Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

e1910ce7fa...18.exe

windows7-x64

10

e1910ce7fa...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 02:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe

  • Size

    980KB

  • MD5

    e1910ce7fa51b3d99c1664c632949cdd

  • SHA1

    4067b985c86512cb46ffd36605a82e3d3f852d16

  • SHA256

    74f3534ec10a5a34cab4aa07b77c148538340dba599bcb8b6d1fde298d0d9e21

  • SHA512

    f634e1ca2e4399c6b4c4d805757d8b7283a5aa2bdc8d8528345fc88c2445c2f67ba2411601857e13e2c0985228f0c182f5b600dbf1b1c55c1c6437f387ec0972

  • SSDEEP

    24576:U4nNKtIhYR/76mf0HU8JLni1LjNvocD/0jnhqLP8+Gxek:U4NK2Y/92Lni11voc7MIYxH

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2684
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
    1⤵
      PID:3436

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      244.244.23.193.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      244.244.23.193.in-addr.arpa
      IN PTR
      Response
      244.244.23.193.in-addr.arpa
      IN PTR
      dannenbergtorauthde
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 193.23.244.244:443
      www.3q7sibj.com
      tls
      e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe
      3.0kB
       6.2kB
       12
      10
    • 127.0.0.1:49875
      e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe
    • 76.73.17.194:9090
      e1910ce7fa51b3d99c1664c632949cdd_JaffaCakes118.exe
      260 B
       5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      244.244.23.193.in-addr.arpa
      dns
      73 B
       108 B
       1
      1

      DNS Request

      244.244.23.193.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2684-0-0x0000000002380000-0x0000000002455000-memory.dmp

      Filesize

      852KB

      Download

    • memory/2684-1-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-2-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-5-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-4-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-8-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-7-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-3-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-11-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-12-0x0000000002380000-0x0000000002455000-memory.dmp

      Filesize

      852KB

      Download

    • memory/2684-13-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-14-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-15-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-16-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-17-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-18-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-19-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-22-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-23-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-24-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-25-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-26-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2684-27-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.