Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16/08/2024, 06:00 UTC
Static task
static1
Behavioral task
behavioral1
Sample
9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
-
Size
284KB
-
MD5
9d3512c1635a67cfc4dd87c7a12e361f
-
SHA1
932277e69ee648aafdacadf9bdca4f1246f9ca46
-
SHA256
6c3a498158b5c884210afb416d669bf6cdec59363d36fbef4ef9dec891dba8de
-
SHA512
d996928a601a079a1d0dd1f4586b4ed87f6ba14af56f3d7cc06346bea4f62600dc13d17f8807d2b1c6e15a28ac84ef21c563075dd3de41bdee0b02d4b59e0f1d
-
SSDEEP
6144:ANH6qwy0iixyYE/92YR3zB80j7eWrpRx27/U:AYdXZxy6YR3zKSx27
Malware Config
Extracted
gcleaner
gcl-page.biz
194.145.227.161
Signatures
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
OnlyLogger payload 5 IoCs
resource yara_rule behavioral1/memory/1712-2-0x0000000000220000-0x000000000024F000-memory.dmp family_onlylogger behavioral1/memory/1712-3-0x0000000000400000-0x0000000000431000-memory.dmp family_onlylogger behavioral1/memory/1712-5-0x0000000000220000-0x000000000024F000-memory.dmp family_onlylogger behavioral1/memory/1712-7-0x0000000000400000-0x0000000000431000-memory.dmp family_onlylogger behavioral1/memory/1712-6-0x0000000000400000-0x0000000000876000-memory.dmp family_onlylogger -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestgcl-page.bizIN AResponsegcl-page.bizIN A15.197.192.55
-
Remote address:15.197.192.55:80RequestGET /check.php?pub=mixazed HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: 8C-KF-sG-sQ-H-A
Host: gcl-page.biz
ResponseHTTP/1.1 200 OK
Date: Fri, 16 Aug 2024 06:00:16 GMT
Content-Type: text/html
Content-Length: 126
Connection: keep-alive
-
GEThttp://gcl-page.biz/stats/save.php?pub=mixazed&reason=09d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exeRemote address:15.197.192.55:80RequestGET /stats/save.php?pub=mixazed&reason=0 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: 8C-KF-sG-sQ-H-A
Host: gcl-page.biz
ResponseHTTP/1.1 200 OK
Date: Fri, 16 Aug 2024 06:00:17 GMT
Content-Type: text/html
Content-Length: 135
Connection: keep-alive
-
15.197.192.55:80http://gcl-page.biz/stats/save.php?pub=mixazed&reason=0http9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe612 B 1.1kB 6 6
HTTP Request
GET http://gcl-page.biz/check.php?pub=mixazedHTTP Response
200HTTP Request
GET http://gcl-page.biz/stats/save.php?pub=mixazed&reason=0HTTP Response
200 -
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3