Analysis
max time kernel: 137s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 18:05 UTC
Static task
static1
Behavioral task
behavioral1
Sample
7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target: 7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
Size: 39KB
MD5: 7523bedad24c9e3bdcbeeae7ff0d9e73
SHA1: d82940508b186b80dbfe3038bdac15320bab720f
SHA256: a65b7f236802505674c6d9daeb6f3ab0e0f680f9f678e1e90d353a8088a14fb7
SHA512: 42e1960f5acaadb09715b512f813f719f0e60d346c60b996f91951766050ae599e5db702ef7b2302a2ac4230ded6e6ff0ffaf828a227bb086322753bea7a5cc2
SSDEEP: 768:Ob6gwXYPv5O1eTGvmqLNILZ2/qBtgbWIQzTGf/:Ob6gwXYnc1eTqgZ3tgbWIQy
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
Processes
Network
-
Remote address: 8.8.8.8:53
Request: home.51.com IN A
Response:
home.51.com IN CNAME home.51.com.dsa.dnsv1.com.cn
home.51.com.dsa.dnsv1.com.cn IN CNAME ppjzolql.sched.d0.tdnsdp1.cn
ppjzolql.sched.d0.tdnsdp1.cn IN A 221.204.43.242
ppjzolql.sched.d0.tdnsdp1.cn IN A 119.188.180.230
ppjzolql.sched.d0.tdnsdp1.cn IN A 58.251.62.110
ppjzolql.sched.d0.tdnsdp1.cn IN A 58.251.62.189
ppjzolql.sched.d0.tdnsdp1.cn IN A 58.144.235.61
ppjzolql.sched.d0.tdnsdp1.cn IN A 116.162.203.111
ppjzolql.sched.d0.tdnsdp1.cn IN A 58.251.62.192
ppjzolql.sched.d0.tdnsdp1.cn IN A 1.56.98.101
ppjzolql.sched.d0.tdnsdp1.cn IN A 112.84.131.82
ppjzolql.sched.d0.tdnsdp1.cn IN A 116.177.225.247
ppjzolql.sched.d0.tdnsdp1.cn IN A 211.97.95.244
ppjzolql.sched.d0.tdnsdp1.cn IN A 118.212.138.173
ppjzolql.sched.d0.tdnsdp1.cn IN A 112.84.131.83
ppjzolql.sched.d0.tdnsdp1.cn IN A 58.251.62.191
ppjzolql.sched.d0.tdnsdp1.cn IN A 116.136.188.184
-
Remote address: 8.8.8.8:53
Request: blog.myspace.cn IN A
Response:
blog.myspace.cn IN A 3.64.163.50
-
Remote address: 8.8.8.8:53
Request: hi.baidu.com IN A
Response:
hi.baidu.com IN CNAME im.n.shifen.com
im.n.shifen.com IN CNAME in.m.wshifen.com
in.m.wshifen.com IN A 104.193.88.126
in.m.wshifen.com IN A 104.193.88.125
-
GET http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html
Process: 7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
Remote address: 104.193.88.126:80
Request:
GET /jack27309937/blog/item/817557e9494440e9b3fb9541.html HTTP/1.1
Host: hi.baidu.com
Cache-Control: no-cache
Response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Jul 2024 22:24:40 GMT
Location: https://infoflow.baidu.com
-
Remote address: 8.8.8.8:53
Request: infoflow.baidu.com IN A
Response:
infoflow.baidu.com IN CNAME im.n.shifen.com
im.n.shifen.com IN CNAME in.m.wshifen.com
in.m.wshifen.com IN A 104.193.88.126
in.m.wshifen.com IN A 104.193.88.125
-
Remote address: 104.193.88.126:443
Request:
GET / HTTP/1.1
Host: infoflow.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 4546
Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample' blob: baidu: *.infoflow.baidu.com *.im.baidu.com zhiqiu.baidu.com passport.baidu.com passport.bdimg.com cdnjs.cloudflare.com uuap.baidu.com uuap.baidu-int.com *.weiyun.baidu.com wappass.baidu.com hi-static.bj.bcebos.com ops-wps.cdn.bcebos.com wps-office-static.cdn.bcebos.com code.bdstatic.com knowledge-infoflow.cdn.bcebos.com knowledge-infoflow.bj.bcebos.com workflow.cdn.bcebos.com hi-static.cdn.bcebos.com ufosdk.baidu.com office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com uflow.baidu-int.com uflow-gray.baidu-int.com jsdk.baidu.com libs.baidu.com fe.bdimg.com hmcdn.baidu.com hm.baidu.com himonitor.baidu.com cdn.bootcss.com:* qapm.baidu.com *.qatest.baidu.com *.cdn.bcebos.com *.bcebos.com; object-src 'self'; frame-src 'self' baidu: *.infoflow.baidu.com *.im.baidu.com *.neisou.baidu-int.com passport.baidu.com uuap.baidu.com uuap.baidu-int.com hmcdn.baidu.com hm.baidu.com office-service.baidu.com office-service-gray.baidu.com office-gray.weiyun.baidu.com http://office-service-gray.baidu.com https://office-service-gray.baidu.com http://office-gray.weiyun.baidu.com https://office-gray.weiyun.baidu.com ufosdk.baidu.com http://office-online.baidu.com https://office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com learn.baidu.com wvjbscheme: webviewprogressproxy: data:; report-uri https://log.im.baidu.com/gc/csp-report https://report-uri.baidu.com/report?app=hi
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Jul 2024 22:24:42 GMT
Env: online
Etag: "661924a9-11c2"
Last-Modified: Fri, 12 Apr 2024 12:10:17 GMT
Server: openresty
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 2
X-Logid: 472167408420653056
X-Xss-Protection: 1;mode=block
-
Remote address: 8.8.8.8:53
Request: blog.sina.com.cn IN A
Response:
blog.sina.com.cn IN CNAME blogx.sina.com.cn
blogx.sina.com.cn IN A 202.108.0.52
-
Remote address: 8.8.8.8:53
Request: 37440.5p5p.info IN A
Response:
-
Remote address: 8.8.8.8:53
Request: 37440.5p5p.info IN A
Response:
-
Remote address: 8.8.8.8:53
Request: crl.microsoft.com IN A
Response:
crl.microsoft.com IN CNAME crl.www.ms.akadns.net
crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net
a1363.dscg.akamai.net IN A 2.18.190.80
a1363.dscg.akamai.net IN A 2.18.190.71
-
Remote address: 2.18.190.80:80
Request:
GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
ETag: 0x8DCA14B323B2CC0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ff7d3404-301e-006c-4d37-d3bc7d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 26 Jul 2024 22:25:12 GMT
Connection: keep-alive
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
104.193.88.126:80 http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html http 7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe 535 B 550 B 9 8
HTTP Request
GET http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html
HTTP Response
302 -
104.193.88.126:443 https://infoflow.baidu.com/ tls, http 7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe 1.2kB 12.8kB 15 19
HTTP Request
GET https://infoflow.baidu.com/
HTTP Response
200 -
152 B 3
-
152 B 3
-
399 B 1.7kB 4 4
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
HTTP Response
200 -
152 B 3
-
57 B 379 B 1 1
DNS Request
home.51.com
DNS Response
221.204.43.242
119.188.180.230
58.251.62.110
58.251.62.189
58.144.235.61
116.162.203.111
58.251.62.192
1.56.98.101
112.84.131.82
116.177.225.247
211.97.95.244
118.212.138.173
112.84.131.83
58.251.62.191
116.136.188.184
-
61 B 77 B 1 1
DNS Request
blog.myspace.cn
DNS Response
3.64.163.50
-
58 B 143 B 1 1
DNS Request
hi.baidu.com
DNS Response
104.193.88.126
104.193.88.125
-
64 B 149 B 1 1
DNS Request
infoflow.baidu.com
DNS Response
104.193.88.126
104.193.88.125
-
62 B 98 B 1 1
DNS Request
blog.sina.com.cn
DNS Response
202.108.0.52
-
122 B 280 B 2 2
DNS Request
37440.5p5p.info
DNS Request
37440.5p5p.info
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
2.18.190.80
2.18.190.71