Analysis

  • max time kernel: 93s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12 Sep 2024, 05:29 UTC

General

  • Target: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
  • Size: 4.4MB
  • MD5: dbe54b757c3022bfef90adce8329fb90
  • SHA1: c04db0b2b712161333c84b8c8b5754771e92aae8
  • SHA256: cdbb95ad47fddb9a7395b08a1d54a7dadc57b4b0f77faa82236cd7a9138c6a0b
  • SHA512: a1de56a2f8a774869d55cde8bf20c28a996e52b465f680beada937839e595340f349658b1c39640fe1dfc562dea11b7f905ecdec399b567a216a0f6e155b14a1
  • SSDEEP: 24576:6y14jj33AIVUidgL3u3Bkrg+yylaSIbb4gBSwIg194ObZpk3ersoHll6IVvNkzG3:WXndRAVYSozv95yCFZCLT6ye

Score
6/10

Malware Config

Signatures

  • Checks for any installed AV software in registry (1 TTP, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe"
    PID: 2880
    • Checks for any installed AV software in registry
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry

Network

  • DNS  ec2-52-87-100-16.compute-1.amazonaws.com  (remote: US)
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request:  ec2-52-87-100-16.compute-1.amazonaws.com IN A
    Response: ec2-52-87-100-16.compute-1.amazonaws.com IN A 52.87.100.16
  • POST  http://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.php  (remote: US)
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Remote address: 52.87.100.16:80
    Request:
      POST /stat/col.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
      Content-Length: 1082
      Host: ec2-52-87-100-16.compute-1.amazonaws.com
    Response:
      HTTP/1.1 401 Unauthorized
      Server: nginx/1.10.1
      Date: Thu, 12 Sep 2024 05:29:45 GMT
      Content-Type: text/html
      Content-Length: 597
      Connection: keep-alive
      WWW-Authenticate: Basic realm="closed site"
  • DNS  154.239.44.20.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  154.239.44.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  alt.tubgiants.host  (remote: US)
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request:  alt.tubgiants.host IN A
    Response: (empty)
  • DNS  com.bushesstocking.icu  (remote: US)
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request:  com.bushesstocking.icu IN A
    Response: (empty)
  • DNS  16.100.87.52.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  16.100.87.52.in-addr.arpa IN PTR
    Response: 16.100.87.52.in-addr.arpa IN PTR ec2-52-87-100-16.compute-1.amazonaws.com
  • DNS  95.221.229.192.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  74.32.126.40.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  74.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  149.220.183.52.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  26.165.165.52.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  26.165.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  198.187.3.20.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  172.214.232.199.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  172.210.232.199.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  14.227.111.52.in-addr.arpa  (remote: US)
    Process: (none recorded)
    Remote address: 8.8.8.8:53
    Request:  14.227.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 52.87.100.16:80 (http)  http://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.php
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Sent: 1.6kB in 6 packets; Received: 972 B in 4 packets
    HTTP Request: POST http://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.php
    HTTP Response: 401
  • 8.8.8.8:53 (dns)  ec2-52-87-100-16.compute-1.amazonaws.com
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Sent: 86 B in 1 packet; Received: 102 B in 1 packet
    DNS Request: ec2-52-87-100-16.compute-1.amazonaws.com
    DNS Response: 52.87.100.16
  • 8.8.8.8:53 (dns)  154.239.44.20.in-addr.arpa
    Process: (none recorded)
    Sent: 72 B in 1 packet; Received: 158 B in 1 packet
    DNS Request: 154.239.44.20.in-addr.arpa
  • 8.8.8.8:53 (dns)  alt.tubgiants.host
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Sent: 64 B in 1 packet; Received: 129 B in 1 packet
    DNS Request: alt.tubgiants.host
  • 8.8.8.8:53 (dns)  com.bushesstocking.icu
    Process: dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
    Sent: 68 B in 1 packet; Received: 133 B in 1 packet
    DNS Request: com.bushesstocking.icu
  • 8.8.8.8:53 (dns)  16.100.87.52.in-addr.arpa
    Process: (none recorded)
    Sent: 71 B in 1 packet; Received: 125 B in 1 packet
    DNS Request: 16.100.87.52.in-addr.arpa
  • 8.8.8.8:53 (dns)  95.221.229.192.in-addr.arpa
    Process: (none recorded)
    Sent: 73 B in 1 packet; Received: 144 B in 1 packet
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 (dns)  74.32.126.40.in-addr.arpa
    Process: (none recorded)
    Sent: 71 B in 1 packet; Received: 157 B in 1 packet
    DNS Request: 74.32.126.40.in-addr.arpa
  • 8.8.8.8:53 (dns)  149.220.183.52.in-addr.arpa
    Process: (none recorded)
    Sent: 73 B in 1 packet; Received: 147 B in 1 packet
    DNS Request: 149.220.183.52.in-addr.arpa
  • 8.8.8.8:53 (dns)  26.165.165.52.in-addr.arpa
    Process: (none recorded)
    Sent: 72 B in 1 packet; Received: 146 B in 1 packet
    DNS Request: 26.165.165.52.in-addr.arpa
  • 8.8.8.8:53 (dns)  198.187.3.20.in-addr.arpa
    Process: (none recorded)
    Sent: 71 B in 1 packet; Received: 157 B in 1 packet
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53 (dns)  172.214.232.199.in-addr.arpa
    Process: (none recorded)
    Sent: 74 B in 1 packet; Received: 128 B in 1 packet
    DNS Request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53 (dns)  172.210.232.199.in-addr.arpa
    Process: (none recorded)
    Sent: 74 B in 1 packet; Received: 128 B in 1 packet
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53 (dns)  14.227.111.52.in-addr.arpa
    Process: (none recorded)
    Sent: 72 B in 1 packet; Received: 158 B in 1 packet
    DNS Request: 14.227.111.52.in-addr.arpa
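
The single HTTP exchange in this report is a form-encoded POST of 1082 bytes to /stat/col.php on an EC2 instance addressed by its auto-assigned hostname, answered 401 with a Basic realm of "closed site", sent by a process whose User-Agent claims Internet Explorer 10 on Windows NT 6.2 while the sandbox runs Windows 10 2004. The script below is an added example (not tria.ge code) that turns those four observations into log triage heuristics; the HttpRecord shape, the heuristic names, the benign control record and the Windows 10 client version field are the author's constructions.

```python
"""Heuristic triage of HTTP log records for the beacon pattern shown in this report.

Added example, not tria.ge code. SAMPLE_RECORDS is constructed from the report's own
request/response fields plus one benign control; the checks are the author's choices.
"""
import re
from dataclasses import dataclass

# Auto-assigned EC2 public names: ec2-A-B-C-D.<region>.compute.amazonaws.com, or
# ec2-A-B-C-D.compute-1.amazonaws.com for us-east-1.
EC2_DEFAULT_HOST = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.(?:[a-z0-9-]+\.compute|compute-1)\.amazonaws\.com$"
)
# "MSIE 10.0; Windows NT 6.2" is the Internet Explorer 10 on Windows 8 token pair.
MSIE_UA = re.compile(r"MSIE (\d+)\.0; Windows NT (\d+\.\d+)")

@dataclass
class HttpRecord:
    host: str
    dst_ip: str
    method: str
    path: str
    user_agent: str
    content_type: str = ""
    content_length: int = 0
    status: int = 0
    www_authenticate: str = ""
    client_nt_version: str = ""  # real client OS per sandbox/EDR, e.g. "10.0" (assumed field)

def ec2_host_encodes_ip(host, ip):
    """True when host is an EC2 default name whose embedded address is exactly `ip`."""
    m = EC2_DEFAULT_HOST.match(host.lower())
    return bool(m) and ".".join(m.group(1, 2, 3, 4)) == ip

def triage(rec):
    """Return the heuristics a record trips, in a fixed order; empty means nothing notable."""
    reasons = []
    if ec2_host_encodes_ip(rec.host, rec.dst_ip):
        reasons.append("ec2-default-hostname")   # no vanity domain in front of the instance
    if (rec.method == "POST" and rec.path.endswith(".php")
            and rec.content_type.startswith("application/x-www-form-urlencoded")):
        reasons.append("form-post-to-php")
    m = MSIE_UA.search(rec.user_agent)
    if m and rec.client_nt_version and m.group(2) != rec.client_nt_version:
        reasons.append("ua-os-mismatch")         # UA claims NT 6.2 from an NT 10.0 host
    if rec.status == 401 and rec.www_authenticate.lower().startswith("basic"):
        reasons.append("basic-auth-401")         # gated endpoint; the body was still delivered
    return reasons

SAMPLE_RECORDS = [
    # Constructed from the POST /stat/col.php exchange in this report (sandbox OS: Windows 10).
    HttpRecord(host="ec2-52-87-100-16.compute-1.amazonaws.com", dst_ip="52.87.100.16",
               method="POST", path="/stat/col.php",
               user_agent="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
               content_type="application/x-www-form-urlencoded", content_length=1082,
               status=401, www_authenticate='Basic realm="closed site"', client_nt_version="10.0"),
    # Benign control (constructed).
    HttpRecord(host="www.example.com", dst_ip="93.184.216.34", method="GET", path="/index.html",
               user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36",
               status=200, client_nt_version="10.0"),
]

def triage_all(records):
    """Map host -> tripped heuristics for every record that trips at least one."""
    return {r.host: triage(r) for r in records if triage(r)}

if __name__ == "__main__":
    for host, why in triage_all(SAMPLE_RECORDS).items():
        print(host, "->", ", ".join(why))
```

The 401 is the server refusing the sandbox, not the beacon failing: the 1082-byte body had already been delivered when nginx answered, so for incident-response purposes the exchange is a completed data submission. The unanswered A lookups for alt.tubgiants.host and com.bushesstocking.icu came from the same process and are the obvious candidates for additional infrastructure to block; the remaining PTR queries carry no process attribution in this report.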

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2880-2-0x0000000002D00000-0x0000000002E2E000-memory.dmp (1.2MB)
  • memory/2880-4-0x0000000000402000-0x0000000000403000-memory.dmp (4KB)
  • memory/2880-3-0x0000000002D00000-0x0000000002E2E000-memory.dmp (1.2MB)
  • memory/2880-7-0x0000000000400000-0x0000000000FBD000-memory.dmp (11.7MB)
  • memory/2880-8-0x0000000000400000-0x0000000000FBD000-memory.dmp (11.7MB)
  • memory/2880-9-0x0000000000400000-0x0000000000FBD000-memory.dmp (11.7MB)
  • memory/2880-11-0x0000000002D00000-0x0000000002E2E000-memory.dmp (1.2MB)
  • memory/2880-10-0x0000000000400000-0x0000000000FBD000-memory.dmp (11.7MB)
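
The dump names above encode the process id, a snapshot sequence number and the region's virtual address range. Four of them are snapshots of the same 0x400000-0xFBD000 range (11.7MB, at the usual 32-bit PE image base, which matches the arch:x86 tag), larger than the 4.4MB file on disk; that makes it the first region an analyst would carve for an in-memory unpacked image, an inference the report itself does not state. The script below is an added example (not tria.ge code) that parses this naming scheme, collapses repeated snapshots per region and applies that size check; the regex and the use of the rounded 4.4MB figure as the on-disk size are the author's.

```python
"""Parse tria.ge memory dump names (memory/<pid>-<seq>-<start>-<end>-memory.dmp), recover
region sizes, collapse repeated snapshots of one region and flag regions larger than the
on-disk sample. Added example; the pattern is read off this report, the 4.4MB figure is the
report's rounded size, and the 'larger than on disk' check is the author's."""
import re
from collections import OrderedDict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Rounded figure from the General section; the exact byte count is not on the page.
SAMPLE_DISK_SIZE = int(4.4 * 1024 * 1024)

DUMP_NAMES = [  # copied from the Downloads list of this report
    "memory/2880-2-0x0000000002D00000-0x0000000002E2E000-memory.dmp",
    "memory/2880-4-0x0000000000402000-0x0000000000403000-memory.dmp",
    "memory/2880-3-0x0000000002D00000-0x0000000002E2E000-memory.dmp",
    "memory/2880-7-0x0000000000400000-0x0000000000FBD000-memory.dmp",
    "memory/2880-8-0x0000000000400000-0x0000000000FBD000-memory.dmp",
    "memory/2880-9-0x0000000000400000-0x0000000000FBD000-memory.dmp",
    "memory/2880-11-0x0000000002D00000-0x0000000002E2E000-memory.dmp",
    "memory/2880-10-0x0000000000400000-0x0000000000FBD000-memory.dmp",
]

def parse_dump_name(name):
    """Split a dump name into its fields; rejects names that are not page-aligned ranges."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"bad region bounds in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}

def human_size(n):
    """Same rounding the report uses: 1024-based, one decimal above 1 MiB, 'MB'/'KB' labels."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n // 1024}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def unique_regions(names):
    """Collapse repeated dumps of the same (pid, start, end) into one entry, keeping the
    sequence numbers so the analyst knows how many snapshots exist per region."""
    regions = OrderedDict()
    for d in map(parse_dump_name, names):
        regions.setdefault((d["pid"], d["start"], d["end"]), []).append(d["seq"])
    return {k: sorted(v) for k, v in regions.items()}

def regions_larger_than_disk(names, disk_size=SAMPLE_DISK_SIZE):
    """Regions whose committed size exceeds the sample's on-disk size: candidates for an
    in-memory unpacking/decompression stage, so carve these first."""
    return [(start, end) for (_, start, end) in unique_regions(names) if end - start > disk_size]

if __name__ == "__main__":
    for (pid, start, end), seqs in unique_regions(DUMP_NAMES).items():
        print(f"pid {pid} 0x{start:X}-0x{end:X} {human_size(end - start):>7} snapshots={seqs}")
    print("larger than on-disk sample:",
          [f"0x{s:X}-0x{e:X}" for s, e in regions_larger_than_disk(DUMP_NAMES)])
```

When several snapshots of one region exist, the later sequence numbers are the ones taken after more execution time, so comparing the first and last snapshot of 0x400000-0xFBD000 (sequences 7 and 10 here) is the quickest way to see whether the region was still being written to.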
