4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 00:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Size

124KB
MD5

a09c0fad3033777e3051d6aee28e22f2
SHA1

f262f770a2fd61034101961cf7e59f436e5ec4e2
SHA256

4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c
SHA512

26d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a
SSDEEP

3072:Q9gg2CUptT76YtFD0PvqM28GSff3KDRZHt5HX00C9L:6/Ur6YtaPDj455k0a

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	trivax1.Bin.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-2-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2460-3-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2460-7-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2164-17-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2164-27-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\trivax1.Bin.exe = "C:\\trivax1.Bin\\trivax1.Bin.exe"	trivax1.Bin.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trivax1.Bin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	trivax1.Bin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	trivax1.Bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe
2164	trivax1.Bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe
Token: SeDebugPrivilege	2164	trivax1.Bin.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1196	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	21
PID 2460 wrote to memory of 380	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	3
PID 2460 wrote to memory of 432	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	5
PID 2460 wrote to memory of 492	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	7
PID 2460 wrote to memory of 500	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	8
PID 2460 wrote to memory of 592	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	9
PID 2460 wrote to memory of 672	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	10
PID 2460 wrote to memory of 744	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	11
PID 2460 wrote to memory of 816	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	12
PID 2460 wrote to memory of 856	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	13
PID 2460 wrote to memory of 976	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	15
PID 2460 wrote to memory of 236	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	16
PID 2460 wrote to memory of 112	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	17
PID 2460 wrote to memory of 1060	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	18
PID 2460 wrote to memory of 1116	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	19
PID 2460 wrote to memory of 1168	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	20
PID 2460 wrote to memory of 1196	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	21
PID 2460 wrote to memory of 2044	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	23
PID 2460 wrote to memory of 1424	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	24
PID 2460 wrote to memory of 1612	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	25
PID 2460 wrote to memory of 2360	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	26
PID 2460 wrote to memory of 2160	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	27
PID 2460 wrote to memory of 1856	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2164	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe	31
PID 2164 wrote to memory of 1196	2164	trivax1.Bin.exe	21
PID 2164 wrote to memory of 380	2164	trivax1.Bin.exe	3
PID 2164 wrote to memory of 432	2164	trivax1.Bin.exe	5
PID 2164 wrote to memory of 492	2164	trivax1.Bin.exe	7
PID 2164 wrote to memory of 500	2164	trivax1.Bin.exe	8
PID 2164 wrote to memory of 592	2164	trivax1.Bin.exe	9
PID 2164 wrote to memory of 672	2164	trivax1.Bin.exe	10
PID 2164 wrote to memory of 744	2164	trivax1.Bin.exe	11
PID 2164 wrote to memory of 816	2164	trivax1.Bin.exe	12
PID 2164 wrote to memory of 856	2164	trivax1.Bin.exe	13
PID 2164 wrote to memory of 976	2164	trivax1.Bin.exe	15
PID 2164 wrote to memory of 236	2164	trivax1.Bin.exe	16
PID 2164 wrote to memory of 112	2164	trivax1.Bin.exe	17
PID 2164 wrote to memory of 1060	2164	trivax1.Bin.exe	18
PID 2164 wrote to memory of 1116	2164	trivax1.Bin.exe	19
PID 2164 wrote to memory of 1168	2164	trivax1.Bin.exe	20
PID 2164 wrote to memory of 1196	2164	trivax1.Bin.exe	21
PID 2164 wrote to memory of 2044	2164	trivax1.Bin.exe	23
PID 2164 wrote to memory of 1424	2164	trivax1.Bin.exe	24
PID 2164 wrote to memory of 1612	2164	trivax1.Bin.exe	25
PID 2164 wrote to memory of 2360	2164	trivax1.Bin.exe	26
PID 2164 wrote to memory of 2160	2164	trivax1.Bin.exe	27
PID 2164 wrote to memory of 1856	2164	trivax1.Bin.exe	28
PID 2164 wrote to memory of 2460	2164	trivax1.Bin.exe	30
PID 2164 wrote to memory of 988	2164	trivax1.Bin.exe	32

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2044
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1612
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:236

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1060

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\trivax1.Bin\trivax1.Bin.exe
    "C:\trivax1.Bin\trivax1.Bin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2360

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2160

Network

DNS

traxbax.com

trivax1.Bin.exe

Remote address:

8.8.8.8:53

Request

traxbax.com

IN A

Response
DNS

www.microsoft.com

trivax1.Bin.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

95.100.245.144
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:57:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:57:25 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:57:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:57:45 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:58:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:58:08 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:58:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:58:30 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:58:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:58:53 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:59:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:59:13 GMT
Connection: keep-alive
GET

http://www.microsoft.com/

trivax1.Bin.exe

Remote address:

95.100.245.144:80

Request

GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.microsoft.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: text/html
ETag: "85de642e1467807f64f7e10807df3869:1711562737.176211"
Last-Modified: Tue, 26 Mar 2024 18:16:43 GMT
Server: AkamaiNetStorage
Content-Length: 201253
Expires: Sat, 17 Aug 2024 00:59:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 17 Aug 2024 00:59:35 GMT
Connection: keep-alive
DNS

itunesgiftstore.com

trivax1.Bin.exe

Remote address:

8.8.8.8:53

Request

itunesgiftstore.com

IN A

Response
DNS

googlestat.org

trivax1.Bin.exe

Remote address:

8.8.8.8:53

Request

googlestat.org

IN A

Response
DNS

uploadbit.org

trivax1.Bin.exe

Remote address:

8.8.8.8:53

Request

uploadbit.org

IN A

Response

213.155.21.32:8080

a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe

52 B
1
95.100.245.144:80

http://www.microsoft.com/

http

trivax1.Bin.exe

32.6kB
1.5MB
652
1046

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

HTTP Request

GET http://www.microsoft.com/

HTTP Response

200

8.8.8.8:53

traxbax.com

dns

trivax1.Bin.exe

57 B
130 B
1
1

DNS Request

traxbax.com
8.8.8.8:53

www.microsoft.com

dns

trivax1.Bin.exe

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

95.100.245.144
8.8.8.8:53

itunesgiftstore.com

dns

trivax1.Bin.exe

65 B
138 B
1
1

DNS Request

itunesgiftstore.com
8.8.8.8:53

googlestat.org

dns

trivax1.Bin.exe

60 B
142 B
1
1

DNS Request

googlestat.org
8.8.8.8:53

uploadbit.org

dns

trivax1.Bin.exe

59 B
141 B
1
1

DNS Request

uploadbit.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\trivax1.Bin\config.bin

Filesize
3KB

MD5
96f4ed1e6523ea5fd57e457fe8e12977

SHA1
9c48d689c0d46dd4b30f3441715a384014993be2

SHA256
3e017d7f2bcc0fa41a28f1403d006ab19e46c209b276151c0e53ebda7fe50f64

SHA512
51f9c662f29090a940a6d231e8bf607f43368f73e415edc3138b2ae5f47ab7fb8c96f460e0c822549923c33077c2794aa01586941cecf0f2be739f096a351a08

Download Submit
\trivax1.Bin\trivax1.Bin.exe

Filesize
124KB

MD5
a09c0fad3033777e3051d6aee28e22f2

SHA1
f262f770a2fd61034101961cf7e59f436e5ec4e2

SHA256
4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c

SHA512
26d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a

Download Submit
memory/1196-78-0x000000000BB50000-0x000000000BB9F000-memory.dmp

Filesize
316KB

Download
memory/1196-20-0x000000000BAD0000-0x000000000BB15000-memory.dmp

Filesize
276KB

Download
memory/2164-16-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-23-0x0000000000480000-0x00000000004C5000-memory.dmp

Filesize
276KB

Download
memory/2164-31-0x0000000000480000-0x00000000004C5000-memory.dmp

Filesize
276KB

Download
memory/2164-15-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-27-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-17-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-30-0x0000000000480000-0x00000000004C5000-memory.dmp

Filesize
276KB

Download
memory/2460-0-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/2460-3-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-24-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/2460-2-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-7-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-1-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-4-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.