Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/07/2024, 20:02 UTC

General

  • Target

    31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe

  • Size

    60KB

  • MD5

    31c8aa055a6ed4bae3f7033db90a402d

  • SHA1

    56e862391cfb330a833a6de31ad201e3f0448f6e

  • SHA256

    ee19b772c6943edf3507232f0a5a6dd9a48ae2fc496f5770e4a9675e387378c7

  • SHA512

    c076001ff4018d605e403c7ff15c45f018baa8b96e2c8ae94145ca801695d4ffce061903486a5110d836c4007fbddc73dd3bfbc20a1309e1674b5dcd7df9a004

  • SSDEEP

    1536:xf4exGDkeZ4mOoSgJEAJJyA4yL6j22HpkVkJGjr:p4eYZ4+1JXJJxwTpUVf

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SysWOW64\wscript.exe
      wscript.exe /nologo "C:\Users\Admin\AppData\Local\Temp\5879.mk3"
      2⤵
        PID:4124

    Network

    • flag-us
      DNS
      wwwe.iu-yt.info
      31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      wwwe.iu-yt.info
      IN A
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3180095196106C64205A1DE697AB6D90; domain=.bing.com; expires=Sun, 03-Aug-2025 20:41:03 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4465B24D2851445683CD90C7DE895209 Ref B: LON04EDGE0815 Ref C: 2024-07-09T20:41:03Z
      date: Tue, 09 Jul 2024 20:41:03 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3180095196106C64205A1DE697AB6D90
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=V9ngdugae-P9XVvamoKkFHyRN491-JCiZB2DBWveTyk; domain=.bing.com; expires=Sun, 03-Aug-2025 20:41:04 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 8D3C86FBB8734222A17BA2F5B61B188C Ref B: LON04EDGE0815 Ref C: 2024-07-09T20:41:03Z
      date: Tue, 09 Jul 2024 20:41:03 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3180095196106C64205A1DE697AB6D90; MSPTC=V9ngdugae-P9XVvamoKkFHyRN491-JCiZB2DBWveTyk
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F65BCB1F60AB4F3E8C1A9B1B8356B93D Ref B: LON04EDGE0815 Ref C: 2024-07-09T20:41:04Z
      date: Tue, 09 Jul 2024 20:41:03 GMT
    • flag-us
      DNS
      go.iu-yt.info
      31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      go.iu-yt.info
      IN A
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      168.117.168.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      168.117.168.52.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
      tls, http2
      2.0kB
      9.3kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5c2b69b14b744728a9905a96fe5597d&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      wwwe.iu-yt.info
      dns
      31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe
      61 B
      140 B
      1
      1

      DNS Request

      wwwe.iu-yt.info

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      go.iu-yt.info
      dns
      31c8aa055a6ed4bae3f7033db90a402d_JaffaCakes118.exe
      59 B
      138 B
      1
      1

      DNS Request

      go.iu-yt.info

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      168.117.168.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      168.117.168.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsxA588.tmp\InetLoad.dll

      Filesize

      18KB

      MD5

      994669c5737b25c26642c94180e92fa2

      SHA1

      d8a1836914a446b0e06881ce1be8631554adafde

      SHA256

      bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

      SHA512

      d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

    • C:\Users\Admin\AppData\Local\Temp\nsxA588.tmp\nsRandom.dll

      Filesize

      21KB

      MD5

      ab467b8dfaa660a0f0e5b26e28af5735

      SHA1

      596abd2c31eaff3479edf2069db1c155b59ce74d

      SHA256

      db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

      SHA512

      7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

    • memory/4920-7-0x0000000002290000-0x00000000022A2000-memory.dmp

      Filesize

      72KB

    • memory/4920-8-0x0000000002290000-0x00000000022A2000-memory.dmp

      Filesize

      72KB
