Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

fe0fc4697b...18.exe

windows7-x64

10

fe0fc4697b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 07:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe

  • Size

    784KB

  • MD5

    fe0fc4697ba657b752715617a0a0927a

  • SHA1

    c245c4420da5e0f9d4b3d826546bc1af2ad5129d

  • SHA256

    9173e6228b5fc87965595c14258746ab987ba27a2275941a656b4acd33574012

  • SHA512

    59454db295faf1c8548c913ae3a75aab9c092a1d2ac82f5d7c274a7b233f06790eb027f074dd8de2ea3287d6915501e9dd8f0365c1d88c9843bbd7ef3d7d35d1

  • SSDEEP

    12288:fh24r4ddezt3ow+kpv0qT+yBTQqatfb5hQKGQSgWoBFQpOwjabdelqYy:fh24ztYfuBEx36gW42ubde4

Score
10/10
xmrigdiscoveryminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:3856

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    100.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    100.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
    Filesize

    784KB

    MD5

    f3b75ba5591498b703551af1a9122453

    SHA1

    d14f43d0bb20471bf1aa1bfe08b1554ce864800b

    SHA256

    713431ffe00a79e67035904ab52db069a653b8e71b136bedec949f0b4606b036

    SHA512

    9c9181f4add0c2d2e35a7f1bbc22ba7f263a6b192e37b4d463c3b6867b9e0502ab226e8c9ee02a740f8e97bb0ad72b235f2489c6c593357d42a639ec04fbadc4

    Download Submit

  • memory/216-0-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/216-1-0x00000000017F0000-0x00000000018B4000-memory.dmp

    Filesize

    784KB

    Download

  • memory/216-2-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/216-13-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3856-12-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3856-19-0x0000000001AA0000-0x0000000001B64000-memory.dmp

    Filesize

    784KB

    Download

  • memory/3856-14-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3856-27-0x0000000005310000-0x00000000054A3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3856-20-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3856-30-0x00000000005A0000-0x000000000071F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3856-31-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.