Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2024, 12:38 UTC

General

  • Target

    41b1a972205a513bad7d2968ad841452_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    41b1a972205a513bad7d2968ad841452

  • SHA1

    fcf05750508beccecb4804627ae061d0f1062da2

  • SHA256

    d855def96303fe7aa3c65760d6583ad821ff75e38dcb3e880147132ef0ebefe5

  • SHA512

    fb581c63dab1d0d580c6bb0723e51f7666139d7deb87fb35185f8ed30f2326f433ead435ae5c02e52d8e6ff195fefe03212c0618fe9f7e12dab76f162b7d7dec

  • SSDEEP

    3072:z06hibes47Knd9KNx2gMRBvc457TkoWhZAybh4m5m:z06he3nnnMx2gcvx57YoWPr4mg

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41b1a972205a513bad7d2968ad841452_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\41b1a972205a513bad7d2968ad841452_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\a.exe
      "C:\a.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Documents and Settings\1.exe
        "C:\Documents and Settings\1.exe"
        3⤵
        • Executes dropped EXE
        PID:1104

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0474E0CFA5E169FE39EDF474A4C6681C; domain=.bing.com; expires=Thu, 07-Aug-2025 12:38:57 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C79E76345D264AA8A719100CCD86AD32 Ref B: LON04EDGE0716 Ref C: 2024-07-13T12:38:57Z
    date: Sat, 13 Jul 2024 12:38:57 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0474E0CFA5E169FE39EDF474A4C6681C
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=mTyW-nBmYImRg6sA6ke7k6Tg0dPf-w2OJFNJcXpK_L0; domain=.bing.com; expires=Thu, 07-Aug-2025 12:38:57 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1194AFC4DBA841B79D57A7DE1E166200 Ref B: LON04EDGE0716 Ref C: 2024-07-13T12:38:57Z
    date: Sat, 13 Jul 2024 12:38:57 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0474E0CFA5E169FE39EDF474A4C6681C; MSPTC=mTyW-nBmYImRg6sA6ke7k6Tg0dPf-w2OJFNJcXpK_L0
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0F7C949C08464DCB8A2B275922A36FFE Ref B: LON04EDGE0716 Ref C: 2024-07-13T12:38:57Z
    date: Sat, 13 Jul 2024 12:38:57 GMT
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d79f33a08af04eb9a8c6139440752014&localId=w:2199DD2E-A1D9-6377-4DC2-EDD793B3B417&deviceId=6825836757717110&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\1.exe

    Filesize

    7KB

    MD5

    ed15f2b4113204402c46a0e516165715

    SHA1

    c034ec5fe281494f933ed6bb312b9e607b1f9ff1

    SHA256

    a2ff51aed42c85af59e18d576095be46eb8b45e43ba97e70f86c4df99bc74deb

    SHA512

    413efb2c3f562bea358a1e4f34e6366216ff8eac7aa5e8cb346265fb7db7a31fba897f6d743d90becca261f318980ac0822ca3b4adfb34f892ebcd08fce4311c

  • C:\a.exe

    Filesize

    96KB

    MD5

    57dc599041e7caa1903cb728c24bdecf

    SHA1

    85a96ce06c1ed514f854c26d5e9cae3d01d06c02

    SHA256

    51c5917ddcaa159c4cad91a18f54d9bda8d8ca2072350d48e18c93c957229a7a

    SHA512

    70f592561929dbcf31c23b0a6fc43ef5173193ef09b6f56ada800dfd547221e88cc72dbe58cb3a47b5a7a062ef52c0fb1663ba45ca2a9bc69717e533469e88e6

  • memory/696-10-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/696-23-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/1168-0-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1168-12-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB
