Analysis

  • max time kernel
    94s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15/07/2024, 18:04 UTC

General

  • Target

    4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe

  • Size

    12KB

  • MD5

    4acd0e56eef405eabbb4a564569a271a

  • SHA1

    eadbc3a2deff7309466453d0dc0eb4309207dd95

  • SHA256

    ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386

  • SHA512

    9f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27

  • SSDEEP

    384:izNVKpUpi24JkaLuR46IsdAKQ8ubGOoWk5:wGH3O6EPIs9OoWI

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:444
    • \??\c:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe
      c:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Sets service image path in registry
        • Deletes itself
        PID:2936

Network

  • DNS ddosmanager.org (svchost.exe)
    Remote address: 8.8.8.8:53
    Request: ddosmanager.org IN A
    Response:
  • DNS ddosmanager.org (svchost.exe)
    Remote address: 8.8.8.8:53
    Request: ddosmanager.org IN A
    Response:
  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 64.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 64.159.190.20.in-addr.arpa IN PTR
    Response:
  • DNS 227.143.123.92.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 227.143.123.92.in-addr.arpa IN PTR
    Response: 227.143.123.92.in-addr.arpa IN PTR a92-123-143-227.deploy.static.akamaitechnologies.com
  • DNS 55.36.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 55.36.223.20.in-addr.arpa IN PTR
    Response:
  • DNS 157.123.68.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 157.123.68.40.in-addr.arpa IN PTR
    Response:
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response:
  • DNS 147.142.123.92.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 147.142.123.92.in-addr.arpa IN PTR
    Response: 147.142.123.92.in-addr.arpa IN PTR a92-123-142-147.deploy.static.akamaitechnologies.com
  • DNS 20.210.23.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 20.210.23.2.in-addr.arpa IN PTR
    Response: 20.210.23.2.in-addr.arpa IN PTR a2-23-210-20.deploy.static.akamaitechnologies.com
  • DNS 13.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 13.227.111.52.in-addr.arpa IN PTR
    Response:
  • 8.8.8.8:53 | ddosmanager.org | dns | svchost.exe | 122 B | 286 B | 2 | 2
    DNS Request: ddosmanager.org
    DNS Request: ddosmanager.org
  • 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | dns | 66 B | 90 B | 1 | 1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
    DNS Request: 64.159.190.20.in-addr.arpa
  • 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | dns | 73 B | 139 B | 1 | 1
    DNS Request: 227.143.123.92.in-addr.arpa
  • 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | dns | 71 B | 157 B | 1 | 1
    DNS Request: 55.36.223.20.in-addr.arpa
  • 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | dns | 72 B | 146 B | 1 | 1
    DNS Request: 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | dns | 72 B | 146 B | 1 | 1
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | dns | 73 B | 139 B | 1 | 1
    DNS Request: 147.142.123.92.in-addr.arpa
  • 8.8.8.8:53 | 20.210.23.2.in-addr.arpa | dns | 70 B | 133 B | 1 | 1
    DNS Request: 20.210.23.2.in-addr.arpa
  • 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
    DNS Request: 13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\SysWOW64\mssrv32.exe

    Filesize

    12KB

    MD5

    4acd0e56eef405eabbb4a564569a271a

    SHA1

    eadbc3a2deff7309466453d0dc0eb4309207dd95

    SHA256

    ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386

    SHA512

    9f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27

  • memory/444-1-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB

  • memory/2936-2-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB

  • memory/2936-5-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB

  • memory/2936-6-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB

  • memory/2936-7-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB

  • memory/3096-3-0x0000000015110000-0x0000000015119000-memory.dmp

    Filesize

    36KB
