Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 18:05 UTC

General

  • Target

    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe

  • Size

    39KB

  • MD5

    7523bedad24c9e3bdcbeeae7ff0d9e73

  • SHA1

    d82940508b186b80dbfe3038bdac15320bab720f

  • SHA256

    a65b7f236802505674c6d9daeb6f3ab0e0f680f9f678e1e90d353a8088a14fb7

  • SHA512

    42e1960f5acaadb09715b512f813f719f0e60d346c60b996f91951766050ae599e5db702ef7b2302a2ac4230ded6e6ff0ffaf828a227bb086322753bea7a5cc2

  • SSDEEP

    768:Ob6gwXYPv5O1eTGvmqLNILZ2/qBtgbWIQzTGf/:Ob6gwXYnc1eTqgZ3tgbWIQy

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1828

Network

  • flag-us
    DNS
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    home.51.com
    IN A
    Response
    home.51.com
    IN CNAME
    home.51.com.dsa.dnsv1.com.cn
    home.51.com.dsa.dnsv1.com.cn
    IN CNAME
    ppjzolql.sched.d0.tdnsdp1.cn
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    221.204.43.242
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    119.188.180.230
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    58.251.62.110
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    58.251.62.189
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    58.144.235.61
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    116.162.203.111
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    58.251.62.192
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    1.56.98.101
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    112.84.131.82
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    116.177.225.247
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    211.97.95.244
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    118.212.138.173
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    112.84.131.83
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    58.251.62.191
    ppjzolql.sched.d0.tdnsdp1.cn
    IN A
    116.136.188.184
  • flag-us
    DNS
    blog.myspace.cn
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    blog.myspace.cn
    IN A
    Response
    blog.myspace.cn
    IN A
    3.64.163.50
  • flag-us
    DNS
    hi.baidu.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    hi.baidu.com
    IN A
    Response
    hi.baidu.com
    IN CNAME
    im.n.shifen.com
    im.n.shifen.com
    IN CNAME
    in.m.wshifen.com
    in.m.wshifen.com
    IN A
    104.193.88.126
    in.m.wshifen.com
    IN A
    104.193.88.125
  • flag-us
    GET
    http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    104.193.88.126:80
    Request
    GET /jack27309937/blog/item/817557e9494440e9b3fb9541.html HTTP/1.1
    Host: hi.baidu.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Content-Length: 49
    Content-Type: text/html; charset=utf-8
    Date: Fri, 26 Jul 2024 22:24:40 GMT
    Location: https://infoflow.baidu.com
  • flag-us
    DNS
    infoflow.baidu.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    infoflow.baidu.com
    IN A
    Response
    infoflow.baidu.com
    IN CNAME
    im.n.shifen.com
    im.n.shifen.com
    IN CNAME
    in.m.wshifen.com
    in.m.wshifen.com
    IN A
    104.193.88.126
    in.m.wshifen.com
    IN A
    104.193.88.125
  • flag-us
    GET
    https://infoflow.baidu.com/
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    104.193.88.126:443
    Request
    GET / HTTP/1.1
    Host: infoflow.baidu.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Connection: keep-alive
    Content-Length: 4546
    Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample' blob: baidu: *.infoflow.baidu.com *.im.baidu.com zhiqiu.baidu.com passport.baidu.com passport.bdimg.com cdnjs.cloudflare.com uuap.baidu.com uuap.baidu-int.com *.weiyun.baidu.com wappass.baidu.com hi-static.bj.bcebos.com ops-wps.cdn.bcebos.com wps-office-static.cdn.bcebos.com code.bdstatic.com knowledge-infoflow.cdn.bcebos.com knowledge-infoflow.bj.bcebos.com workflow.cdn.bcebos.com hi-static.cdn.bcebos.com ufosdk.baidu.com office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com uflow.baidu-int.com uflow-gray.baidu-int.com jsdk.baidu.com libs.baidu.com fe.bdimg.com hmcdn.baidu.com hm.baidu.com himonitor.baidu.com cdn.bootcss.com:* qapm.baidu.com *.qatest.baidu.com *.cdn.bcebos.com *.bcebos.com; object-src 'self'; frame-src 'self' baidu: *.infoflow.baidu.com *.im.baidu.com *.neisou.baidu-int.com passport.baidu.com uuap.baidu.com uuap.baidu-int.com hmcdn.baidu.com hm.baidu.com office-service.baidu.com office-service-gray.baidu.com office-gray.weiyun.baidu.com http://office-service-gray.baidu.com https://office-service-gray.baidu.com http://office-gray.weiyun.baidu.com https://office-gray.weiyun.baidu.com ufosdk.baidu.com http://office-online.baidu.com https://office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com learn.baidu.com wvjbscheme: webviewprogressproxy: data:; report-uri https://log.im.baidu.com/gc/csp-report https://report-uri.baidu.com/report?app=hi
    Content-Type: text/html; charset=utf-8
    Date: Fri, 26 Jul 2024 22:24:42 GMT
    Env: online
    Etag: "661924a9-11c2"
    Last-Modified: Fri, 12 Apr 2024 12:10:17 GMT
    Server: openresty
    Vary: Accept-Encoding
    X-Envoy-Upstream-Service-Time: 2
    X-Logid: 472167408420653056
    X-Xss-Protection: 1;mode=block
  • flag-us
    DNS
    blog.sina.com.cn
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    blog.sina.com.cn
    IN A
    Response
    blog.sina.com.cn
    IN CNAME
    blogx.sina.com.cn
    blogx.sina.com.cn
    IN A
    202.108.0.52
  • flag-us
    DNS
    37440.5p5p.info
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    37440.5p5p.info
    IN A
    Response
  • flag-us
    DNS
    37440.5p5p.info
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    37440.5p5p.info
    IN A
    Response
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.18.190.80
    a1363.dscg.akamai.net
    IN A
    2.18.190.71
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.18.190.80:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: ff7d3404-301e-006c-4d37-d3bc7d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 26 Jul 2024 22:25:12 GMT
    Connection: keep-alive
  • 221.204.43.242:80
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 119.188.180.230:80
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 58.251.62.110:80
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 3.64.163.50:80
    blog.myspace.cn
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 104.193.88.126:80
    http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html
    http
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    535 B
    550 B
    9
    8

    HTTP Request

    GET http://hi.baidu.com/jack27309937/blog/item/817557e9494440e9b3fb9541.html

    HTTP Response

    302
  • 104.193.88.126:443
    https://infoflow.baidu.com/
    tls, http
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    1.2kB
    12.8kB
    15
    19

    HTTP Request

    GET https://infoflow.baidu.com/

    HTTP Response

    200
  • 202.108.0.52:80
    blog.sina.com.cn
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 58.251.62.189:80
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 2.18.190.80:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 58.144.235.61:80
    home.51.com
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    152 B
    3
  • 8.8.8.8:53
    home.51.com
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    57 B
    379 B
    1
    1

    DNS Request

    home.51.com

    DNS Response

    221.204.43.242
    119.188.180.230
    58.251.62.110
    58.251.62.189
    58.144.235.61
    116.162.203.111
    58.251.62.192
    1.56.98.101
    112.84.131.82
    116.177.225.247
    211.97.95.244
    118.212.138.173
    112.84.131.83
    58.251.62.191
    116.136.188.184

  • 8.8.8.8:53
    blog.myspace.cn
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    61 B
    77 B
    1
    1

    DNS Request

    blog.myspace.cn

    DNS Response

    3.64.163.50

  • 8.8.8.8:53
    hi.baidu.com
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    58 B
    143 B
    1
    1

    DNS Request

    hi.baidu.com

    DNS Response

    104.193.88.126
    104.193.88.125

  • 8.8.8.8:53
    infoflow.baidu.com
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    64 B
    149 B
    1
    1

    DNS Request

    infoflow.baidu.com

    DNS Response

    104.193.88.126
    104.193.88.125

  • 8.8.8.8:53
    blog.sina.com.cn
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    62 B
    98 B
    1
    1

    DNS Request

    blog.sina.com.cn

    DNS Response

    202.108.0.52

  • 8.8.8.8:53
    37440.5p5p.info
    dns
    7523bedad24c9e3bdcbeeae7ff0d9e73_JaffaCakes118.exe
    122 B
    280 B
    2
    2

    DNS Request

    37440.5p5p.info

    DNS Request

    37440.5p5p.info

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.18.190.80
    2.18.190.71

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1828-0-0x0000000000400000-0x000000000040AAF0-memory.dmp

    Filesize

    42KB