Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/09/2024, 05:29 UTC
Static task
static1
Behavioral task
behavioral1
Sample
dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
-
Size
4.4MB
-
MD5
dbe54b757c3022bfef90adce8329fb90
-
SHA1
c04db0b2b712161333c84b8c8b5754771e92aae8
-
SHA256
cdbb95ad47fddb9a7395b08a1d54a7dadc57b4b0f77faa82236cd7a9138c6a0b
-
SHA512
a1de56a2f8a774869d55cde8bf20c28a996e52b465f680beada937839e595340f349658b1c39640fe1dfc562dea11b7f905ecdec399b567a216a0f6e155b14a1
-
SSDEEP
24576:6y14jj33AIVUidgL3u3Bkrg+yylaSIbb4gBSwIg194ObZpk3ersoHll6IVvNkzG3:WXndRAVYSozv95yCFZCLT6ye
Malware Config
Signatures
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe"1⤵
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2880
Network
-
Remote address:8.8.8.8:53Requestec2-52-87-100-16.compute-1.amazonaws.comIN AResponseec2-52-87-100-16.compute-1.amazonaws.comIN A52.87.100.16
-
POSThttp://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.phpdbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exeRemote address:52.87.100.16:80RequestPOST /stat/col.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Content-Length: 1082
Host: ec2-52-87-100-16.compute-1.amazonaws.com
ResponseHTTP/1.1 401 Unauthorized
Date: Thu, 12 Sep 2024 05:29:45 GMT
Content-Type: text/html
Content-Length: 597
Connection: keep-alive
WWW-Authenticate: Basic realm="closed site"
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestalt.tubgiants.hostIN AResponse
-
Remote address:8.8.8.8:53Requestcom.bushesstocking.icuIN AResponse
-
Remote address:8.8.8.8:53Request16.100.87.52.in-addr.arpaIN PTRResponse16.100.87.52.in-addr.arpaIN PTRec2-52-87-100-16 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
52.87.100.16:80http://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.phphttpdbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe1.6kB 972 B 6 4
HTTP Request
POST http://ec2-52-87-100-16.compute-1.amazonaws.com/stat/col.phpHTTP Response
401
-
8.8.8.8:53ec2-52-87-100-16.compute-1.amazonaws.comdnsdbe54b757c3022bfef90adce8329fb90_JaffaCakes118.exe86 B 102 B 1 1
DNS Request
ec2-52-87-100-16.compute-1.amazonaws.com
DNS Response
52.87.100.16
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
64 B 129 B 1 1
DNS Request
alt.tubgiants.host
-
68 B 133 B 1 1
DNS Request
com.bushesstocking.icu
-
71 B 125 B 1 1
DNS Request
16.100.87.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa