Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 20:39 UTC

General

  • Target

    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe

  • Size

    430KB

  • MD5

    d2cb2c4500e5de56bf8255e34610a8c0

  • SHA1

    35f1ee92571f47828e822f621783d67d6252b1d2

  • SHA256

    de90bac4129ff264b8b6b68f3d03f5ae2a0bc830fe3519ddd970580d7836b352

  • SHA512

    8c9db4eb14328b286b82e40e86814aa48b21d48b06c4a4929208c419a9f5b98414ab1f18d227b21dc9233187d284a2e0f0a3dbc221b2020a41f148b988482696

  • SSDEEP

    12288:vB3F2de/oZcYi9HvuVQknab8m0p7vxWA:vFYdeccYi9H2yknPp7gA

Malware Config

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe"
    1
    • System Location Discovery: System Language Discovery
    PID:2500

Network

  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
  • flag-us
    DNS
    gclean-soft.com
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    gclean-soft.com
    IN A
    Response
  • flag-us
    DNS
    iplogger.org
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    172.67.74.161
    iplogger.org
    IN A
    104.26.3.46
    iplogger.org
    IN A
    104.26.2.46
  • flag-us
    GET
    http://iplogger.org/1nLz47
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:80
    Request
    GET /1nLz47 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 07 Sep 2024 20:39:25 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1nLz47#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T3l%2FlHZ0WpNoFMBXDKVuENBd3uBhYGvmSgefAevNpiYsOr%2F0VEhGRsLIBCYZYbIPAtfGACWjZ9wXj3%2BA%2Fcs5DJQa3JuA9q6SyTJEU9Z6CXEBikwsKWI0ed0jXOWTbw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf9820f1a15d1fd-LHR
  • flag-us
    GET
    https://iplogger.org/1nL
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:443
    Request
    GET /1nL HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 20:39:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    memory: 0.42596435546875
    expires: Sat, 07 Sep 2024 20:39:25 +0000
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vmuFiUu6657SM6I1vGOb6Ys7d55OqCBqeGGdiQCsx0kys%2BRRo%2FmZ4ZrqdPnR7nrTtmK05G00XqSL%2BPq4gKXPFP0OowFZnJjmF%2FS17F6q%2BvrqVOqyR6fBaWb%2FxytK0w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf982111bc1637f-LHR
  • flag-us
    GET
    https://iplogger.org/1tn
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:443
    Request
    GET /1tn HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 20:39:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    memory: 0.42596435546875
    expires: Sat, 07 Sep 2024 20:39:25 +0000
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wktJRh9a0JniZ1Ujgd%2FDCsc6X89gm943JdvhBC98SzKugbNDbqFm5eC0y634nhwx0mfZLlv0xV7pBI2ykIFEHNHX71%2Biq4f4HvIryQYPztAzzrkEb1OJ7ZSnE%2FTGUw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Report-To: {"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=Hdqwyk4iTfYWguTScm0JmG1sDa1cTfPbA_e9v3AurOk-1725741565-1.0.1.1-tvaKp_ZAdF9BI9dVMQ_eik0RFee4CchphV2vzZX2WgP0Zi8YdGNKZgmC1ufGrc.JAgskiJtUhbgKQZ9to3G51ceB23mgBZiiT.j6g1trU5CKTlFB0rkpzgz4tAINIY1JuLsU8eHXgYdO0daRwuYB.A"}],"group":"cf-csp-endpoint","max_age":86400}
    Content-Security-Policy-Report-Only: script-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=Hdqwyk4iTfYWguTScm0JmG1sDa1cTfPbA_e9v3AurOk-1725741565-1.0.1.1-tvaKp_ZAdF9BI9dVMQ_eik0RFee4CchphV2vzZX2WgP0Zi8YdGNKZgmC1ufGrc.JAgskiJtUhbgKQZ9to3G51ceB23mgBZiiT.j6g1trU5CKTlFB0rkpzgz4tAINIY1JuLsU8eHXgYdO0daRwuYB.A; report-to cf-csp-endpoint
    Server: cloudflare
    CF-RAY: 8bf982125d5a637f-LHR
  • flag-us
    GET
    https://iplogger.org/1PM
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:443
    Request
    GET /1PM HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 20:39:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    memory: 0.42596435546875
    expires: Sat, 07 Sep 2024 20:39:26 +0000
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5KQOKLzGboelgwo1zBOYBKaSO%2F2UCOBcxbqwqTdlkf55CPyKH37CdFH6icaGjTnTRp5RgnIu0hjCXLDB%2Fy6dlRfmLX%2FVGGiG6oj52vuBllLDk7jJE1h58Brdcf2bWw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf982138f70637f-LHR
  • flag-us
    GET
    https://iplogger.org/1z9
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:443
    Request
    GET /1z9 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 20:39:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    memory: 0.42596435546875
    expires: Sat, 07 Sep 2024 20:39:26 +0000
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g%2F%2BC%2BC50RQL73BXvFwBcW271QoXVvFMKD2lGUTKnUSvynve9UaKDayUY5CDM3gx%2FSM4SCsJJf%2F42EMmGHtYj1DUU%2FP%2F1q1Evo%2Fssu2pZpiSZfhGqcRb%2FGtZ%2B1%2FVDOg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf98214a8d7637f-LHR
  • flag-us
    GET
    http://iplogger.org/1tnbw7
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:80
    Request
    GET /1tnbw7 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 07 Sep 2024 20:39:25 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1tnbw7#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zvao1ivpX%2FzvvISWLFpzESnYw69UkhS6ZZBq1DqBw0GpDIg2BXpQ%2F2aEWzKUDGKIUJtSmH%2FGi2Ett6gxmS0zyuC1sdhpw1tRQzhYMueUadVlIQsNT6r7DhAEkUYZfw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf98211aac0416a-LHR
  • flag-us
    GET
    http://iplogger.org/1PMX37
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:80
    Request
    GET /1PMX37 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 07 Sep 2024 20:39:25 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1PMX37#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mr1UpQHGiD1m40qbdtUspJMus1JPH9%2BYTR3PS3nthLCRuqzd3YXilIoUpbFuU5B%2FaOEpa27biKqzV4CfdG6D2RnL7r%2BFp8TPXyhH5UaTpbYUG4mr72w5k2ftWwZo5w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf98212fe89368f-LHR
  • flag-us
    GET
    http://iplogger.org/1z9A57
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    172.67.74.161:80
    Request
    GET /1z9A57 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 || Windows: Admin
    Host: iplogger.org
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 07 Sep 2024 20:39:26 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1z9A57#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0JepR7%2B8zbV0maxtHL3dzEy6oygrdFeKa4mWsZZnYaqT7Dq6LF4h2UKBKn%2F5ON%2BDWLB63YO%2BTkD8KACRvbTeCbU7pFyBXo9GnmR4kTZohez1SAJpIlI0lZ6B%2Bm17Pg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bf982143b9193de-LHR
  • flag-us
    DNS
    g-cleaner.info
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    g-cleaner.info
    IN A
    Response
  • 172.67.74.161:80
    http://iplogger.org/1nLz47
    http
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    494 B
    985 B
    5
    4

    HTTP Request

    GET http://iplogger.org/1nLz47

    HTTP Response

    301
  • 172.67.74.161:443
    https://iplogger.org/1z9
    tls, http
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    2.8kB
    45.1kB
    31
    50

    HTTP Request

    GET https://iplogger.org/1nL

    HTTP Response

    200

    HTTP Request

    GET https://iplogger.org/1tn

    HTTP Response

    200

    HTTP Request

    GET https://iplogger.org/1PM

    HTTP Response

    200

    HTTP Request

    GET https://iplogger.org/1z9

    HTTP Response

    200
  • 172.67.74.161:80
    http://iplogger.org/1tnbw7
    http
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    494 B
    983 B
    5
    4

    HTTP Request

    GET http://iplogger.org/1tnbw7

    HTTP Response

    301
  • 172.67.74.161:80
    http://iplogger.org/1PMX37
    http
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    494 B
    983 B
    5
    4

    HTTP Request

    GET http://iplogger.org/1PMX37

    HTTP Response

    301
  • 172.67.74.161:80
    http://iplogger.org/1z9A57
    http
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    494 B
    987 B
    5
    4

    HTTP Request

    GET http://iplogger.org/1z9A57

    HTTP Response

    301
  • 8.8.8.8:53
    iplogger.org
    dns
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    290 B
    5

    DNS Request

    iplogger.org

    DNS Request

    iplogger.org

    DNS Request

    iplogger.org

    DNS Request

    iplogger.org

    DNS Request

    iplogger.org

  • 8.8.8.8:53
    gclean-soft.com
    dns
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    61 B
    134 B
    1
    1

    DNS Request

    gclean-soft.com

  • 8.8.8.8:53
    iplogger.org
    dns
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    58 B
    106 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    172.67.74.161
    104.26.3.46
    104.26.2.46

  • 8.8.8.8:53
    g-cleaner.info
    dns
    d2cb2c4500e5de56bf8255e34610a8c0_JaffaCakes118.exe
    60 B
    139 B
    1
    1

    DNS Request

    g-cleaner.info

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2500-1-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

  • memory/2500-2-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2500-3-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

  • memory/2500-4-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2500-5-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2500-6-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB
