request
172.210.232.199.in-addr.arpa
-
8.8.8.8:5311.179.89.13.in-addr.arpadns
DNS Request
11.179.89.13.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD500862d9b1001a9f036b4546c75160ce9
SHA10015bd1fd7c382f77ede2179c4a98dbe4fd98116
SHA2560bc8967da7e873be233ababdf046023dfe8fc7a49a4f8d094cf31ad29831c826
SHA51289beb0f1d5523ce87ab49ffad5de7b841aa43a99e1d403ae0bdf51eb899541482aa6994b39b129785d8c18e19f699fba3df84426a7c628a1e7cdc8438483ce20