Analysis

max time kernel: 93s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 18:19 UTC
Static task
static1

Behavioral task
behavioral1
Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task
behavioral2
Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General

Target: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
Size: 35KB
MD5: 46f8b0698e85357a979a2cf854d7dc16
SHA1: 7565cb6ebc36a669bdd8937f2eeb67778a9180fe
SHA256: 88f39cfd787dda1b94de96b48b9ceb921ebea0b0f69f97389a82a90585676ea1
SHA512: a90aafdc1bceb297264671f5b4d11a07114f207cbcfd61cbeb43cdb62957b6696c35dfd0859efa88912ef89e17df5e1287ae6fdb5e9ae009987cc918b5babc62
SSDEEP: 384:QyWMPvsytDWW80X+xT9o25TyrHLM7+qdDvFpwyVuP3x5Ylo/LsL7LkLbg:8HgDWt9TU8p9/wyV+3xelozA/o
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value is the per-user GEOID that GetUserGeoID() returns; legitimate localised software reads it as well, so on its own this is a weak indicator and is best weighed together with the persistence entry below.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
  process: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
  pid: 312
  process: rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
The Run value re-launches the dropped DLL through rundll32.exe, entering its exported function Call, at each logon of this user. The DLL sits in the user's Temp directory, which legitimate autostart entries rarely point at.
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swapdisk = "C:\\Windows\\system32\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\32014333.dll,Call"
  process: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
All six writes go from the sample (PID 2388) into its own newly created children, rundll32.exe (PID 312) and cmd.exe (PID 3076). That pattern is consistent with the writes a parent performs while creating a process; no write into a pre-existing, unrelated process was recorded, so this signature does not by itself indicate injection.
  description                      pid   process                                              procid_target
  PID 2388 wrote to memory of 312   2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  86
  PID 2388 wrote to memory of 312   2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  86
  PID 2388 wrote to memory of 312   2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  86
  PID 2388 wrote to memory of 3076  2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  87
  PID 2388 wrote to memory of 3076  2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  87
  PID 2388 wrote to memory of 3076  2388  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  87
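The two registry signatures above (the Geo\Nation lookup and the Run key pointing rundll32.exe at a DLL in Temp) are the kind of thing a detection engineer turns into rules and then correlates per process, because the geofence read is noisy on its own. The following is an added example written for this page, not code from Triage or from the sample's authors. It assumes a simplified one-event-per-line registry trace format that I made up for the example (it is neither Sysmon nor Triage output); the PID 2388 lines reuse the key paths and Run-key command from the report, while PIDs 4120 and 5000, updater.exe, the VendorUpdater value and the svchost/tray.dll entry are constructed benign events for contrast.

```python
"""Detection logic for the two registry behaviours flagged above, run over
constructed log lines (added example, not Triage code or output)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed registry-API trace in a simplified one-line-per-event format
# (not Sysmon or Triage output).  The PID 2388 events reuse the key paths and
# Run-key command from the report; PIDs 4120 and 5000, updater.exe,
# VendorUpdater and the svchost/tray.dll entry are made-up benign contrast.
SAMPLE_LOG = r'''
QueryValue pid=2388 process="C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe" key="HKU\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation"
SetValue pid=2388 process="C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe" key="HKU\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swapdisk" data="C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\32014333.dll,Call"
QueryValue pid=4120 process="C:\Program Files\Vendor\updater.exe" key="HKU\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation"
SetValue pid=4120 process="C:\Program Files\Vendor\updater.exe" key="HKU\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater" data="C:\Program Files\Vendor\updater.exe /background"
SetValue pid=5000 process="C:\Windows\System32\svchost.exe" key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTray" data="C:\Windows\system32\rundll32.exe C:\Windows\System32\tray.dll,Start"
'''

LINE_RE = re.compile(
    r'^(?P<op>SetValue|QueryValue) pid=(?P<pid>\d+) process="(?P<process>[^"]+)" '
    r'key="(?P<key>[^"]+)"(?: data="(?P<data>.*)")?$'
)
# Autostart values under HKCU/HKLM ...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Geo\Nation holds the per-user GEOID that GetUserGeoID() returns.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# rundll32[.exe] <path>.dll,<export>  (quotes around the path are optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE
)
# Directories a standard user can write to; a DLL here is not a system component.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    process: str
    detail: str


def parse_line(line):
    """Return the event as a dict, or None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def check_run_key(ev):
    """Run-key value whose command hands rundll32 a DLL from a user-writable path."""
    if ev["op"] != "SetValue" or not RUN_KEY_RE.search(ev["key"]):
        return None
    m = RUNDLL_RE.search(ev["data"] or "")
    if m is None:
        return None
    dll = m.group("dll")
    if not any(marker in dll.lower() for marker in USER_WRITABLE):
        return None  # rundll32 pointed at a DLL under System32 etc. is ordinary
    value_name = ev["key"].rsplit("\\", 1)[-1]
    return Finding("run_key_rundll32", ev["pid"], ev["process"],
                   f"{value_name} -> {dll},{m.group('export')}")


def check_geo_nation(ev):
    """Read of the GEOID; weak on its own, localised software does this too."""
    if ev["op"] == "QueryValue" and GEO_NATION_RE.search(ev["key"]):
        return Finding("geo_nation_lookup", ev["pid"], ev["process"], ev["key"])
    return None


RULES = (check_run_key, check_geo_nation)


def analyse(log_text):
    """Run every rule over every event and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings.extend(f for f in (rule(ev) for rule in RULES) if f is not None)
    return findings


def score_by_pid(findings):
    """Correlate per process: geofence check plus Temp-DLL persistence is the
    combination worth alerting on; either alone is only context."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f.pid].add(f.rule)
    verdicts = {}
    for pid, rules in rules_by_pid.items():
        if {"run_key_rundll32", "geo_nation_lookup"} <= rules:
            verdicts[pid] = "likely_malicious"
        elif "run_key_rundll32" in rules:
            verdicts[pid] = "suspicious"
        else:
            verdicts[pid] = "info"
    return verdicts


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:18} pid={f.pid:<5} {f.detail}")
    print(score_by_pid(hits))  # {2388: 'likely_malicious', 4120: 'info'}
```

On the constructed trace the sample's PID trips both rules and is scored likely_malicious, the updater that also reads Geo\Nation is only recorded as context, and the Run entry that points rundll32 at a DLL under System32 produces no finding at all. The user-writable path list is the part to tune for a real estate; the rundll32 export-name capture is what lets you pivot on `,Call`-style entries across hosts.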
Processes

C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  (PID 2388)
  command line: "C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe  (PID 312)
  |     command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\32014333.dll,Call
  |     - Loads dropped DLL
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 3076)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "

The command lines name C:\Windows\system32, but the images that actually ran are under SysWOW64: the sample is a 32-bit process (see the arch:x86 resource tag), so WoW64 file-system redirection maps system32 to SysWOW64 for the children it launches. The parent hands control to two files in the user's Temp directory, 32014333.dll (entered through its exported function Call) and d.bat.
Network

Note: every HTTP exchange recorded below goes to g.bing.com with the user-agent WindowsShellClient/9.0.40929.0, which is Windows 10 shell background traffic from the sandbox image rather than the sample, and the PTR queries are reverse lookups of addresses the image contacted. Nothing recorded in this run is attributable to 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe itself.

DNS (remote address 8.8.8.8:53)
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 13.107.21.237
    dual-a-0034.a-msedge.net IN A 204.79.197.237

HTTP (remote address 13.107.21.237:443)
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0ECBE1B4DFFB67351EB8F508DE1B662C; domain=.bing.com; expires=Fri, 08-Aug-2025 18:20:05 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D5ABB661A0B34AFBA707886E071AFAA9 Ref B: LON04EDGE1217 Ref C: 2024-07-14T18:20:05Z
date: Sun, 14 Jul 2024 18:20:05 GMT

HTTP (remote address 13.107.21.237:443)
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Request: GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0ECBE1B4DFFB67351EB8F508DE1B662C
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Z76wDOiACjgMDg3Oa2BMpQzEFhbhsW7Ny8Z2FeIaxag; domain=.bing.com; expires=Fri, 08-Aug-2025 18:20:05 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DFF77194AE974E48A80F3F74C3E38A6B Ref B: LON04EDGE1217 Ref C: 2024-07-14T18:20:05Z
date: Sun, 14 Jul 2024 18:20:05 GMT

HTTP (remote address 13.107.21.237:443)
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0ECBE1B4DFFB67351EB8F508DE1B662C; MSPTC=Z76wDOiACjgMDg3Oa2BMpQzEFhbhsW7Ny8Z2FeIaxag
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 343C2AB506DF4CEC81A2DDA88D55762C Ref B: LON04EDGE1217 Ref C: 2024-07-14T18:20:05Z
date: Sun, 14 Jul 2024 18:20:05 GMT

DNS (remote address 8.8.8.8:53)
  Request: 69.31.126.40.in-addr.arpa IN PTR
  Response: (empty)

DNS (remote address 8.8.8.8:53)
  Request: 237.21.107.13.in-addr.arpa IN PTR
  Response: (empty)

DNS (remote address 8.8.8.8:53)
  Request: 240.221.184.93.in-addr.arpa IN PTR
  Response: (empty)

DNS (remote address 8.8.8.8:53)
  Request: 206.23.85.13.in-addr.arpa IN PTR
  Response: (empty)

DNS (remote address 8.8.8.8:53)
  Request: 157.123.68.40.in-addr.arpa IN PTR
  Response: (empty)

DNS (remote address 8.8.8.8:53)
  Request: 147.142.123.92.in-addr.arpa IN PTR
  Response: 147.142.123.92.in-addr.arpa IN PTR a92-123-142-147.deploy.static.akamaitechnologies.com

DNS (remote address 8.8.8.8:53)
  Request: 31.243.111.52.in-addr.arpa IN PTR
  Response: (empty)

Flows (columns: bytes out, bytes in, packets out, packets in)

13.107.21.237:443  tls, http2  2.0kB  9.3kB  21  19
  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=  ->  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=  ->  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f080f444f1354358a82a34da8c41d2fb&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=  ->  HTTP Response: 204

8.8.8.8:53  dns  56 B  151 B  1  1
  DNS Request: g.bing.com  ->  DNS Response: 13.107.21.237, 204.79.197.237

8.8.8.8:53  dns  71 B  157 B  1  1
  DNS Request: 69.31.126.40.in-addr.arpa

8.8.8.8:53  dns  72 B  158 B  1  1
  DNS Request: 237.21.107.13.in-addr.arpa

8.8.8.8:53  dns  73 B  144 B  1  1
  DNS Request: 240.221.184.93.in-addr.arpa

8.8.8.8:53  dns  72 B  146 B  1  1
  DNS Request: 157.123.68.40.in-addr.arpa

8.8.8.8:53  dns  71 B  145 B  1  1
  DNS Request: 206.23.85.13.in-addr.arpa

8.8.8.8:53  dns  73 B  139 B  1  1
  DNS Request: 147.142.123.92.in-addr.arpa

8.8.8.8:53  dns  72 B  158 B  1  1
  DNS Request: 31.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 28KB
MD5: 4e432912db8c425eee68e2a459b5a0a3
SHA1: 749a25deb96febc23d906c9c26308d5f0520a4b6
SHA256: 5d79e6b5f32d6bea323988c63ec4273207e92c845b745ddc4921626049fadf0d
SHA512: ece43a4a1f47d0613f284fed3cb4d9f0600336fe2352942dff07042bce7da059db8f28240b8b034b94c4c417b11fceaf4530fa55800ebb20fe87ac95dbe7b6be

File 2
Filesize: 210B
MD5: 8c8de60b3256d675f36c9d9f1cc69ad6
SHA1: 19b9a812f5f08b87d4d0198e043edc751062c705
SHA256: ce53002a60ceaddad11cdae49973a876c04de3b53381375dfa9508ee0de81c3c
SHA512: 33a214d47020bdb7a94a2f66f110ac418b1d17997e39e329c73b7a94de8eb34e7d7987bca32454d81e39ce5888c33e2fe193ba00abbd608b5582be7935c6dc46