Analysis

  • max time kernel
    62s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/08/2024, 05:23 UTC

General

  • Target

    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe

  • Size

    36KB

  • MD5

    ba83148da9e019f23e3dd564491cee71

  • SHA1

    4b3ec807e2c610c3c4737157c1cf7c02c1f4b28c

  • SHA256

    9c595737b3de0df56574d6aa102e5f8cd92cdc8f5cbd748abab285a2267a25de

  • SHA512

    1b0f761ea846dde2dfa2d3ebd41673ea251122785c4cc4de38212dc7b33282a522cc5a779853078cf78e0b98f380ab1f7cd7b2bbd744f9943435e1c2f11d52fa

  • SSDEEP

    384:9xxyXIZZSO9W4ui0Ch2FBvvikkth9Tjbacva8px0HxCfJCpLHGfJCpL3:9eXIe14uwh2TvvQhRjbacva8tfGGf2

Malware Config

Signatures

  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 16 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies data under HKEY_USERS (27 IoCs)
  • Modifies registry class (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies data under HKEY_USERS
    • Modifies registry class
    PID:1752
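The Signatures and Processes sections above describe four host behaviours that together make PID 1752 worth flagging on a real endpoint: a binary running from a user profile writes DLLs into SysWOW64, loads them, adds a Run key, and rewrites the Internet Explorer start page. The following Python is an added example, not part of the tria.ge report, that correlates these behaviours per process over Sysmon-style events. The event field names follow Sysmon's schema (EventID 7 ImageLoad, 11 FileCreate, 13 RegistrySet); the sample events themselves are constructed to mirror PID 1752 and a benign installer, and the Run-key value name and the SID in them are made up. The DLL hashes are copied from the Downloads section of this report.

```python
"""Correlate dropped-DLL, Run-key and IE start-page behaviour per process
over constructed Sysmon-style events. Added example, not tria.ge code."""
import re
from collections import defaultdict

# SHA256 values of the four dropped DLLs, copied from the report's Downloads section.
DROPPED_DLL_SHA256 = {
    "cb702709318aa3ecaa574d8ecee7067098f74317dde40e4d057cb50cbeea8442": "ld1-1-.dll",
    "dd90a0ca50ab0c7668f5184166d7848b1d773ae2b862382f18c85d3c18cb02c9": "nC-syn.dll",
    "a8217ea2fc079a115a28a6c365bfaabd7ce261d5d3454d853f9592c7a53706a0": "schewico.dll",
    "df60ee913a28e9154b4deaddafcd70c4580f0a946dceb28995ed73bdcfcd29f0": "vement.dll",
}

SYSTEM_DLL_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.dll$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
IE_START_PAGE_RE = re.compile(r"\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page$", re.I)


def parse_hashes(field):
    """Sysmon 'Hashes' field ('MD5=..,SHA256=..') -> {'MD5': .., 'SHA256': ..} (values lower-cased)."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}


def classify(ev):
    """Return the behaviour label a single event exhibits, or None if it is unremarkable."""
    eid = ev["EventID"]
    if eid == 11:  # FileCreate: DLL written into a system directory by a user-profile binary
        if SYSTEM_DLL_RE.match(ev["TargetFilename"]) and USER_WRITABLE_RE.match(ev["Image"]):
            return "drops DLL in system directory"
    elif eid == 7:  # ImageLoad: a known dropped DLL, or any unsigned DLL from a system directory
        name = DROPPED_DLL_SHA256.get(parse_hashes(ev["Hashes"]).get("SHA256"))
        if name:
            return f"loads known dropped DLL {name}"
        if SYSTEM_DLL_RE.match(ev["ImageLoaded"]) and ev.get("Signed", "true") == "false":
            return "loads unsigned DLL from system directory"
    elif eid == 13:  # RegistrySet: Run-key persistence or IE start page change
        if RUN_KEY_RE.search(ev["TargetObject"]):
            return "adds Run key"
        if IE_START_PAGE_RE.search(ev["TargetObject"]):
            return "modifies Internet Explorer start page"
    return None


def correlate(events, min_findings=2):
    """Group findings by ProcessGuid; keep processes showing >= min_findings distinct behaviours."""
    per_proc = defaultdict(lambda: {"image": None, "findings": set()})
    for ev in events:
        label = classify(ev)
        if label:
            rec = per_proc[ev["ProcessGuid"]]
            rec["image"] = ev["Image"]
            rec["findings"].add(label)
    return {g: {"image": r["image"], "findings": sorted(r["findings"])}
            for g, r in per_proc.items() if len(r["findings"]) >= min_findings}


# Constructed events, not real telemetry. {A} mirrors PID 1752; {B} is a benign installer.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe"
SID = "S-1-5-21-1-1-1-1000"  # made-up SID
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{A}", "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\SysWOW64\\vement.dll"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": SAMPLE, "Signed": "false",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\vement.dll",
     "Hashes": "MD5=1641cf2bce0ad11f826c42646fa60a92,"
               "SHA256=df60ee913a28e9154b4deaddafcd70c4580f0a946dceb28995ed73bdcfcd29f0"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": SAMPLE,  # value name "vement" is constructed
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vement"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"},
    {"EventID": 11, "ProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor.dll"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vendor.dll", "Signed": "true",
     "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for guid, rec in correlate(SAMPLE_EVENTS).items():
        print(guid, rec["image"])
        for finding in rec["findings"]:
            print("  -", finding)
```

Requiring two or more distinct behaviours per process is what keeps the benign installer out: msiexec.exe also writes a DLL into System32, but it runs from the system directory, the DLL is signed, and it sets no Run key. On a Windows 7 host the sample's DLLs land in SysWOW64 because the process is 32-bit; the pattern covers System32 as well for a 64-bit dropper.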

Network

  • Country: US
    DNS
    69sexsearch.com
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    69sexsearch.com
    IN A
    Response
  • Country: US
    DNS
    dapsol.com
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    dapsol.com
    IN A
    Response
    dapsol.com
    IN A
    50.6.160.83
  • Country: US
    GET
    http://dapsol.com/private/X/6.exe
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    Remote address:
    50.6.160.83:80
    Request
    GET /private/X/6.exe HTTP/1.1
    Host: dapsol.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 23 Aug 2024 05:23:46 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade
    Last-Modified: Tue, 28 Nov 2023 22:21:16 GMT
    Accept-Ranges: bytes
    Content-Length: 746
    Vary: Accept-Encoding
    Content-Type: text/html
  • Country: US
    DNS
    realsearch.cc
    Remote address:
    8.8.8.8:53
    Request
    realsearch.cc
    IN A
    Response
    realsearch.cc
    IN A
    95.216.33.150
  • Country: FI
    GET
    http://realsearch.cc/?gv=666165658560678160846655146D383C3CFC3E3D395155
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    Remote address:
    95.216.33.150:80
    Request
    GET /?gv=666165658560678160846655146D383C3CFC3E3D395155 HTTP/1.1
    Host: realsearch.cc
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.1
    Date: Fri, 23 Aug 2024 05:24:31 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: https://realsearch.cc/?gv=666165658560678160846655146D383C3CFC3E3D395155
  • 50.6.160.83:80
    http://dapsol.com/private/X/6.exe
    http
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    582 B
    1.2kB
    11
    4

    HTTP Request

    GET http://dapsol.com/private/X/6.exe

    HTTP Response

    404
  • 95.216.33.150:80
    http://realsearch.cc/?gv=666165658560678160846655146D383C3CFC3E3D395155
    http
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    365 B
    644 B
    6
    5

    HTTP Request

    GET http://realsearch.cc/?gv=666165658560678160846655146D383C3CFC3E3D395155

    HTTP Response

    301
  • 95.216.33.150:443
    realsearch.cc
    tls
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    394 B
    219 B
    5
    5
  • 95.216.33.150:443
    realsearch.cc
    tls
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    356 B
    219 B
    5
    5
  • 95.216.33.150:443
    realsearch.cc
    tls
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    288 B
    219 B
    5
    5
  • 95.216.33.150:443
    realsearch.cc
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    190 B
    92 B
    4
    2
  • 8.8.8.8:53
    69sexsearch.com
    dns
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    61 B
    134 B
    1
    1

    DNS Request

    69sexsearch.com

  • 8.8.8.8:53
    dapsol.com
    dns
    ba83148da9e019f23e3dd564491cee71_JaffaCakes118.exe
    56 B
    72 B
    1
    1

    DNS Request

    dapsol.com

    DNS Response

    50.6.160.83

  • 8.8.8.8:53
    realsearch.cc
    dns
    59 B
    75 B
    1
    1

    DNS Request

    realsearch.cc

    DNS Response

    95.216.33.150
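Two points in the network capture above matter for triage. First, the GET for http://dapsol.com/private/X/6.exe returned 404, so the second stage was never retrieved and the behaviour recorded in this report is that of the downloader stub alone; a host that made the same request should still be treated as compromised. Second, the requests as recorded carry only Host and Cache-Control headers, with no User-Agent, and the realsearch.cc beacon puts a 46-character hex token in a gv= query parameter. The Python below is an added example, not part of the tria.ge report, that applies the report's indicators plus those two generic patterns to proxy and DNS log lines. The tab-separated log layout and the sample lines are constructed for this example; the internal client addresses and the 203.0.113.10 benign destination are made up.

```python
"""Match this report's network indicators and request patterns against
constructed proxy/DNS log lines. Added example, not tria.ge code."""
import re
from urllib.parse import urlparse, parse_qs

# Indicators copied from the report's Network section.
IOC_DOMAINS = {"69sexsearch.com", "dapsol.com", "realsearch.cc"}
IOC_IPS = {"50.6.160.83", "95.216.33.150"}
PAYLOAD_URL = "http://dapsol.com/private/X/6.exe"

# The observed gv value is 46 hex characters; accept any long hex token.
GV_TOKEN_RE = re.compile(r"^[0-9A-F]{40,}$", re.I)


def parse_line(line):
    """Constructed tab-separated layout:
    dns : ts  src  dns   qname  rdata|-
    http: ts  src  http  method  url  status  dst_ip  user_agent|-"""
    f = line.split("\t")
    if f[2] == "dns":
        return {"ts": f[0], "src": f[1], "kind": "dns",
                "qname": f[3].lower(), "rdata": None if f[4] == "-" else f[4]}
    return {"ts": f[0], "src": f[1], "kind": "http", "method": f[3], "url": f[4],
            "status": int(f[5]), "dst": f[6], "ua": None if f[7] == "-" else f[7]}


def rules_for(rec):
    """Return the list of rule names a single record triggers."""
    hits = []
    if rec["kind"] == "dns":
        if rec["qname"] in IOC_DOMAINS:
            hits.append("dns: query for known indicator domain")
        return hits
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    if host in IOC_DOMAINS or rec["dst"] in IOC_IPS:
        hits.append("http: contact with known indicator host")
    if u.scheme == "http" and u.path.lower().endswith(".exe") and rec["ua"] is None:
        hits.append("http: executable fetched over plaintext HTTP with no User-Agent")
    gv = parse_qs(u.query).get("gv", [""])[0]
    if GV_TOKEN_RE.match(gv):
        hits.append("http: long hex gv= token in query (realsearch.cc beacon pattern)")
    if rec["url"] == PAYLOAD_URL and rec["status"] == 404:
        hits.append("note: payload URL returned 404; fetch attempted, second stage not observed")
    return hits


def scan(log_text):
    """Run every rule over every non-empty line; return one alert per rule hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in rules_for(rec):
            alerts.append({"ts": rec["ts"], "src": rec["src"], "rule": rule})
    return alerts


def hosts_to_triage(alerts):
    """Distinct internal sources that produced at least one alert."""
    return sorted({a["src"] for a in alerts})


# Constructed log lines mirroring the sandbox traffic (10.0.0.7) plus benign noise (10.0.0.9).
SAMPLE_LOG = "\n".join([
    "2024-08-23T05:23:40Z\t10.0.0.7\tdns\t69sexsearch.com\t-",
    "2024-08-23T05:23:41Z\t10.0.0.7\tdns\tdapsol.com\t50.6.160.83",
    "2024-08-23T05:23:46Z\t10.0.0.7\thttp\tGET\thttp://dapsol.com/private/X/6.exe\t404\t50.6.160.83\t-",
    "2024-08-23T05:24:30Z\t10.0.0.7\tdns\trealsearch.cc\t95.216.33.150",
    "2024-08-23T05:24:31Z\t10.0.0.7\thttp\tGET\t"
    "http://realsearch.cc/?gv=666165658560678160846655146D383C3CFC3E3D395155\t301\t95.216.33.150\t-",
    "2024-08-23T05:25:00Z\t10.0.0.9\tdns\texample.com\t203.0.113.10",
    "2024-08-23T05:25:01Z\t10.0.0.9\thttp\tGET\thttp://example.com/update.exe\t200\t203.0.113.10\tMozilla/5.0",
])

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["src"], a["rule"])
    print("triage:", hosts_to_triage(scan(SAMPLE_LOG)))
```

The benign 10.0.0.9 download is deliberately an .exe over plain HTTP: it is not flagged because it carries a User-Agent, which shows that the no-User-Agent rule is a weak signal on its own and is meant to be combined with the indicator match or the gv= pattern. The 301 to https://realsearch.cc/ means the follow-up beacons are the TLS sessions listed above, so for those only the domain, the IP and the TLS metadata are available to a network sensor.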

MITRE ATT&CK Enterprise v15


Downloads

  • \Windows\SysWOW64\ld1-1-.dll

    Filesize

    1KB

    MD5

    b4be0374e3765ed179238fc33392c1d4

    SHA1

    fae17ee8a9ef768299d33f334d8e6a49ca6d350e

    SHA256

    cb702709318aa3ecaa574d8ecee7067098f74317dde40e4d057cb50cbeea8442

    SHA512

    9258731d2c656dc64f2ea4bd8e32662c212e577927f735eef5a718b02546c2cbf1215964b0e4e33cb1b6f218021be11dcb22b7c7c46691e6c24faf019822e53d

  • \Windows\SysWOW64\nC-syn.dll

    Filesize

    2KB

    MD5

    b7e6e91e7a8efbc7a2014ceb6961da1d

    SHA1

    451fc2c2d7aed9efbdaa7d2ce3839a1488eb17cb

    SHA256

    dd90a0ca50ab0c7668f5184166d7848b1d773ae2b862382f18c85d3c18cb02c9

    SHA512

    c0de05b5c4be627b1bbd334c40de3c336b6a3265eecb428a8fdcc4d9ccb7b0e2ffc5cdaf6a02859b8f20dbe6feaa3acf176418b2ae13831706507a38532d9261

  • \Windows\SysWOW64\schewico.dll

    Filesize

    2KB

    MD5

    831c549c3903dce08aff4225a0731b5d

    SHA1

    3c94df395a2b0cfdf7922c54e978620c7f7e4574

    SHA256

    a8217ea2fc079a115a28a6c365bfaabd7ce261d5d3454d853f9592c7a53706a0

    SHA512

    b287b618e93396f2e424c9f67764e7180150bbb5c8cd0ebff6f56a1737e6ecf70bb754a36f9f3715e6f5a7dc0ae85453b10c01b75b10700368a023357068c7a6

  • \Windows\SysWOW64\vement.dll

    Filesize

    9KB

    MD5

    1641cf2bce0ad11f826c42646fa60a92

    SHA1

    557bc9148ce2ea29e0d2f28d55003ff84fada10d

    SHA256

    df60ee913a28e9154b4deaddafcd70c4580f0a946dceb28995ed73bdcfcd29f0

    SHA512

    723dec4e1dba2ff8f474247fe270d018145e229e5d7f201d517a0ef6ec8f397fc4d2196e116b5ac7ef9166fc07af1c012f9b079805d9738132780fca044eff7c

  • memory/1752-11-0x0000000010000000-0x0000000010003000-memory.dmp

    Filesize

    12KB

  • memory/1752-14-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

  • memory/1752-15-0x0000000000261000-0x0000000000262000-memory.dmp

    Filesize

    4KB

  • memory/1752-20-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

  • memory/1752-19-0x0000000000270000-0x0000000000273000-memory.dmp

    Filesize

    12KB

  • memory/1752-27-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

  • memory/1752-26-0x0000000000370000-0x0000000000373000-memory.dmp

    Filesize

    12KB
