Analysis

  • max time kernel
    94s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 15:12 UTC

General

  • Target

    f01124777fc9f2d7906a9063ed556e4d_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    f01124777fc9f2d7906a9063ed556e4d

  • SHA1

    4be3c9ff3a6fbd376d496e633a78437eed59fbc9

  • SHA256

    7f8f2aa71e66cfaadefef2e68d66781a23a73ff71ee9e4f49ea4642c84bedf81

  • SHA512

    7361b364787bc22613680a9baa254f3dfcc482f7daa7f38f557b5c68e0d3ce67e8b84405d6e591b5289e481b9b2b2b2a72d7f7f31cce12343237a90b9b5db61b

  • SSDEEP

    12288:MUeEBWNGT8ZbgCRF67n9LiK6XK86W0b4SZA4uOKJ:MUeZGT2dRF6Ea3JC9J

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f01124777fc9f2d7906a9063ed556e4d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f01124777fc9f2d7906a9063ed556e4d_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\n6198\s6198.exe
      "C:\Users\Admin\AppData\Local\Temp\n6198\s6198.exe" ins.exe /t 54146cb6561ca3db098b45b4 /u 76873fd7-d775-11e3-8a58-80c16e6f498c /e 12912908 /h 13a9a3.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\f01124777fc9f2d7906a9063ed556e4d_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 1464
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 3900
      2⤵
      • Program crash
      PID:3856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 540 -ip 540
    1⤵
    PID:1524

Network

    • US
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240.deploy.static.akamaitechnologies.com
    • US
      DNS
      ocsp.thawte.com
      s6198.exe
      Remote address:
      8.8.8.8:53
      Request
      ocsp.thawte.com
      IN A
      Response
      ocsp.thawte.com
      IN CNAME
      mpki-ocsp.digicert.com
      mpki-ocsp.digicert.com
      IN CNAME
      fp3011.wpc.2be4.phicdn.net
      fp3011.wpc.2be4.phicdn.net
      IN CNAME
      fp3011.wpc.phicdn.net
      fp3011.wpc.phicdn.net
      IN A
      152.199.19.74
    • DE
      GET
      http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
      s6198.exe
      Remote address:
      152.199.19.74:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 5936
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 13:33:17 GMT
      Server: ECAcc (lhc/789F)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • DE
      POST
      http://ocsp.thawte.com/
      s6198.exe
      Remote address:
      152.199.19.74:80
      Request
      POST / HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Content-Type: application/ocsp-request
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Content-Length: 83
      Host: ocsp.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 1537
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 14:46:36 GMT
      Server: ECAcc (lhc/78B5)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • US
      DNS
      crl.thawte.com
      s6198.exe
      Remote address:
      8.8.8.8:53
      Request
      crl.thawte.com
      IN A
      Response
      crl.thawte.com
      IN CNAME
      crl-symcprod.digicert.com
      crl-symcprod.digicert.com
      IN CNAME
      crl.edge.digicert.com
      crl.edge.digicert.com
      IN CNAME
      fp2e7a.wpc.2be4.phicdn.net
      fp2e7a.wpc.2be4.phicdn.net
      IN CNAME
      fp2e7a.wpc.phicdn.net
      fp2e7a.wpc.phicdn.net
      IN A
      192.229.221.95
    • SE
      GET
      http://crl.thawte.com/ThawtePCA.crl
      s6198.exe
      Remote address:
      192.229.221.95:80
      Request
      GET /ThawtePCA.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 265
      Cache-Control: public, max-age=3600
      Content-Type: application/pkix-crl
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 15:07:48 GMT
      Server: ECAcc (lhd/35A2)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 604
    • US
      DNS
      th.symcd.com
      s6198.exe
      Remote address:
      8.8.8.8:53
      Request
      th.symcd.com
      IN A
      Response
      th.symcd.com
      IN CNAME
      mpki-ocsp.digicert.com
      mpki-ocsp.digicert.com
      IN CNAME
      fp3011.wpc.2be4.phicdn.net
      fp3011.wpc.2be4.phicdn.net
      IN CNAME
      fp3011.wpc.phicdn.net
      fp3011.wpc.phicdn.net
      IN A
      152.199.19.74
    • DE
      GET
      http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D
      s6198.exe
      Remote address:
      152.199.19.74:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: th.symcd.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 5731
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 13:36:43 GMT
      Server: ECAcc (lhc/7935)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • DE
      GET
      http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D
      s6198.exe
      Remote address:
      152.199.19.74:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: th.symcd.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 5731
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 13:36:43 GMT
      Server: ECAcc (lhc/7935)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • US
      DNS
      th.symcb.com
      s6198.exe
      Remote address:
      8.8.8.8:53
      Request
      th.symcb.com
      IN A
      Response
      th.symcb.com
      IN CNAME
      crl-symcprod.digicert.com
      crl-symcprod.digicert.com
      IN CNAME
      crl.edge.digicert.com
      crl.edge.digicert.com
      IN CNAME
      fp2e7a.wpc.2be4.phicdn.net
      fp2e7a.wpc.2be4.phicdn.net
      IN CNAME
      fp2e7a.wpc.phicdn.net
      fp2e7a.wpc.phicdn.net
      IN A
      192.229.221.95
    • SE
      GET
      http://th.symcb.com/th.crl
      s6198.exe
      Remote address:
      192.229.221.95:80
      Request
      GET /th.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: th.symcb.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 2792
      Cache-Control: public, max-age=3600
      Content-Type: application/pkix-crl
      Date: Sat, 21 Sep 2024 15:12:13 GMT
      Last-Modified: Sat, 21 Sep 2024 14:25:42 GMT
      Server: ECAcc (lhd/35B2)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 80217
    • US
      DNS
      74.19.199.152.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.19.199.152.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18.deploy.static.akamaitechnologies.com
    • US
      DNS
      25.140.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.140.123.92.in-addr.arpa
      IN PTR
      Response
      25.140.123.92.in-addr.arpa
      IN PTR
      a92-123-140-25.deploy.static.akamaitechnologies.com
    • US
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 152.199.19.74:80
      http://ocsp.thawte.com/
      http
      s6198.exe
      849 B
      954 B
      7
      5

      HTTP Request

      GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

      HTTP Response

      200

      HTTP Request

      POST http://ocsp.thawte.com/

      HTTP Response

      200
    • 192.229.221.95:80
      http://crl.thawte.com/ThawtePCA.crl
      http
      s6198.exe
      358 B
      1.1kB
      5
      3

      HTTP Request

      GET http://crl.thawte.com/ThawtePCA.crl

      HTTP Response

      200
    • 152.199.19.74:80
      http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D
      http
      s6198.exe
      783 B
      914 B
      6
      4

      HTTP Request

      GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D

      HTTP Response

      200

      HTTP Request

      GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHZYrMFbM9k6vVqWcYHe%2BQE%3D

      HTTP Response

      200
    • 192.229.221.95:80
      http://th.symcb.com/th.crl
      http
      s6198.exe
      1.7kB
      83.1kB
      34
      62

      HTTP Request

      GET http://th.symcb.com/th.crl

      HTTP Response

      200
    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      ocsp.thawte.com
      dns
      s6198.exe
      61 B
      175 B
      1
      1

      DNS Request

      ocsp.thawte.com

      DNS Response

      152.199.19.74

    • 8.8.8.8:53
      crl.thawte.com
      dns
      s6198.exe
      60 B
      200 B
      1
      1

      DNS Request

      crl.thawte.com

      DNS Response

      192.229.221.95

    • 8.8.8.8:53
      th.symcd.com
      dns
      s6198.exe
      58 B
      172 B
      1
      1

      DNS Request

      th.symcd.com

      DNS Response

      152.199.19.74

    • 8.8.8.8:53
      th.symcb.com
      dns
      s6198.exe
      58 B
      198 B
      1
      1

      DNS Request

      th.symcb.com

      DNS Response

      192.229.221.95

    • 8.8.8.8:53
      74.19.199.152.in-addr.arpa
      dns
      72 B
      143 B
      1
      1

      DNS Request

      74.19.199.152.in-addr.arpa

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      25.140.123.92.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      25.140.123.92.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\n6198\s6198.exe

      Filesize

      411KB

      MD5

      13b0085a03720e67fb8c73db3f14609e

      SHA1

      ddf811f21e6c066b644d03e6751e16efb0fbecce

      SHA256

      f9449897f9ca99b99837ad322c8b6737e7a47e3827b6a4c073c6ca8911d8c340

      SHA512

      39b95dce14b3eea6f191d4dbaaff87ebbc8f3b6982e7b4ee5ebeed83d3b7397441665f25dec5eb9f8a1f3b12f4ddcd604d5852b781f592488263161c0d620e82

    • memory/4796-14-0x00007FFE04175000-0x00007FFE04176000-memory.dmp

      Filesize

      4KB

    • memory/4796-15-0x00007FFE03EC0000-0x00007FFE04861000-memory.dmp

      Filesize

      9.6MB

    • memory/4796-16-0x00007FFE03EC0000-0x00007FFE04861000-memory.dmp

      Filesize

      9.6MB

    • memory/4796-36-0x000000001C380000-0x000000001C38E000-memory.dmp

      Filesize

      56KB

    • memory/4796-39-0x000000001CCB0000-0x000000001D17E000-memory.dmp

      Filesize

      4.8MB

    • memory/4796-40-0x000000001D220000-0x000000001D2BC000-memory.dmp

      Filesize

      624KB

    • memory/4796-41-0x00007FFE03EC0000-0x00007FFE04861000-memory.dmp

      Filesize

      9.6MB

    • memory/4796-48-0x00007FFE03EC0000-0x00007FFE04861000-memory.dmp

      Filesize

      9.6MB
