
Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240704-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/07/2024, 08:17 UTC

General

  • Target

    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe

  • Size

    5.6MB

  • MD5

    2b9e4c8b5459b6b32afe8232578e62c9

  • SHA1

    729cd17ddcdb3a25959402d232c4b57afc0a6205

  • SHA256

    a94be500bff41489e820128e5ae7cf0182cfb4008b96bae7aa84a7fc6bebd86f

  • SHA512

    bc5c73c5c88a57498c0ebf5f6ee752214c38679654ea6d0b0ce57801073942611c3032f7053b0b016988920c9794b92c33e021c94020fa01d480c41b2f81e342

  • SSDEEP

    98304:XQajqcRtCO5ngBBjXUlFNV0ccSL5CAfxsL8v8FGw/4hpfIpoZoaWBV8x4t44pUFn:pjxCYYq7959Z6HGrpQuqas8x4HpUnwh

Malware Config

Signatures

  • Panda Stealer payload 3 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the calling thread from delivering debug events to an attached debugger; a common anti-analysis technique.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs

    Enumerates the running processes, which malware commonly does to look for analysis tools or for target applications.
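
As an added illustration of what the VMProtect signature checks in its simplest form (this is example code, not tria.ge's detection logic and not part of the report): a minimal PE section-table parser that reports sections carrying VMProtect's default names .vmp0/.vmp1/.vmp2. The build_fake_pe helper fabricates a non-executable header layout so the check can be run offline; VMProtect lets the section names be changed, so an empty result does not prove a file is unpacked.

```python
"""Flag PE files whose section table carries VMProtect's default section names.

Added example, not part of the tria.ge report. VMProtect's default section
names are .vmp0/.vmp1 (some builds add .vmp2); because they can be renamed,
absence of the names does not prove the file is unpacked.
"""
import struct
import sys

VMP_SECTION_PREFIX = ".vmp"


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE file in raw (on-disk) layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER (20 bytes)
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                                 # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw_name = data[off:off + 8].split(b"\0", 1)[0]      # 8-byte, NUL-padded name
        names.append(raw_name.decode("ascii", "replace"))
    return names


def vmprotect_sections(data: bytes) -> list:
    """Section names matching VMProtect's defaults (empty list if none)."""
    return [n for n in pe_section_names(data) if n.lower().startswith(VMP_SECTION_PREFIX)]


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: a minimal, non-executable PE header layout."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE signature follows DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)                   # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 2, len(section_names))      # NumberOfSections
    struct.pack_into("<H", coff, 16, 0)                      # no optional header needed for the parser
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(32)     # name + zeroed remaining fields
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + bytes(coff) + sections


if __name__ == "__main__":
    # Usage: python vmp_sections.py <file.exe>; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_fake_pe([".text", ".vmp0", ".vmp1"])
    hits = vmprotect_sections(blob)
    print("VMProtect-style sections:", hits if hits else "none")
```

The parser deliberately reads only the fields it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader, the section names) so it also works on a header-only fragment such as the start of a memory dump, provided the dump begins at the image base.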

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1052
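
The "Reads user/profile data of web browsers" signature above is the behaviour a file-access detection would key on. The following is an added example, not tria.ge's signature and not code from the report: it flags any non-browser process opening the Chromium-family or Firefox credential/cookie stores. The event-line format, the browser allowlist and the sample events are constructed for the example; the store paths are the default Windows profile locations.

```python
"""Detect non-browser processes opening browser credential/cookie stores.

Added example, not tria.ge's signature logic. Event lines use a constructed
"pid/image/target" format standing in for file-open telemetry (Sysmon, EDR);
the store paths are the default Windows profile locations.
"""
import re
from collections import defaultdict

# Chromium family (Chrome, Edge, Brave ...): Login Data, Cookies and Web Data
# live under "<browser>\User Data\<Profile>\"; Local State holds the wrapped
# key that newer versions need to decrypt them.
CHROMIUM_STORES = re.compile(
    r"\\User Data\\(?:Local State|[^\\]+\\(?:Login Data|Web Data|Cookies|Network\\Cookies))$",
    re.IGNORECASE,
)
# Firefox: logins.json (encrypted logins), key4.db (the key), cookies.sqlite.
FIREFOX_STORES = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
# Processes expected to touch their own stores; everything else is suspect (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

EVENT_RE = re.compile(r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" target="(?P<target>[^"]+)"$')


def parse_event(line):
    """Parse one constructed event line; None for lines in another format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def is_browser_store(path):
    return bool(CHROMIUM_STORES.search(path) or FIREFOX_STORES.search(path))


def detect(lines):
    """Group sensitive-store accesses by non-browser process and return findings."""
    accesses = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_browser_store(ev["target"]):
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in BROWSER_IMAGES:
            continue                     # a browser reading its own profile is normal
        accesses[(ev["pid"], ev["image"])].append(ev["target"])
    findings = []
    for (pid, image), targets in accesses.items():
        families = sorted({"chromium" if CHROMIUM_STORES.search(t) else "firefox" for t in targets})
        findings.append({
            "pid": pid,
            "image": image,
            "targets": targets,
            "families": families,
            # Sweeping several stores (often across browser families) is the
            # typical infostealer pattern; a single access is a weaker signal.
            "severity": "high" if len(targets) >= 2 else "medium",
        })
    return findings


# Constructed sample telemetry (not from the report). The process name is the
# report's sample; the paths are default Windows profile locations.
SAMPLE_EVENTS = [
    r'2024-07-08T08:17:40Z pid=1052 image="C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe" target="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2024-07-08T08:17:40Z pid=1052 image="C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe" target="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2024-07-08T08:17:41Z pid=1052 image="C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe" target="C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9abcd.default-release\logins.json"',
    r'2024-07-08T08:17:42Z pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" target="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2024-07-08T08:17:43Z pid=1052 image="C:\Users\Admin\AppData\Local\Temp\2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe" target="C:\Users\Admin\AppData\Local\Temp\notes.txt"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']} -> {len(f['targets'])} browser store(s), families {f['families']}")
```

Matching on the store file names rather than on the full browser path keeps the rule valid across profile names and across Chromium forks that share the "User Data" layout; the allowlist is what keeps the rule quiet on the browsers' own reads, so it should be pinned to signed image paths in production rather than to bare file names.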

Network

  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
    260 B
    5
  • 111.90.146.182:2222
    2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe
  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
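
The Network section above is easier to triage once aggregated. The following added example (not tria.ge code) transcribes the records from this page into Python, groups the TCP connections by endpoint, flags repeated fixed-size connections, and converts the in-addr.arpa names back to the addresses they refer to. The PTR lookups carry no process attribution on this page (they are most likely the sandbox OS's own background resolution, which is an inference) and are kept apart from the sample's own connections; the eighth TCP record is cut off on the page and is left out.

```python
"""Aggregate the Network section of this report into reviewable IOCs.

Added example, not tria.ge code. The records below are transcribed from the
report: seven complete TCP records (an eighth is cut off on the page) and
eight reverse (PTR) lookups. Only the TCP records carry a process
attribution, so the PTR lookups are reported separately.
"""
from collections import defaultdict

SAMPLE = "2b9e4c8b5459b6b32afe8232578e62c9_JaffaCakes118.exe"

# (dst_ip, dst_port, process, bytes_sent, packets), as listed on the page
TCP_CONNECTIONS = [("111.90.146.182", 2222, SAMPLE, 260, 5)] * 7

# (query name, type, answers), as listed on the page
DNS_QUERIES = [
    ("75.159.190.20.in-addr.arpa", "PTR", []),
    ("240.221.184.93.in-addr.arpa", "PTR", []),
    ("55.36.223.20.in-addr.arpa", "PTR", []),
    ("157.123.68.40.in-addr.arpa", "PTR", []),
    ("18.31.95.13.in-addr.arpa", "PTR", []),
    ("172.210.232.199.in-addr.arpa", "PTR", []),
    ("81.144.22.2.in-addr.arpa", "PTR", ["a2-22-144-81.deploy.static.akamaitechnologies.com"]),
    ("29.243.111.52.in-addr.arpa", "PTR", []),
]


def ptr_to_ip(name):
    """Turn an in-addr.arpa name back into the dotted IPv4 address it describes."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError(f"not a reverse-lookup name: {name}")
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed in-addr.arpa name: {name}")
    return ".".join(reversed(octets))       # octets are stored least-significant first


def summarize(tcp, dns, min_repeats=3):
    """Group TCP records by endpoint and separate PTR lookups from name lookups."""
    per_endpoint = defaultdict(lambda: {"connections": 0, "bytes": 0, "packets": 0,
                                        "sizes": set(), "processes": set()})
    for ip, port, proc, nbytes, pkts in tcp:
        e = per_endpoint[(ip, port)]
        e["connections"] += 1
        e["bytes"] += nbytes
        e["packets"] += pkts
        e["sizes"].add(nbytes)
        e["processes"].add(proc)

    endpoints = []
    for (ip, port), e in sorted(per_endpoint.items()):
        endpoints.append({
            "dst": f"{ip}:{port}",
            "connections": e["connections"],
            "bytes": e["bytes"],
            "packets": e["packets"],
            "processes": sorted(e["processes"]),
            # Repeated connections of identical size are a beacon/retry pattern;
            # on its own that is a lead for the analyst, not proof of C2.
            "fixed_size_repeat": e["connections"] >= min_repeats and len(e["sizes"]) == 1,
        })

    reverse_lookups, name_lookups = [], []
    for qname, qtype, answers in dns:
        if qtype == "PTR" and qname.lower().endswith(".in-addr.arpa"):
            reverse_lookups.append({"ip": ptr_to_ip(qname), "answer": answers[0] if answers else None})
        else:
            name_lookups.append({"name": qname, "type": qtype, "answers": list(answers)})
    return {"endpoints": endpoints, "dns": name_lookups, "reverse_lookups": reverse_lookups}


if __name__ == "__main__":
    s = summarize(TCP_CONNECTIONS, DNS_QUERIES)
    for ep in s["endpoints"]:
        flag = " (fixed-size repeated connections)" if ep["fixed_size_repeat"] else ""
        print(f"{ep['dst']}  {ep['connections']} conn, {ep['bytes']} B, {ep['packets']} pkts{flag}")
    for r in s["reverse_lookups"]:
        print(f"PTR {r['ip']} -> {r['answer'] or 'no answer'}")
```

Run as-is it prints one endpoint, 111.90.146.182:2222, with seven 260-byte connections from the sample, and eight reverse lookups of which only the Akamai address answered. The sample-attributed endpoint is the item worth blocking or hunting on; the reverse-lookup addresses should be checked for ownership before they are treated as indicators.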

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1052-0-0x00000000005DA000-0x000000000091E000-memory.dmp

    Filesize

    3.3MB

  • memory/1052-3-0x0000000000560000-0x0000000000EC6000-memory.dmp

    Filesize

    9.4MB

  • memory/1052-2-0x0000000000530000-0x0000000000531000-memory.dmp

    Filesize

    4KB

  • memory/1052-1-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

  • memory/1052-6-0x0000000000560000-0x0000000000EC6000-memory.dmp

    Filesize

    9.4MB

  • memory/1052-33-0x00000000005DA000-0x000000000091E000-memory.dmp

    Filesize

    3.3MB

  • memory/1052-34-0x0000000000560000-0x0000000000EC6000-memory.dmp

    Filesize

    9.4MB
