Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

2e4fe2331d...18.dll

windows7-x64

5

2e4fe2331d...18.dll

windows10-2004-x64

5

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 00:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll

  • Size

    51KB

  • MD5

    2e4fe2331d9f5fa9acb5465b974b8311

  • SHA1

    e2db75ae0c9158c52d843a8add21f2bb5d1b3fe2

  • SHA256

    1e9619009e4970251461923fca29fbe0891fa47185175dcb5b18c1d6749a1077

  • SHA512

    40db2b68ab8206219ce9fc8ee122f2b47087f96f4c924e663a03330eb7163c36d5e1f7c5d36ee5dc0f50d0e58fb3fd86ad2357a64509e3128e3647a060d6b0be

  • SSDEEP

    768:Vq/Wj6Q3HgmbYkJnQ0ErnvZhX1uBSzm9DUDYK18z2/Hvl2Fi2bWn8AaOcI6Hv:YWjD3Hgvkl+xcSzm9sYKZJSWn8AaDIM

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:3460

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2C398FDE80B7652C29539B69810C64BD; domain=.bing.com; expires=Sun, 03-Aug-2025 06:03:53 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 908E0AF6D2DC42D183D802E67ED052B7 Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
    date: Tue, 09 Jul 2024 06:03:53 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C398FDE80B7652C29539B69810C64BD
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=5cAF9qtEztdlRtDpzdHM_h0pNd5u3HFMCrucaIpvGOo; domain=.bing.com; expires=Sun, 03-Aug-2025 06:03:53 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 22E65E8B67BF458AB5C153916EA76B62 Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
    date: Tue, 09 Jul 2024 06:03:53 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C398FDE80B7652C29539B69810C64BD; MSPTC=5cAF9qtEztdlRtDpzdHM_h0pNd5u3HFMCrucaIpvGOo
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0978F0E32261486B837FBF683C80FFAD Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
    date: Tue, 09 Jul 2024 06:03:53 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147deploystaticakamaitechnologiescom
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3460-1-0x0000000001210000-0x0000000001215000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3460-0-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3460-2-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3460-3-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3460-4-0x0000000001210000-0x0000000001215000-memory.dmp

    Filesize

    20KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.