Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    17/08/2024, 00:57 UTC

General

  • Target

    a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    a09c0fad3033777e3051d6aee28e22f2

  • SHA1

    f262f770a2fd61034101961cf7e59f436e5ec4e2

  • SHA256

    4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c

  • SHA512

    26d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a

  • SSDEEP

    3072:Q9gg2CUptT76YtFD0PvqM28GSff3KDRZHt5HX00C9L:6/Ur6YtaPDj455k0a

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:380
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      2⤵
      PID:492
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
      PID:500
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    PID:592
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      2⤵
      PID:2044
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      2⤵
      PID:1612
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      2⤵
      PID:988
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    1⤵
    PID:672
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    1⤵
    PID:744
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    1⤵
    PID:816
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      2⤵
      PID:1168
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:856
    • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
      PID:1856
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    PID:976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
    PID:236
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    PID:112
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    1⤵
    PID:1060
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1116
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\trivax1.Bin\trivax1.Bin.exe
        "C:\trivax1.Bin\trivax1.Bin.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2164
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
    PID:1424
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    1⤵
    PID:2360
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
    PID:2160

Network

  • US
    DNS
    traxbax.com
    trivax1.Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    traxbax.com
    IN A
    Response
  • US
    DNS
    www.microsoft.com
    trivax1.Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:57:25 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:57:25 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:57:45 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:57:45 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:58:08 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:58:08 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:58:30 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:58:30 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:58:53 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:58:53 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:59:13 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:59:13 GMT
    Connection: keep-alive
  • GB
    GET
    http://www.microsoft.com/
    trivax1.Bin.exe
    Remote address:
    95.100.245.144:80
    Request
    GET / HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: www.microsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
    Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
    Server: AkamaiNetStorage
    Content-Length: 201253
    Expires: Sat, 17 Aug 2024 00:59:35 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Aug 2024 00:59:35 GMT
    Connection: keep-alive
  • US
    DNS
    itunesgiftstore.com
    trivax1.Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    itunesgiftstore.com
    IN A
    Response
  • US
    DNS
    googlestat.org
    trivax1.Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    googlestat.org
    IN A
    Response
  • US
    DNS
    uploadbit.org
    trivax1.Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    uploadbit.org
    IN A
    Response
  • 213.155.21.32:8080
    a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
    52 B
    1
  • 95.100.245.144:80
    http://www.microsoft.com/
    http
    trivax1.Bin.exe
    32.6kB
    1.5MB
    652
    1046

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200

    HTTP Request

    GET http://www.microsoft.com/

    HTTP Response

    200
  • 8.8.8.8:53
    traxbax.com
    dns
    trivax1.Bin.exe
    57 B
    130 B
    1
    1

    DNS Request

    traxbax.com

  • 8.8.8.8:53
    www.microsoft.com
    dns
    trivax1.Bin.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

  • 8.8.8.8:53
    itunesgiftstore.com
    dns
    trivax1.Bin.exe
    65 B
    138 B
    1
    1

    DNS Request

    itunesgiftstore.com

  • 8.8.8.8:53
    googlestat.org
    dns
    trivax1.Bin.exe
    60 B
    142 B
    1
    1

    DNS Request

    googlestat.org

  • 8.8.8.8:53
    uploadbit.org
    dns
    trivax1.Bin.exe
    59 B
    141 B
    1
    1

    DNS Request

    uploadbit.org

MITRE ATT&CK Enterprise v15

Downloads

• C:\trivax1.Bin\config.bin
  Filesize: 3KB
  MD5: 96f4ed1e6523ea5fd57e457fe8e12977
  SHA1: 9c48d689c0d46dd4b30f3441715a384014993be2
  SHA256: 3e017d7f2bcc0fa41a28f1403d006ab19e46c209b276151c0e53ebda7fe50f64
  SHA512: 51f9c662f29090a940a6d231e8bf607f43368f73e415edc3138b2ae5f47ab7fb8c96f460e0c822549923c33077c2794aa01586941cecf0f2be739f096a351a08

• \trivax1.Bin\trivax1.Bin.exe
  Filesize: 124KB
  MD5: a09c0fad3033777e3051d6aee28e22f2
  SHA1: f262f770a2fd61034101961cf7e59f436e5ec4e2
  SHA256: 4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c
  SHA512: 26d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a

• memory/1196-78-0x000000000BB50000-0x000000000BB9F000-memory.dmp
  Filesize: 316KB

• memory/1196-20-0x000000000BAD0000-0x000000000BB15000-memory.dmp
  Filesize: 276KB

• memory/2164-16-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2164-23-0x0000000000480000-0x00000000004C5000-memory.dmp
  Filesize: 276KB

• memory/2164-31-0x0000000000480000-0x00000000004C5000-memory.dmp
  Filesize: 276KB

• memory/2164-15-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2164-27-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2164-17-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2164-30-0x0000000000480000-0x00000000004C5000-memory.dmp
  Filesize: 276KB

• memory/2460-0-0x0000000000402000-0x0000000000405000-memory.dmp
  Filesize: 12KB

• memory/2460-3-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2460-24-0x0000000000402000-0x0000000000405000-memory.dmp
  Filesize: 12KB

• memory/2460-2-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2460-7-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2460-1-0x0000000000400000-0x0000000000477000-memory.dmp
  Filesize: 476KB

• memory/2460-4-0x00000000002E0000-0x00000000002E2000-memory.dmp
  Filesize: 8KB
