
Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/07/2024, 14:43 UTC

General

  • Target

    2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll

  • Size

    120KB

  • MD5

    2cbbaa1731999087c182c1630f07ae92

  • SHA1

    5b4ec12f8f9dd8161e641941732606e545685d2f

  • SHA256

    f50cd03a06c4f359eb5d3f88b1c56a601d410e79557f9fd3e168806d7561b4b1

  • SHA512

    f6708b4ea75f8ee83f14fa7ae353eb7c8a88c056694239b66c251fe414f7954dfe10c6ca8c2cb204b74b314077352c2702a654dd4be53458de02c8ff1499909d

  • SSDEEP

    3072:jcNoX9Zfcq6NDl9I3Xy7j8OSXt3QzEjXOnpMbC0w1c3Pwg4u:ImX7Eq+A3GopQzEjYOq18/4u

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 1128, depth 1)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 1488, depth 2, child of PID 1128)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll,#1
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3608, depth 1, not a child of either rundll32)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4048,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
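The tree above is the normal shape of rundll32 hosting a 32-bit DLL on 64-bit Windows: the System32 rundll32 (PID 1128) finds an x86 image and re-launches its SysWOW64 twin (PID 1488) with the same command line, and the WriteProcessMemory IoCs on the parent are consistent with that process creation rather than with injection into a third party. The two traits that do matter for triage are that the DLL is loaded from the user's Temp directory and that its export is called by ordinal (#1). The following is an added example, not part of the tria.ge report, of detection logic that flags those traits over process-creation events; the events are constructed from the tree above, with the parent PIDs of the two root processes assumed.

```python
import re

# Constructed process-creation events modelled on the tree in this report.
# PIDs, images and command lines are taken from the page; ppid 900 and 2200
# for the two root processes are assumed (the page does not show them).
EVENTS = [
    {"pid": 1128, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll,#1"},
    {"pid": 1488, "ppid": 1128,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll,#1"},
    {"pid": 3608, "ppid": 2200,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

# rundll32 syntax: rundll32.exe <dll>,<EntryPoint>  where <EntryPoint> may be a
# name or an ordinal written as #N. Quotes around the DLL path are optional.
RUNDLL_ARG = re.compile(
    r"""rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)""", re.I)

# Paths a standard user can write to; a DLL loaded from here is worth a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)


def parse_rundll32(cmd):
    """Return (dll_path, entry) for a rundll32 command line, or None."""
    m = RUNDLL_ARG.search(cmd)
    return (m.group("dll"), m.group("entry")) if m else None


def analyse(events):
    """Return (pid, description, detail) findings for rundll32 activity."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parsed = parse_rundll32(e["cmd"])
        if parsed is None:
            continue
        dll, entry = parsed
        if USER_WRITABLE.search(dll):
            findings.append((e["pid"], "rundll32 loading DLL from user-writable path", dll))
        if entry.startswith("#"):
            findings.append((e["pid"], "export called by ordinal", entry))
        # 64-bit rundll32 re-spawning SysWOW64\rundll32.exe with the same
        # DLL and entry point means the DLL is an x86 image: noise for
        # detection, but it tells you which process to dump.
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and e["image"].lower().endswith(r"\syswow64\rundll32.exe")
                and parse_rundll32(parent["cmd"]) == parsed):
            findings.append((e["pid"], "WOW64 re-launch of 32-bit DLL by 64-bit rundll32",
                             f"parent pid {parent['pid']}"))
    return findings


if __name__ == "__main__":
    for pid, what, detail in analyse(EVENTS):
        print(f"pid {pid}: {what}: {detail}")
```

The same three checks translate directly into a process-creation rule (Sysmon event 1 or 4688 with command-line auditing): image ends in rundll32.exe, command line contains a comma followed by `#`, and the DLL argument matches a user-writable path.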

      Network

      (Every HTTP request below carries the WindowsShellClient user-agent and hits Bing ad-impression endpoints: this is Windows 10 background traffic from the analysis image, not activity attributable to the DLL. The reverse lookups return only Google, Microsoft and Akamai infrastructure names.)

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
        Remote address:
        13.107.21.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=2BF868B9E9C1676938017C0FE87A6638; domain=.bing.com; expires=Sat, 02-Aug-2025 23:05:09 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 4651BBE76DF246398B570062980E686D Ref B: LON04EDGE0819 Ref C: 2024-07-08T23:05:09Z
        date: Mon, 08 Jul 2024 23:05:09 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
        Remote address:
        13.107.21.237:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=2BF868B9E9C1676938017C0FE87A6638
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=eaUWocuAM4qsCrXmfSSwkwUaU6fp_-IOMGwWW4z39Ck; domain=.bing.com; expires=Sat, 02-Aug-2025 23:05:09 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 6D82DD6D8D7D46ABACFBA85BA890B05C Ref B: LON04EDGE0819 Ref C: 2024-07-08T23:05:09Z
        date: Mon, 08 Jul 2024 23:05:09 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
        Remote address:
        13.107.21.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ba9a766ac5554ca38598dc1386e3b404&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=2BF868B9E9C1676938017C0FE87A6638; MSPTC=eaUWocuAM4qsCrXmfSSwkwUaU6fp_-IOMGwWW4z39Ck
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 33810ED83C6845DF895573033E23BD37 Ref B: LON04EDGE0819 Ref C: 2024-07-08T23:05:09Z
        date: Mon, 08 Jul 2024 23:05:09 GMT
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        133.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        237.21.107.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.21.107.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        25.140.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        25.140.123.92.in-addr.arpa
        IN PTR
        Response
        25.140.123.92.in-addr.arpa
        IN PTR
        a92-123-140-25.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        73.190.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.190.18.2.in-addr.arpa
        IN PTR
        Response
        73.190.18.2.in-addr.arpa
        IN PTR
        a2-18-190-73.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        30.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        30.243.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        169.117.168.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        169.117.168.52.in-addr.arpa
        IN PTR
        Response
      Connection summary

      Destination        Request                          Protocol    Sent   Received  Packets (sent/recv)  Result
      13.107.21.237:443  g.bing.com /neg/0 (3 x GET)      tls, http2  2.0kB  9.3kB     21 / 19              all HTTP 204 (full requests listed above)
      8.8.8.8:53         g.bing.com A                     dns         56 B   151 B     1 / 1                13.107.21.237, 204.79.197.237
      8.8.8.8:53         8.8.8.8.in-addr.arpa PTR         dns         66 B   90 B      1 / 1                dns.google
      8.8.8.8:53         133.32.126.40.in-addr.arpa PTR   dns         72 B   158 B     1 / 1                no PTR answer
      8.8.8.8:53         237.21.107.13.in-addr.arpa PTR   dns         72 B   158 B     1 / 1                no PTR answer
      8.8.8.8:53         25.140.123.92.in-addr.arpa PTR   dns         72 B   137 B     1 / 1                a92-123-140-25.deploy.static.akamaitechnologies.com
      8.8.8.8:53         240.221.184.93.in-addr.arpa PTR  dns         73 B   144 B     1 / 1                no PTR answer
      8.8.8.8:53         50.23.12.20.in-addr.arpa PTR     dns         70 B   156 B     1 / 1                no PTR answer
      8.8.8.8:53         171.39.242.20.in-addr.arpa PTR   dns         72 B   158 B     1 / 1                no PTR answer
      8.8.8.8:53         73.190.18.2.in-addr.arpa PTR     dns         70 B   133 B     1 / 1                a2-18-190-73.deploy.static.akamaitechnologies.com
      8.8.8.8:53         30.243.111.52.in-addr.arpa PTR   dns         72 B   158 B     1 / 1                no PTR answer
      8.8.8.8:53         169.117.168.52.in-addr.arpa PTR  dns         73 B   147 B     1 / 1                no PTR answer

      MITRE ATT&CK Matrix


      Downloads

      • memory/1488-0-0x0000000000C20000-0x0000000000C2B000-memory.dmp

        Filesize

        44KB

      • memory/1488-2-0x0000000010000000-0x000000001000A000-memory.dmp

        Filesize

        40KB

      • memory/1488-7-0x0000000000C20000-0x0000000000C2B000-memory.dmp

        Filesize

        44KB
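All three dumps come from PID 1488, the SysWOW64 rundll32. The second one spans 0x10000000-0x1000A000 (40KB), which is the DLL image itself mapped at 0x10000000, the linker's default base for 32-bit DLLs. A DLL landing exactly on its preferred base on Windows 10 is consistent with the image lacking the DYNAMICBASE flag, although the report does not state that. The following added example (not part of the tria.ge report) parses PE headers to get the three facts a practitioner would confirm on the sample itself: the machine type (hence which rundll32 hosts it), the preferred ImageBase and SizeOfImage (hence the dump range to expect), and the DllCharacteristics mitigation flags. The byte strings it parses are constructed minimal headers, not the sample; `inspect_file()` runs the same parser over a real file.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def build_minimal_pe(machine, image_base, size_of_image, dll_characteristics):
    """Constructed test input: DOS header + PE signature + COFF + optional
    header, no sections. Enough for parse_pe_headers(); not a loadable image."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    pe32 = machine == IMAGE_FILE_MACHINE_I386
    opt_size = 224 if pe32 else 240
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002 | IMAGE_FILE_DLL)
    if pe32:   # PE32: ImageBase is a DWORD at offset 28, after BaseOfData
        head = struct.pack("<HBB9I", 0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000,
                           image_base, 0x1000, 0x200)
    else:      # PE32+: ImageBase is a QWORD at offset 24, no BaseOfData
        head = struct.pack("<HBB5IQ2I", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000,
                           image_base, 0x1000, 0x200)
    # OS/image/subsystem versions, Win32VersionValue, SizeOfImage, SizeOfHeaders,
    # CheckSum, Subsystem, DllCharacteristics (offset 70 in both formats)
    tail = struct.pack("<6H4I2H", 6, 0, 0, 0, 6, 0, 0, size_of_image, 0x400, 0, 2,
                       dll_characteristics)
    return dos + b"PE\0\0" + coff + (head + tail).ljust(opt_size, b"\0")


def parse_pe_headers(data):
    """Pull machine type, preferred base, image size and mitigation flags
    from the COFF and optional headers of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "size_of_image": size_of_image,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def expected_rundll32_host(info):
    """On 64-bit Windows, System32\\rundll32.exe hands an x86 DLL to its SysWOW64 twin."""
    if info["machine"] == "x86":
        return r"C:\Windows\SysWOW64\rundll32.exe"
    return r"C:\Windows\System32\rundll32.exe"


def expected_mapping(info):
    """Address range a memory dump should cover; None when ASLR will move it."""
    if info["dynamic_base"]:
        return None
    return (info["image_base"], info["image_base"] + info["size_of_image"])


def inspect_file(path):
    with open(path, "rb") as f:
        return parse_pe_headers(f.read())


# Constructed stand-ins: an x86 DLL with the values this report's dump range
# implies (base 0x10000000, 0xA000 = 40KB image, no DYNAMICBASE), and an x64
# DLL built with ASLR/DEP/high-entropy for contrast. Neither is the sample.
SAMPLE_X86_DLL_HEADERS = build_minimal_pe(IMAGE_FILE_MACHINE_I386, 0x10000000, 0xA000, 0)
SAMPLE_X64_DLL_HEADERS = build_minimal_pe(
    IMAGE_FILE_MACHINE_AMD64, 0x180000000, 0x1C000,
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)

if __name__ == "__main__":
    import sys
    info = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else parse_pe_headers(SAMPLE_X86_DLL_HEADERS)
    print(info)
    print("rundll32 host:", expected_rundll32_host(info))
    rng = expected_mapping(info)
    print("expected dump range:", f"{rng[0]:#x}-{rng[1]:#x}" if rng else "randomised (ASLR)")
```

Run it as `python pecheck.py 2cbbaa1731999087c182c1630f07ae92_JaffaCakes118.dll` against the sample to confirm the inference; if DYNAMICBASE turns out to be set, the fixed 0x10000000 mapping has another explanation and the check has done its job either way.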
