Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 00:06 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll
Resource
win10v2004-20240704-en
General
-
Target
2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll
-
Size
51KB
-
MD5
2e4fe2331d9f5fa9acb5465b974b8311
-
SHA1
e2db75ae0c9158c52d843a8add21f2bb5d1b3fe2
-
SHA256
1e9619009e4970251461923fca29fbe0891fa47185175dcb5b18c1d6749a1077
-
SHA512
40db2b68ab8206219ce9fc8ee122f2b47087f96f4c924e663a03330eb7163c36d5e1f7c5d36ee5dc0f50d0e58fb3fd86ad2357a64509e3128e3647a060d6b0be
-
SSDEEP
768:Vq/Wj6Q3HgmbYkJnQ0ErnvZhX1uBSzm9DUDYK18z2/Hvl2Fi2bWn8AaOcI6Hv:YWjD3Hgvkl+xcSzm9sYKZJSWn8AaDIM
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\gopakibi.dll rundll32.exe File opened for modification C:\Windows\SysWOW64\botejora rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3460 rundll32.exe 3460 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3876 wrote to memory of 3460 3876 rundll32.exe 82 PID 3876 wrote to memory of 3460 3876 rundll32.exe 82 PID 3876 wrote to memory of 3460 3876 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2e4fe2331d9f5fa9acb5465b974b8311_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3460
-
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2C398FDE80B7652C29539B69810C64BD; domain=.bing.com; expires=Sun, 03-Aug-2025 06:03:53 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 908E0AF6D2DC42D183D802E67ED052B7 Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
date: Tue, 09 Jul 2024 06:03:53 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2C398FDE80B7652C29539B69810C64BD
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=5cAF9qtEztdlRtDpzdHM_h0pNd5u3HFMCrucaIpvGOo; domain=.bing.com; expires=Sun, 03-Aug-2025 06:03:53 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 22E65E8B67BF458AB5C153916EA76B62 Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
date: Tue, 09 Jul 2024 06:03:53 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2C398FDE80B7652C29539B69810C64BD; MSPTC=5cAF9qtEztdlRtDpzdHM_h0pNd5u3HFMCrucaIpvGOo
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0978F0E32261486B837FBF683C80FFAD Ref B: LON04EDGE0815 Ref C: 2024-07-09T06:03:53Z
date: Tue, 09 Jul 2024 06:03:53 GMT
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request147.142.123.92.in-addr.arpaIN PTRResponse147.142.123.92.in-addr.arpaIN PTRa92-123-142-147deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=tls, http22.0kB 9.3kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=985597166263484a93348d8335bde4c1&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
147.142.123.92.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
81.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa