Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 08:30 UTC

General

  • Target

    ef69f69b764bbd6bb5b442b777ec1591_JaffaCakes118.html

  • Size

    4KB

  • MD5

    ef69f69b764bbd6bb5b442b777ec1591

  • SHA1

    b75e35fbb2779d10b1dafe9c547307876e595739

  • SHA256

    1ff56bd0e1a4c339c94951140de19cb6f5816dcd9850ea760d8720ecf3a305c0

  • SHA512

    1cab5090aabf658f0efa4df944f31f75d14c32775fc2b73dbcbce53b68a82f05837846f6da0e2d66fe58e958f5639a42d229b0145ee5ff977fb2f85c5a4c8dfd

  • SSDEEP

    96:Pk7yJozTGknaEFHVKDZTBJl7sNjtXATIQFMA5e3fhrvDJUgwa71D5iJ8oQ8sd:Pk7yY1aEFHVKtF37sNjtXATIQFM93pD1

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ef69f69b764bbd6bb5b442b777ec1591_JaffaCakes118.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa33e46f8,0x7ffaa33e4708,0x7ffaa33e4718
      2⤵
        PID:2932
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        2⤵
          PID:1844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3552
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
          2⤵
            PID:536
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
            2⤵
              PID:4592
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
              2⤵
                PID:2936
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                2⤵
                  PID:2192
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:456
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                  2⤵
                    PID:1608
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                    2⤵
                      PID:2872
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
                      2⤵
                        PID:364
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
                        2⤵
                          PID:3508
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2397485818319168027,11987752771028005546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4776
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2956
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:112

                          Network

                          • flag-us
                            DNS
                            133.211.185.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            133.211.185.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            cdn-adef.akamaized.net
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            cdn-adef.akamaized.net
                            IN A
                            Response
                            cdn-adef.akamaized.net
                            IN CNAME
                            a326.d.akamai.net
                            a326.d.akamai.net
                            IN A
                            88.221.134.64
                            a326.d.akamai.net
                            IN A
                            88.221.134.43
                          • flag-gb
                            GET
                            https://cdn-adef.akamaized.net/images/jump-favicon.ico
                            msedge.exe
                            Remote address:
                            88.221.134.64:443
                            Request
                            GET /images/jump-favicon.ico HTTP/1.1
                            Host: cdn-adef.akamaized.net
                            Connection: keep-alive
                            sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
                            DNT: 1
                            sec-ch-ua-mobile: ?0
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                            Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                            Sec-Fetch-Site: cross-site
                            Sec-Fetch-Mode: no-cors
                            Sec-Fetch-Dest: image
                            Accept-Encoding: gzip, deflate, br
                            Accept-Language: en-US,en;q=0.9
                            Response
                            HTTP/1.1 200 OK
                            x-amz-id-2: a7oQ3vrOTLPWbWSrt1Y20VodimJiyKhAOu3cM/bL0T87DfCcyQNbZZ6BoOp1i8JC5IcS+g2s0go=
                            x-amz-request-id: 0PJ95JXPNMW6RXHT
                            Last-Modified: Wed, 07 Nov 2018 10:05:44 GMT
                            ETag: "4cdf3256cd7b8ec3917adb79d6bf457e"
                            Accept-Ranges: bytes
                            Content-Type: image/x-icon
                            Server: AmazonS3
                            Content-Length: 4103
                            Date: Sat, 21 Sep 2024 08:30:49 GMT
                            Connection: keep-alive
                            Alt-Svc: h3-Q050=":443"; ma=93600,quic=":443"; ma=93600; v="46,43"
                          • flag-us
                            DNS
                            74.32.126.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            74.32.126.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            0.205.248.87.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            0.205.248.87.in-addr.arpa
                            IN PTR
                            Response
                            0.205.248.87.in-addr.arpa
                            IN PTR
                            https-87-248-205-0lgwllnwnet
                          • flag-us
                            DNS
                            64.134.221.88.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            64.134.221.88.in-addr.arpa
                            IN PTR
                            Response
                            64.134.221.88.in-addr.arpa
                            IN PTR
                            a88-221-134-64deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            228.249.119.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            228.249.119.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            86.23.85.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            86.23.85.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            171.39.242.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            171.39.242.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            171.39.242.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            171.39.242.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            79.190.18.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            79.190.18.2.in-addr.arpa
                            IN PTR
                            Response
                            79.190.18.2.in-addr.arpa
                            IN PTR
                            a2-18-190-79deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            79.190.18.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            79.190.18.2.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            31.243.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            31.243.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • 88.221.134.64:443
                            https://cdn-adef.akamaized.net/images/jump-favicon.ico
                            tls, http
                            msedge.exe
                            2.7kB
                            9.6kB
                            13
                            15

                            HTTP Request

                            GET https://cdn-adef.akamaized.net/images/jump-favicon.ico

                            HTTP Response

                            200
                          • 8.8.8.8:53
                            133.211.185.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            133.211.185.52.in-addr.arpa

                          • 8.8.8.8:53
                            cdn-adef.akamaized.net
                            dns
                            msedge.exe
                            68 B
                            128 B
                            1
                            1

                            DNS Request

                            cdn-adef.akamaized.net

                            DNS Response

                            88.221.134.64
                            88.221.134.43

                          • 8.8.8.8:53
                            74.32.126.40.in-addr.arpa
                            dns
                            71 B
                            157 B
                            1
                            1

                            DNS Request

                            74.32.126.40.in-addr.arpa

                          • 8.8.8.8:53
                            0.205.248.87.in-addr.arpa
                            dns
                            71 B
                            116 B
                            1
                            1

                            DNS Request

                            0.205.248.87.in-addr.arpa

                          • 8.8.8.8:53
                            64.134.221.88.in-addr.arpa
                            dns
                            72 B
                            137 B
                            1
                            1

                            DNS Request

                            64.134.221.88.in-addr.arpa

                          • 224.0.0.251:5353
                            455 B
                            7
                          • 8.8.8.8:53
                            228.249.119.40.in-addr.arpa
                            dns
                            73 B
                            159 B
                            1
                            1

                            DNS Request

                            228.249.119.40.in-addr.arpa

                          • 8.8.8.8:53
                            86.23.85.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            86.23.85.13.in-addr.arpa

                          • 8.8.8.8:53
                            171.39.242.20.in-addr.arpa
                            dns
                            144 B
                            158 B
                            2
                            1

                            DNS Request

                            171.39.242.20.in-addr.arpa

                            DNS Request

                            171.39.242.20.in-addr.arpa

                          • 8.8.8.8:53
                            79.190.18.2.in-addr.arpa
                            dns
                            140 B
                            133 B
                            2
                            1

                            DNS Request

                            79.190.18.2.in-addr.arpa

                            DNS Request

                            79.190.18.2.in-addr.arpa

                          • 8.8.8.8:53
                            31.243.111.52.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            31.243.111.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            53bc70ecb115bdbabe67620c416fe9b3

                            SHA1

                            af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                            SHA256

                            b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                            SHA512

                            cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            e765f3d75e6b0e4a7119c8b14d47d8da

                            SHA1

                            cc9f7c7826c2e1a129e7d98884926076c3714fc0

                            SHA256

                            986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                            SHA512

                            a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            292B

                            MD5

                            69a2e4f3f15757b7990d81289528c591

                            SHA1

                            a98bfc2e00977ca2e1f2d637924b66727547a66f

                            SHA256

                            a2ae55be55ce45dd771b0ece24feebfdaf0a8f2bbd3c4e25ba07baa01ccd614f

                            SHA512

                            a45b19dc5d8e32460336a7286e675b92c865f5018f85abeec09c7e9b5fa0e3838234783217027e733d515c6df808a66dfd40454b4664326c9530835455ccd2df

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            80187a1d305ad408fb3100b66d0b785d

                            SHA1

                            ffb363a3d324e5ee5b7c3fe8b51e104c686f9bd7

                            SHA256

                            1882166506ed54e9aaf17f1655517cbaeb2c3165dfd72e17ffc50f0fc47fba60

                            SHA512

                            9e2d2a6b11f0fe7e23b6239c94546f73daa9ce41e31f63e6f760d10ddf52c4ce900b6ecff8a568e58a9de3dfc79e04fdc9be511ea7505bc535cb4722a7eca698

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            9c2e59e8fefa589b0cfafab03b995058

                            SHA1

                            8bfef530c624c8d62abdc6c81ec3ef0d3085c306

                            SHA256

                            293f5de9820d8bf7bebd0ec2c5d30f37c4fd12c5a3fe5352312a8c4c50775bce

                            SHA512

                            7bcf67f201c5d3291574adfd436344c60ede2109fc2c69efb33c034b6f655b2306ea1ecc069eae2dec8462e27e053e59cf500c3658384a7b162083ebebeb6a61

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            c6d16165c5b2851c4e78bd32d3cbc666

                            SHA1

                            ababc7b18bafe612275f4d995d82111828f11d35

                            SHA256

                            66e7c36b9a50e41ef51aaa24e76c0df8a97d30609886e9ea3fdaa00887f4f2af

                            SHA512

                            386df1c397619e0b20d3a166d8c71056827ce5da96ce3a0fae248413e3163e902b0303abf6d745b3872bb8f19b8f6d7e9b4f36ef0b6e96e8909120d6323f9b46

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.