
Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/07/2024, 06:32 UTC

General

  • Target

    2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    2f5009a385b3c87156e2372fcc834242

  • SHA1

    2551e460d87e884f3e32bc81d07edf0d7350f2db

  • SHA256

    a84cc849c5d3fe3d666143b2786df3b51de9c50e9f9d803e71f18f380ed3c4bc

  • SHA512

    684bfa168edbb9b10fd78693b923d71c3080df921e4dec9dc0eae249c953c6229f7649369bdf8a706f33dcfc9d0d5abdff9645a9385edc9b389d8e1928dab62e

  • SSDEEP

    1536:QZN3pOTDnWqwEpkYdZFoVP5mv+DiED8LE/Ln8D04cXQZqTERGtbxSUg7cWKiU:QHITDWqwExCk+DVF/L844cgcTok9g7W

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL (1 TTP, 14 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
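The two signatures that carry most of the weight here are the UPX-packing hit and the dropped DLL. Below is an added triage helper (written for this page, not tria.ge's own detection code) that does the two checks a practitioner would run on a suspect file locally: compare its hashes against the IOCs listed in this report (the sample and the dropped C:\Windows\SysWOW64\Nla.dll, which the report lists at the same 126KB size but with different hashes, so it is not a plain copy of the sample), and apply the same kind of heuristic the "UPX packed file" signature uses, looking for UPX-named sections and the "UPX!" magic. The PE reader is a minimal hand-rolled walk of the DOS/NT/section headers, and `build_fake_pe` constructs a non-executable PE skeleton purely so the code can be exercised offline; both are assumptions of this example, not artifacts from the report.

```python
"""Local triage helper: match a file against this report's IOCs and check for UPX packing.

Added example for this page; not tria.ge's detection logic. Hash values are copied
from the report; the PE parsing is a minimal header walk, not a full PE parser.
"""
import hashlib
import struct
import sys

# IOCs copied from the report (sample and dropped C:\Windows\SysWOW64\Nla.dll).
# SHA512 is omitted here; three hashes are enough for a match decision.
REPORT_IOCS = {
    "2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe": {
        "md5": "2f5009a385b3c87156e2372fcc834242",
        "sha1": "2551e460d87e884f3e32bc81d07edf0d7350f2db",
        "sha256": "a84cc849c5d3fe3d666143b2786df3b51de9c50e9f9d803e71f18f380ed3c4bc",
    },
    "C:\\Windows\\SysWOW64\\Nla.dll": {
        "md5": "4e3514d1e271a60a24f9785c3cbcd279",
        "sha1": "fb86fa75768d677a307da6aeaf2578020a4c2b66",
        "sha256": "7328bc89b607593d82467754675b32e71eecd80f2cbbe38dc522706500a3d5fb",
    },
}


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the buffer, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_iocs(data: bytes) -> list:
    """Names of report artifacts whose hashes all agree with `data` (empty list if none)."""
    h = hashes(data)
    return [name for name, ioc in REPORT_IOCS.items() if all(h[a] == ioc[a] for a in ioc)]


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> NT headers -> section table; return section names, or [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                                       # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic in the spirit of the report's 'UPX packed file' signature.

    Stock UPX names its sections UPX0/UPX1 and leaves a 'UPX!' magic in the packed
    header. Modified UPX builds often rename the sections, so the magic is kept as a
    fallback; both indicators are trivially strippable, so a miss is not proof of
    an unpacked binary.
    """
    names = pe_section_names(data)
    has_upx_sections = any(n.startswith("UPX") for n in names)
    has_upx_magic = b"UPX!" in data
    return has_upx_sections or has_upx_magic


def build_fake_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed, non-executable PE32 skeleton used only to exercise the parser offline."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> right after the DOS header
    opt_size = 0xE0                                                # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + b"\0" * opt_size + sections + trailer


if __name__ == "__main__":
    # Usage: python triage.py <file>   (path is whatever you are checking; nothing is downloaded)
    blob = open(sys.argv[1], "rb").read()
    print("hashes:", hashes(blob))
    print("matches report IOC:", match_iocs(blob) or "no")
    print("sections:", pe_section_names(blob))
    print("UPX indicators:", looks_upx_packed(blob))
```

Run it against the sample or the recovered Nla.dll to confirm the hashes line up with the report before trusting any other detail of it; the UPX check is only a first-pass hint, and the dropped DLL's different hashes mean it should be hashed and inspected separately rather than assumed identical to the parent.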

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe (PID 2044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe"
    Signatures hit by this process:
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses

Network

  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
Traffic summary (remote address, request, protocol, bytes sent / received, requests / responses):

  • 8.8.8.8:53  64.159.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
  • 8.8.8.8:53  58.99.105.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
  • 8.8.8.8:53  103.169.127.40.in-addr.arpa  dns  73 B / 147 B  1 / 1
  • 8.8.8.8:53  171.39.242.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
  • 8.8.8.8:53  0.205.248.87.in-addr.arpa  dns  71 B / 116 B  1 / 1

MITRE ATT&CK Enterprise v15

  • T1505.005 Server Software Component: Terminal Services DLL (the one TTP mapped from the signatures above)


Downloads

  • C:\Windows\SysWOW64\Nla.dll

    Filesize

    126KB

    MD5

    4e3514d1e271a60a24f9785c3cbcd279

    SHA1

    fb86fa75768d677a307da6aeaf2578020a4c2b66

    SHA256

    7328bc89b607593d82467754675b32e71eecd80f2cbbe38dc522706500a3d5fb

    SHA512

    5cdb26adfe3be0c48ebfa57425f015a06c31d58fd2c8a354a26768a8a037f51041c1391acd945e5b9a7b3ddeef8b1003e4b7252880601244b5cc1f4af158d6df

  • memory/2044-0-0x0000000000180000-0x00000000001A4000-memory.dmp

    Filesize

    144KB

  • memory/2044-5-0x0000000077272000-0x0000000077273000-memory.dmp

    Filesize

    4KB

  • memory/2044-6-0x00000000761FC000-0x00000000761FD000-memory.dmp

    Filesize

    4KB

  • memory/2044-19-0x0000000000180000-0x00000000001A4000-memory.dmp

    Filesize

    144KB
