Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fe5e87793b...18.exe

windows7-x64

7

fe5e87793b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 10:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe5e87793bd593704c445ee702364dc1_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    fe5e87793bd593704c445ee702364dc1

  • SHA1

    76a41905e7677b561f77e921f21512c7cfe4c6e7

  • SHA256

    4bf8697c50719052475e4e63d86223f74d94ebc046d90550f64132b223ecdb87

  • SHA512

    8a7f22d16ef8b3047e79feb32a5537abec0bbc0faa26e1f52038b61bfb63ba7e54f9f37abeb537ed150823854c6aa3d08dc5cfedca5865da52d0ae3d23812ab6

  • SSDEEP

    12288:XsM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQiH:8V4W8hqBYgnBLfVqx1WjkvH

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5e87793bd593704c445ee702364dc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe5e87793bd593704c445ee702364dc1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3396

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    search.hemailaccessonline.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    search.hemailaccessonline.com
    IN A
    Response
    search.hemailaccessonline.com
    IN A
    52.201.40.141
    search.hemailaccessonline.com
    IN A
    23.21.184.137
  • flag-us
    DNS
    ie.search.yahoo.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    ie.search.yahoo.com
    IN A
    Response
    ie.search.yahoo.com
    IN CNAME
    ds-global3.l7.search.ystg1.b.yahoo.com
    ds-global3.l7.search.ystg1.b.yahoo.com
    IN A
    212.82.100.137
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-ie
    GET
    https://ie.search.yahoo.com/os
    IEXPLORE.EXE
    Remote address:
    212.82.100.137:443
    Request
    GET /os HTTP/2.0
    host: ie.search.yahoo.com
    accept: */*
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    cache-control: no-cache
    Response
    HTTP/2.0 200
    date: Sun, 29 Sep 2024 10:50:43 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private, max-age=3600
    expires: Sun, 29 Sep 2024 11:50:43 GMT
    content-length: 134
    content-type: application/x-suggestions+xml; charset=utf-8
    x-envoy-upstream-service-time: 16
    server: ATS
    age: 0
    strict-transport-security: max-age=31536000
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block; report=https://csp.search.yahoo.com/xssreport
    referrer-policy: no-referrer-when-downgrade
  • flag-us
    DNS
    137.100.82.212.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.100.82.212.in-addr.arpa
    IN PTR
    Response
    137.100.82.212.in-addr.arpa
    IN PTR
    ats1l7searchvipir2yahoocom
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    161.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    161.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 212.82.100.137:443
    ie.search.yahoo.com
    tls, http2
    IEXPLORE.EXE
    1.1kB
     5.9kB
     15
    11
  • 212.82.100.137:443
    https://ie.search.yahoo.com/os
    tls, http2
    IEXPLORE.EXE
    1.3kB
     6.6kB
     17
    13

    HTTP Request

    GET https://ie.search.yahoo.com/os

    HTTP Response

    200
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    IEXPLORE.EXE
    1.2kB
     8.2kB
     15
    13
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    search.hemailaccessonline.com
    dns
    IEXPLORE.EXE
    75 B
     107 B
     1
    1

    DNS Request

    search.hemailaccessonline.com

    DNS Response

    52.201.40.141
    23.21.184.137

  • 8.8.8.8:53
    ie.search.yahoo.com
    dns
    IEXPLORE.EXE
    65 B
     124 B
     1
    1

    DNS Request

    ie.search.yahoo.com

    DNS Response

    212.82.100.137

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    137.100.82.212.in-addr.arpa
    dns
    73 B
     119 B
     1
    1

    DNS Request

    137.100.82.212.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    161.19.199.152.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    161.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
     106 B
     1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    d08423737246250d0c3c50ea390cd1c4

    SHA1

    5b48dab1d90ac5357dafd6ad8b6990da92aaf75a

    SHA256

    7714ff60052145ab9a2bdd947fbbec0572c02389256b2db314f2670764862789

    SHA512

    67f5c7e7078f4fb5216b91b31e6b38c5497324413f8fc79cd662cad952a808453289b3ef2226fa377812bfc93697f11e5d6e064dc0e5f80b1a6b15dc516eb10e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    d433ff1298e2f61f27df4e8d2003d37d

    SHA1

    561de842d8df1804d006ae2535ae79c92ecf2219

    SHA256

    dd8a54355339d29bbff535131881a9e2c0941ca5fdb1f9481d507c65e68356d9

    SHA512

    0c2d6d7d426d66866c44db86185725a55c0c7e87ec2aa530170af4d23bf191f705e927556b6af91320d89b381eda7ff18321689d32e4c61702dc827fec4ed028

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.