
Analysis

  • max time kernel
    140s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    2024-07-09, 08:25 UTC (9 July 2024; the day is confirmed by the Date header in the HTTP response below)

General

  • Target

    2fa475e76cb3078dda103f5193e0a111_JaffaCakes118.dll

  • Size

    1.1MB

  • MD5

    2fa475e76cb3078dda103f5193e0a111

  • SHA1

    43fb76212bb4eb9c83b1b61ef98d80fa6c9baafd

  • SHA256

    e87a6bb6a951fd9a669a5d8fbb2333cd36dfcbe0f54d917e03c3a98caa6d9c06

  • SHA512

    c5f07a60b0b5ace28236a041fe7c93668cbcab25945093e84094d2d1f5abd8be393a33130d351aa5129f07181755a421ff1ccca1673404787962b05a6f9a11bd

  • SSDEEP

    24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00D:SuNZ7Ib8ZBL2/X4

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe (PID 468)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2fa475e76cb3078dda103f5193e0a111_JaffaCakes118.dll
    Signatures: Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\regsvr32.exe (PID 2336, child of 468)
      /s C:\Users\Admin\AppData\Local\Temp\2fa475e76cb3078dda103f5193e0a111_JaffaCakes118.dll
      Signatures: Server Software Component: Terminal Services DLL
  • C:\Windows\SysWOW64\svchost.exe (PID 2068, parent not shown in the report)
    C:\Windows\SysWOW64\svchost.exe -k dtcGep
    Signatures: Drops file in System32 directory

The 64-bit regsvr32 handing the DLL to its SysWOW64 counterpart is the normal path for a 32-bit DLL, so the artefacts worth chasing are the Terminal Services DLL signature on the 32-bit child (PID 2336) and the separately started svchost.exe -k dtcGep: dtcGep is not one of the standard svchost service groups, and a service host running a custom group out of SysWOW64 is where the dropped file and the network activity below originate.

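Hunting checks for the process chain above, as an added example (not Triage's or the sample's code): regsvr32 registering a DLL from a user temp path, a System32 binary spawning its SysWOW64 twin, svchost.exe started with a service group outside a baseline, and the ATT&CK T1505.005 check that TermService's ServiceDll still points at termsrv.dll. The event records are constructed from the Processes section; the svchost-group baseline and the expected ServiceDll path are assumptions to replace with values from a known-good host.

```python
"""Added example (not Triage's or the sample's code): hunting checks for the
regsvr32 -> SysWOW64 regsvr32 and svchost.exe -k dtcGep chain in the report.
The event records are constructed from the report; the svchost-group baseline
and the expected TermService ServiceDll path are assumptions."""
import re

# Constructed from the report's process tree; ppid None = parent not shown.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2fa475e76cb3078dda103f5193e0a111_JaffaCakes118.dll")
EVENTS = [
    {"pid": 468, "ppid": None, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": "regsvr32 /s " + SAMPLE_DLL},
    {"pid": 2336, "ppid": 468, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": "/s " + SAMPLE_DLL},
    {"pid": 2068, "ppid": None, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k dtcGep"},
]

# Assumed, deliberately partial baseline of svchost groups on a stock Windows 7
# host. In practice generate it from a clean machine's value names under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = frozenset(g.lower() for g in (
    "DcomLaunch", "RPCSS", "LocalService", "LocalServiceNoNetwork",
    "LocalServiceNetworkRestricted", "LocalServiceAndNoImpersonation",
    "LocalSystemNetworkRestricted", "NetworkService",
    "NetworkServiceNetworkRestricted", "netsvcs", "termsvcs", "WerSvcGroup",
))

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SVCHOST_GROUP = re.compile(r"(?:^|\s)-k\s+(\S+)", re.IGNORECASE)
DLL_ARG = re.compile(r"(\S+\.dll)", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_user_path_loads(events):
    """regsvr32 registering a DLL that lives under a user's AppData tree."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "regsvr32.exe":
            continue
        m = DLL_ARG.search(e["cmdline"])
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append((e["pid"], m.group(1)))
    return hits


def unknown_svchost_groups(events, known=KNOWN_SVCHOST_GROUPS):
    """svchost.exe started with a -k group name outside the baseline."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "svchost.exe":
            continue
        m = SVCHOST_GROUP.search(e["cmdline"])
        if m and m.group(1).lower() not in known:
            hits.append((e["pid"], m.group(1)))
    return hits


def wow64_hops(events):
    """System32 binary spawning its own SysWOW64 twin: the normal path when a
    32-bit DLL is handed to 64-bit regsvr32, surfaced so the analyst can tie
    the child's signatures back to the parent."""
    by_pid = {e["pid"]: e for e in events}
    hops = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if ("\\syswow64\\" in e["image"].lower()
                and "\\system32\\" in parent["image"].lower()
                and _basename(e["image"]) == _basename(parent["image"])):
            hops.append((parent["pid"], e["pid"]))
    return hops


def terminal_services_dll_is_expected(service_dll_value, system_root=r"C:\Windows"):
    r"""ATT&CK T1505.005 check: TermService's Parameters\ServiceDll must still
    point at %SystemRoot%\System32\termsrv.dll (system_root is an assumed
    expansion). Anything else means the RDP service host has been replaced."""
    value = service_dll_value.strip().strip('"')
    value = re.sub(r"%systemroot%", lambda _: system_root, value, flags=re.IGNORECASE)
    expected = system_root.rstrip("\\") + r"\System32\termsrv.dll"
    return value.lower() == expected.lower()


if __name__ == "__main__":
    print("regsvr32 from user path:", regsvr32_user_path_loads(EVENTS))
    print("unknown svchost groups:", unknown_svchost_groups(EVENTS))
    print("WoW64 hops:", wow64_hops(EVENTS))
    print("termsrv.dll intact:",
          terminal_services_dll_is_expected(r"%SystemRoot%\System32\termsrv.dll"))
```

The group baseline is the weak point of the svchost check: the value names under the Svchost key differ between Windows versions, so take it from a clean image of the same build rather than from a list, and treat a group that appears on only one host in the fleet as the finding.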
Network

All lookups went to the resolver 8.8.8.8:53 and are attributed on the page to dtcGep, i.e. the svchost.exe -k dtcGep process (PID 2068).

DNS

  • ip.qq.com IN A
    Response: 0.0.0.1
    0.0.0.1 lies in the reserved 0.0.0.0/8 block and is not routable, so treat this as a null or blocked answer, not as infrastructure.
  • ip.knowsky.com IN A
    Response: 104.21.6.75, 172.67.134.154
  • ie.800801.com IN A
    Response: (none)
  • if.800801.com IN A
    Response: (none)

HTTP

  • GET http://ip.knowsky.com/
    Process: dtcGep
    Remote address: 104.21.6.75:80
    Request
    GET / HTTP/1.1
    Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    Accept-Language:zh-cn
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    Referer: http://www.baidu.com/s?wd=IP%B2%E9%D1%AF
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: ip.knowsky.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 09 Jul 2024 11:52:25 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 09 Jul 2024 12:52:25 GMT
    Location: https://ip.knowsky.com/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtdKx3GL2ZjMEV3UK%2FcKCjFvZVj3yec8dKfxk3%2BJ1N6RO54AouJgTUi9466goIR4Siq%2F0w0syLuJldVGajXtOnqHM6USOfiNWrZzvRevf1buFlTATUe5fDZ0JigPlhmjcA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 8a081b98ca8a633d-LHR
    alt-svc: h3=":443"; ma=86400

The request is a hard-coded browser fingerprint: it claims IE 6.0 on Windows NT 5.1 (XP) although the sandbox is Windows 7 (NT 6.1), sends Accept-Language zh-cn, and carries a Referer of a Baidu search for IP%B2%E9%D1%AF (GBK for 查询, so "IP lookup"). The Accept and Accept-Language headers have no space after the colon while the rest do, which is consistent with a hand-built request string rather than a browser stack. ip.qq.com and ip.knowsky.com are Chinese "what is my IP" services, so this traffic reads as the sample learning its external address. The server answered 301 to https://ip.knowsky.com/ and the report lists no follow-up connection to port 443.
Connections (the four numeric columns are bytes sent, bytes received, packets sent, packets received, as in the Triage connection table):

  Remote address   Host             Proto  Process  Sent   Recv    Pkts out  Pkts in  Detail
  104.21.6.75:80   ip.knowsky.com   http   dtcGep   657 B  1.0 kB  5         4        GET http://ip.knowsky.com/ -> 301
  8.8.8.8:53       ip.qq.com        dns    dtcGep   55 B   71 B    1         1        A ip.qq.com -> 0.0.0.1
  8.8.8.8:53       ip.knowsky.com   dns    dtcGep   60 B   92 B    1         1        A ip.knowsky.com -> 104.21.6.75, 172.67.134.154
  8.8.8.8:53       ie.800801.com    dns    dtcGep   59 B   127 B   1         1        A ie.800801.com -> no answer
  8.8.8.8:53       if.800801.com    dns    dtcGep   59 B   127 B   1         1        A if.800801.com -> no answer

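Detection logic for the network fingerprint above, as an added example (not Triage's or the sample's code): a small HTTP request parser and indicator matcher run over the captured request, plus a DNS-answer check that separates the empty responses and the non-routable 0.0.0.1 answer from real infrastructure. The request and DNS answers are embedded as constructed copies of the report's data; the IP-lookup host list and the expected NT version of the analysis host are assumptions.

```python
"""Added example (not Triage's or the sample's code): checks for the
IP-lookup beacon fingerprint in the Network section, run over the request
and DNS answers as captured in the report (embedded here as constructed
data). IP_LOOKUP_HOSTS and EXPECTED_NT_VERSION are assumptions."""
import ipaddress
import re

# Constructed verbatim from the captured request above.
RAW_REQUEST = """GET / HTTP/1.1
Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Accept-Language:zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
Referer: http://www.baidu.com/s?wd=IP%B2%E9%D1%AF
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ip.knowsky.com
Connection: Keep-Alive
"""

# Constructed from the DNS answers above; an empty list is an empty Response.
DNS_ANSWERS = {
    "ip.qq.com": ["0.0.0.1"],
    "ip.knowsky.com": ["104.21.6.75", "172.67.134.154"],
    "ie.800801.com": [],
    "if.800801.com": [],
}

# Assumed: public "what is my IP" services seen in this report; extend from
# your own telemetry.
IP_LOOKUP_HOSTS = frozenset({"ip.qq.com", "ip.knowsky.com"})
# Assumed: the analysis host is Windows 7, i.e. NT 6.1.
EXPECTED_NT_VERSION = "6.1"

MSIE_UA = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+\.\d+)")


def parse_request(raw):
    """Minimal HTTP/1.x request-line and header parser; header names are
    lower-cased and the 'Name:value' form without a space is accepted."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def beacon_indicators(req, lookup_hosts=IP_LOOKUP_HOSTS,
                      expected_nt=EXPECTED_NT_VERSION):
    """Return the set of fingerprint indicators present in one request."""
    h = req["headers"]
    found = set()
    if h.get("host", "").lower() in lookup_hosts:
        found.add("ip_lookup_host")
    m = MSIE_UA.search(h.get("user-agent", ""))
    if m:
        if int(m.group(1)) <= 6:          # IE6-era UA string
            found.add("legacy_msie_ua")
        if m.group(2) != expected_nt:     # UA claims a different OS than the host
            found.add("ua_os_mismatch")
    if (h.get("accept-language", "").lower().startswith("zh")
            and "baidu.com" in h.get("referer", "").lower()):
        found.add("zh_cn_baidu_referer")
    return found


def dns_anomalies(answers):
    """Flag empty answers and non-routable A records. 0.0.0.1 sits in the
    reserved 0.0.0.0/8 block, so it is a null answer, not infrastructure."""
    problems = {}
    for name, addrs in answers.items():
        if not addrs:
            problems[name] = "no answer"
            continue
        bad = [a for a in addrs if not ipaddress.ip_address(a).is_global]
        if bad:
            problems[name] = "non-routable answer " + ", ".join(bad)
    return problems


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["target"], sorted(beacon_indicators(req)))
    print(dns_anomalies(DNS_ANSWERS))
```

On a proxy or Zeek HTTP log the same matcher applies per request; the combination of an IP-lookup host with a UA/OS mismatch is a better alert than any single header, since legitimate legacy clients do exist but do not normally claim an OS the endpoint is not running.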
MITRE ATT&CK Enterprise v15

  • Persistence: Server Software Component: Terminal Services DLL (T1505.005), from the signature on PID 2336

Downloads

Two writes are recorded to the same path, C:\Windows\SysWOW64\8629022a4c.dll, with different content (126 B and 114 B); these are the two IoCs behind the "Drops file in System32 directory" signature on PID 2068. Files that small are far too small to be a functional DLL, so despite the name treat them as data the sample stores in the WoW64 system directory. The 1.1 MB memory regions below, in PIDs 2068 and 2336, are the same size as the sample.

  • C:\Windows\SysWOW64\8629022a4c.dll

    Filesize

    126B

    MD5

    1b7faf50521bd25a580b95feae0b492e

    SHA1

    de797434cb27b0b5497ef4eb58edcec37a95b5ff

    SHA256

    34eefcf9b26e00ef0b8d339fe11ada71680293fecd5aaed8299f25ca0c0bab45

    SHA512

    283edd324745e8ca1e5886f2c30510eb3ab7eee4b6db4a33c6cfefad24acade9ca3f5772f81548e151fede9a247cfc44cf431f710d9c5f2c1f86437abd52b939

  • C:\Windows\SysWOW64\8629022a4c.dll

    Filesize

    114B

    MD5

    17c5f43c69e4a0ed8fd19f78f178b507

    SHA1

    34b9c493ed5abb06e02d08a889bd4c5eb6e5f9e5

    SHA256

    d3bbfd1b8a970ef25ede98247b76e50eec2a945ef0cfaf9dcf7f28f6fe98f2b2

    SHA512

    417fd1afbf482f84c125785b998868f7de962aafbd2556ab340f370c93e0876cabb1134f079dcb473bc969173355036da212d9ecde9b066e959b7d58abfc686d

  • memory/2068-1-0x0000000002620000-0x0000000002737000-memory.dmp

    Filesize

    1.1MB

  • memory/2068-9-0x0000000002620000-0x0000000002737000-memory.dmp

    Filesize

    1.1MB

  • memory/2068-30-0x0000000002620000-0x0000000002737000-memory.dmp

    Filesize

    1.1MB

  • memory/2336-0-0x0000000001DF0000-0x0000000001F07000-memory.dmp

    Filesize

    1.1MB
