Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 04:19 UTC

General

  • Target

    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    d10f3e52e0170d2ba634bdcfa9ecb43e

  • SHA1

    41f0d67afed5c0838ef0adb047c34875ec80c5b0

  • SHA256

    6f2642da0cee6e4ed6866607761f92effdcf21171a0540abbe519732eaffdcf7

  • SHA512

    bcd18abc261ea0382656610ba42085bf184c5faf8772cf7bee9b279185eec9bb1a0a52509ff0c1cd3b9279a1cdca329dba41649d9d262f032f1ec14132731228

  • SSDEEP

    24576:6ArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdPYfCG6bYVxXNVD8pVv:6e0mfW3YNPRRlG4saIprQNy

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:992

Network

  • DNS 13.86.106.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 13.86.106.20.in-addr.arpa IN PTR
    Response:
  • DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response:
  • DNS htl5656556.u1.luyouxia.net (process: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe)
    Remote address: 8.8.8.8:53
    Request: htl5656556.u1.luyouxia.net IN A
    Response:
      htl5656556.u1.luyouxia.net IN CNAME u1.luyouxia.net
      u1.luyouxia.net IN CNAME b1.luyouxia.net
      b1.luyouxia.net IN A 123.99.198.201
      b1.luyouxia.net IN A 111.173.80.157
  • DNS 73.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 73.31.126.40.in-addr.arpa IN PTR
    Response:
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • DNS 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response:
  • DNS 50.23.12.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 50.23.12.20.in-addr.arpa IN PTR
    Response:
  • DNS 18.31.95.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 18.31.95.13.in-addr.arpa IN PTR
    Response:
  • DNS 22.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 22.236.111.52.in-addr.arpa IN PTR
    Response:
  • DNS 22.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 22.236.111.52.in-addr.arpa IN PTR
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    260 B
    5
  • 123.99.198.201:53071
    htl5656556.u1.luyouxia.net
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    52 B
    1
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    htl5656556.u1.luyouxia.net
    dns
    d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
    72 B
    135 B
    1
    1

    DNS Request

    htl5656556.u1.luyouxia.net

    DNS Response

    123.99.198.201
    111.173.80.157

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    22.236.111.52.in-addr.arpa

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    2004bcee923b0e0222f4cab87c2c2a3d

    SHA1

    0a3c122b7cfe403403d913ecc1b328480b1bfc2a

    SHA256

    f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

    SHA512

    cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    735B

    MD5

    41de862d61a3e071cd3050e2eadf59ab

    SHA1

    0ac21f7a7dbb9e2ba601ba84ce4d0ba86cf119d1

    SHA256

    1e46176cab0c32ed1b78663d61c1729c6d1a7bbc79f02cebb604c0de1109c844

    SHA512

    65ddafeae0ad19104a342efd2b77a064736ea796a2d9f802f6081e55e6a2d383990f5e8a8558257cf8c9a905fc1baa2bf8efba7db802555a788abc36f80461ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    23f637a3810959f3cab1406b9b0904bb

    SHA1

    9d3e0c425c156c72e167a07155066880566e649f

    SHA256

    1d02e25a23156be13afa686f1bb5437ce9591f02c985a9f1028c895f90ba72b0

    SHA512

    83b66add76ba76a5ca6fc95f01c5d19a9758dce475d87f0da065d769e661b7d01d3b848164cc74f824aabf38c64a79af927d6deb47558153010b949386d8fd53

  • memory/2608-0-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-16-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-19-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-22-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-26-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-29-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-32-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2608-35-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB
