Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 02:06 UTC

General

  • Target

    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    f982bb575ba66968c52bee025037085c

  • SHA1

    e378fbbc27e03a6756ff6c31ca147f15b879f899

  • SHA256

    8f1be4d249817876e6bbb833b24c8a052549578aa8d3c4d17f28dbdc5e548d19

  • SHA512

    5032dd00e23ec8ba841f876d52188aecad197bb4986acea6d358593be8c03fca0542d7b529e04d20f26d42913707299c49bdd03a74e159305f23b9944b5c0482

  • SSDEEP

    3072:n5eiXBEtdBcTBhbtjk0PiQWceVm7rSJDx6VxIo/YeylXe4dJM:oM2lEhbNjM7T0Vmo/slpq

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other session material.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
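
The report flags "Modifies WinLogon for persistence" but does not show which value was changed. The following is an added triage helper, not part of the report or of the sample: it compares the Winlogon values most often hijacked (Shell, Userinit, Taskman) against stock Windows defaults, reads the live key through winreg when run on Windows, and otherwise falls back to a constructed sample. The tampered Userinit value below is constructed; it reuses the drop path the process tree passes as an argument, but the report does not say Userinit was the value touched.

```python
"""Audit the Winlogon values malware abuses for persistence.

Added triage helper; it is not part of the tria.ge report or of the sample.
The report only says the sample "Modifies WinLogon for persistence" without
showing which value changed, so this checks the values most often hijacked:
Shell, Userinit and Taskman. The tampered sample data below is constructed.
"""
import platform

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows defaults. Userinit keeps its trailing comma; Taskman is normally absent.
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Taskman": None,
}


def _norm(value):
    """Case-insensitive, slash-insensitive comparison form for a REG_SZ value."""
    return value.strip().lower().replace("/", "\\").rstrip(",")


def audit_winlogon(values):
    """Return [(name, observed)] for every Winlogon value that deviates from its default.

    `values` maps value name -> string, or None when the value is absent, e.g. as
    read from HKLM (machine-wide) or HKCU (per-user override) ...\Winlogon.
    """
    findings = []
    for name, expected in EXPECTED.items():
        observed = values.get(name)
        if observed is None:
            continue  # absent: Windows falls back to the built-in default
        if expected is None or _norm(observed) != _norm(expected):
            findings.append((name, observed))
    return findings


def read_live_winlogon(per_user=False):
    """Read the real key via winreg on Windows; return {} elsewhere so the module imports anywhere."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only available on Windows
    root = winreg.HKEY_CURRENT_USER if per_user else winreg.HKEY_LOCAL_MACHINE
    out = {}
    try:
        with winreg.OpenKey(root, WINLOGON_KEY) as key:
            for name in EXPECTED:
                try:
                    out[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    out[name] = None
    except FileNotFoundError:
        pass  # HKCU\...\Winlogon does not exist on a clean profile
    return out


# Constructed samples: a clean Windows 7 machine, and a hijacked Userinit chaining
# a dropped binary after the real userinit.exe. The drop path mirrors the argument
# in the report's process tree; the report does not say Userinit was the value touched.
CLEAN = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,", "Taskman": None}
TAMPERED = dict(CLEAN, Userinit=r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe")

if __name__ == "__main__":
    live = read_live_winlogon() or TAMPERED  # fall back to the constructed sample off-Windows
    for name, observed in audit_winlogon(live):
        print(f"[!] Winlogon\\{name} = {observed!r}")
```

Run it on the affected host (both HKLM and, with `per_user=True`, HKCU) rather than trusting the sandbox signature alone; a Userinit value that still starts with the real userinit.exe is the classic way to survive casual inspection.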

Processes

  • C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2760
    • C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2520
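
Both children are re-launched with an argument of the form start<file>%<directory>, naming conhost.exe under Roaming\Microsoft and csrss.exe under Temp, i.e. core Windows process names in user-writable directories. The following is an added triage helper, not part of the report: it splits that argument, recovers the drop locations, and flags system-only process names that sit outside the Windows directory. The "start" / "%" split reflects only what the two strings above look like, not documented sample behaviour, and the set of names treated as system-only is an assumption.

```python
"""Pull the drop targets out of the child command lines in the process tree.

Added triage helper, not part of the tria.ge report. The two children are
re-launched with an argument of the form  start<file>%<directory>; splitting on
"start" and "%" reflects only what those two strings look like, not documented
sample behaviour. The set of process names treated as "system-only" is an assumption.
"""
import re
from pathlib import PureWindowsPath

# Names of core Windows processes that legitimately run only from the Windows directory.
SYSTEM_ONLY = {"csrss.exe", "conhost.exe", "smss.exe", "lsass.exe", "winlogon.exe",
               "services.exe", "svchost.exe", "wininit.exe"}

# "start" immediately followed by a drive-letter path, then "%", then a second path.
START_ARG = re.compile(r"\bstart(?P<file>[A-Za-z]:\\[^%]+)%(?P<dir>[A-Za-z]:\\.*)$", re.I)

# Command lines transcribed from the report's process tree (PIDs 2632, 2760, 2520).
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]


def parse_start_arg(cmdline):
    """Return (file, directory) from a start<file>%<dir> argument, or None."""
    m = START_ARG.search(cmdline)
    return (m.group("file"), m.group("dir")) if m else None


def is_masquerade(path):
    """True when a system-only process name sits outside <drive>\\Windows\\System32 (or SysWOW64)."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_ONLY:
        return False
    parts = [s.lower() for s in p.parts]
    in_windows_dir = len(parts) >= 4 and parts[1] == "windows" and parts[2] in ("system32", "syswow64")
    return not in_windows_dir


def triage(cmdlines):
    """One finding per command line carrying a start<file>%<dir> argument."""
    findings = []
    for line in cmdlines:
        parsed = parse_start_arg(line)
        if parsed is None:
            continue
        file, directory = parsed
        findings.append({
            "name": PureWindowsPath(file).name,
            "file": file,
            "dir": directory,
            "masquerade": is_masquerade(file),
            # the %<dir> part should be the file's own parent; a mismatch is worth a look
            "dir_consistent": PureWindowsPath(file).parent == PureWindowsPath(directory),
        })
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_CMDLINES):
        flag = "MASQUERADE" if f["masquerade"] else "ok"
        print(f"{flag:10} {f['file']}")
```

On a real host, the two recovered paths are the first places to look for the dropped copies; the Downloads section lists only the small files written under Roaming, so the report itself does not confirm that conhost.exe or csrss.exe was written to disk.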

Network

  • flag-us
    DNS
    lostpropaganda.net
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    lostpropaganda.net
    IN A
    Response
  • flag-us
    DNS
    zonedg.com
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
  • flag-us
    DNS
    zonedg.com
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
  • flag-us
    DNS
    wwwdatastore.com
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    wwwdatastore.com
    IN A
    Response
  • flag-us
    DNS
    archiveforfiles.com
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    archiveforfiles.com
    IN A
    Response
    archiveforfiles.com
    IN A
    81.169.145.159
  • flag-de
    GET
    http://archiveforfiles.com/blog/images/3521.jpg?v57=39&tq=gKZEtzyMv5rJqxG1J42pzMffBvEj0OjbwvgS917X65rJqlLfgPiWW1cg
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    81.169.145.159:80
    Request
    GET /blog/images/3521.jpg?v57=39&tq=gKZEtzyMv5rJqxG1J42pzMffBvEj0OjbwvgS917X65rJqlLfgPiWW1cg HTTP/1.0
    Connection: close
    Host: archiveforfiles.com
    Accept: */*
    User-Agent: mozilla/2.0
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 27 Sep 2024 02:06:36 GMT
    Server: Apache/2.4.62 (Unix)
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    www.google.com
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.228
  • flag-gb
    GET
    http://www.google.com/
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    142.250.187.228:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 200 OK
    Date: Fri, 27 Sep 2024 02:07:15 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Z6oHta12nza7NVXMTat5_Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cpadYXnRt-0mG2Za2f4UrFV3WL-P3jQf7vW6No_eSzxTfhsBaWtIw; expires=Wed, 26-Mar-2025 02:07:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Accept-Ranges: none
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://www.google.com/
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    Remote address:
    142.250.187.228:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 02:07:16 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zq9RRBOb5V-5eVK0V9W4bQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7crfMQTJ7kUiHLfP4jjBg19LC3f_fkH0J1ERQMtPPJm7eJaAisrP0KI; expires=Wed, 26-Mar-2025 02:07:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
  • 81.169.145.159:80
    http://archiveforfiles.com/blog/images/3521.jpg?v57=39&tq=gKZEtzyMv5rJqxG1J42pzMffBvEj0OjbwvgS917X65rJqlLfgPiWW1cg
    http
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    419 B
    586 B
    5
    5

    HTTP Request

    GET http://archiveforfiles.com/blog/images/3521.jpg?v57=39&tq=gKZEtzyMv5rJqxG1J42pzMffBvEj0OjbwvgS917X65rJqlLfgPiWW1cg

    HTTP Response

    404
  • 142.250.187.228:80
    http://www.google.com/
    http
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    1.2kB
    56.9kB
    25
    44

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    200
  • 142.250.187.228:80
    http://www.google.com/
    http
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    1.3kB
    56.9kB
    26
    44

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    200
  • 127.0.0.1:51152
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
  • 8.8.8.8:53
    lostpropaganda.net
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    64 B
    137 B
    1
    1

    DNS Request

    lostpropaganda.net

  • 8.8.8.8:53
    zonedg.com
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    56 B
    129 B
    1
    1

    DNS Request

    zonedg.com

  • 8.8.8.8:53
    zonedg.com
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    56 B
    129 B
    1
    1

    DNS Request

    zonedg.com

  • 8.8.8.8:53
    wwwdatastore.com
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    wwwdatastore.com

  • 8.8.8.8:53
    archiveforfiles.com
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    65 B
    81 B
    1
    1

    DNS Request

    archiveforfiles.com

    DNS Response

    81.169.145.159

  • 8.8.8.8:53
    www.google.com
    dns
    f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.228
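
The network section shows the traits that separate the beacon from the connectivity probes: four names that never resolve, one request for a .jpg carrying a long opaque query parameter, sent over HTTP/1.0 with a User-Agent of "mozilla/2.0", answered 404, plus two plain fetches of www.google.com. The following is an added example, not part of the report, that encodes those traits as checks over records transcribed from the section above. The thresholds (what counts as a browser User-Agent, which hosts are connectivity probes, the 32-character cut-off for an "opaque" parameter) are assumptions picked for illustration.

```python
"""Score the DNS lookups and HTTP requests from the report for beaconing traits.

Added example, not part of the tria.ge report. The records below are transcribed
from the Network section; the heuristics (what counts as a normal browser
User-Agent, which hosts are connectivity probes, the 32-character threshold for
an "opaque" query parameter) are assumptions picked for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# (queried name, answer or None) in the order the report lists them
DNS = [
    ("lostpropaganda.net", None),
    ("zonedg.com", None),
    ("zonedg.com", None),
    ("wwwdatastore.com", None),
    ("archiveforfiles.com", "81.169.145.159"),
    ("www.google.com", "142.250.187.228"),
]

# (url, HTTP version, request headers, response status, response Content-Type)
HTTP = [
    ("http://archiveforfiles.com/blog/images/3521.jpg?v57=39&tq=gKZEtzyMv5rJqxG1J42pzMffBvEj0OjbwvgS917X65rJqlLfgPiWW1cg",
     "1.0", {"User-Agent": "mozilla/2.0", "Accept": "*/*", "Connection": "close"}, 404, "text/html"),
    ("http://www.google.com/", "1.0", {"Accept": "*/*", "Connection": "close"}, 200, "text/html"),
    ("http://www.google.com/", "1.1", {"Pragma": "no-cache", "Connection": "close"}, 200, "text/html"),
]

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
BROWSER_UA = re.compile(r"^Mozilla/[45]\.0 \(", re.I)  # real browsers send "Mozilla/5.0 (...)"
OPAQUE_LEN = 32  # assumed cut-off for a query value that looks like encoded data


def dns_summary(records):
    """Split lookups into resolved names and names that never got an answer."""
    resolved, unanswered = {}, []
    for name, addr in records:
        if addr:
            resolved[name] = addr
        elif name not in unanswered:
            unanswered.append(name)
    return {"resolved": resolved, "unanswered": unanswered}


def score_request(url, version, headers, status, ctype):
    """Return the list of beacon-like traits of one request/response pair."""
    reasons = []
    ua = headers.get("User-Agent")
    if ua is None:
        reasons.append("no User-Agent")
    elif not BROWSER_UA.match(ua):
        reasons.append(f"anomalous User-Agent {ua!r}")
    if version == "1.0":
        reasons.append("HTTP/1.0 request")
    parts = urlsplit(url)
    if parts.path.lower().endswith(IMAGE_EXT):
        opaque = [k for k, v in parse_qs(parts.query).items() if len(v[0]) >= OPAQUE_LEN]
        if opaque:
            reasons.append(f"image URL carrying opaque parameter(s) {opaque}")
        if status == 200 and not ctype.startswith("image/"):
            reasons.append("image URL answered with non-image content")
    return reasons


def triage_http(records, connectivity_hosts=("www.google.com",)):
    """Label each request as a connectivity probe, a beacon candidate, or plain."""
    out = []
    for url, version, headers, status, ctype in records:
        host = urlsplit(url).hostname
        reasons = score_request(url, version, headers, status, ctype)
        if host in connectivity_hosts:
            kind = "connectivity-check"
        elif reasons:
            kind = "beacon-candidate"
        else:
            kind = "plain"
        out.append({"host": host, "status": status, "kind": kind, "reasons": reasons})
    return out


if __name__ == "__main__":
    d = dns_summary(DNS)
    print("unanswered:", ", ".join(d["unanswered"]))
    for hit in triage_http(HTTP):
        print(f"{hit['kind']:18} {hit['host']:22} {hit['status']}  {'; '.join(hit['reasons'])}")
```

The unanswered names are candidate C2 domains that were dead or sinkholed at analysis time; the one that resolved returned 404, so the report contains no second-stage payload, and the memory dumps listed under Downloads are the only post-unpacking artefacts to work from.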

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\2A30.C76

    Filesize

    1KB

    MD5

    177703220a4fbeb7ed7e797524adb4d5

    SHA1

    fd1be4942df131f37c4966de15827d896fe122a1

    SHA256

    0b34c2eb361de1f118f883547e1fd65c2a9c58195982a282f0985183904a28ef

    SHA512

    16029e3b74eadc889dc11416dfc49ba8b07bfdda0b75eb6088cb2c9cea57aa9a74ebe13d02ba6b222a57c4c240ca7d67103fba2967f5001d06c352c68cc9eafa

  • C:\Users\Admin\AppData\Roaming\2A30.C76

    Filesize

    1KB

    MD5

    aa494d75ef91343c5ddf8b8060657468

    SHA1

    fc55fde27ae4d680c6f819c95f58d1b1a0a7dffa

    SHA256

    7dba3bc58f6381cd166a9522b870d27ad971d8955e4a1f731d6dc6c9bc4f097e

    SHA512

    d54eb77d15323420814cb9308e6c6e505fb81bc2a5ef649674020fb8ee62ae2e9ce4067ac8d0f29d8b090b135ece381b789aafb213c6d50a02ff6424bfbdb2d0

  • C:\Users\Admin\AppData\Roaming\2A30.C76

    Filesize

    600B

    MD5

    7051c6a230bb18f634e05275290c81b2

    SHA1

    2ae6c1b7612d1f3220570c50ca5424e55b255133

    SHA256

    a6ad1c397a0479ea44024c5d59ce8224ffaf72b1c4ba415e363c152355120642

    SHA512

    8d4d0df6096291077be88fcf05792bb2342843ca442c6fe3727ced70feacf91d7cb726cc57f2118fb28bc7464b0d7027d600bb376da69c5be717fe509c9e076d

  • C:\Users\Admin\AppData\Roaming\2A30.C76

    Filesize

    996B

    MD5

    9e1f152b29c4b077269b591ec878f771

    SHA1

    768b5e5f05d40b48138d3f6414c5495ce3d90dfb

    SHA256

    2f8180e60bb4ed21716f0ebbc8b2e0feb3f066670ffad2c93467407e6c3842ec

    SHA512

    a093b986c4cbac71edd6c51bc75f57d76bee8794a261cfcae360a5885c978009434e86704929c28c2ff7e515a6899e049b8aaa92446cf410561d74c2326d05ed

  • memory/2520-79-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2520-80-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2632-77-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2632-1-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2632-15-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2632-2-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2632-185-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2760-13-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2760-12-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB
