Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30/09/2024, 08:34 UTC
General
-
Target
00688ae25905629cebfa03f2409dd2d2_JaffaCakes118.exe
-
Size
160KB
-
MD5
00688ae25905629cebfa03f2409dd2d2
-
SHA1
9dd42a5039cde5e5a1e88e5dc86cb2e0374544d5
-
SHA256
b92c27726ee432d4f7f902f13d2949ea0ed8a43445ad04bc9a03f316b2316dab
-
SHA512
4678d3d1fe19c729a88d633487f81475be2b3766aff91c343489e80069f9a358699da39fce06ad2a57e8b2c7d93e3031885f0e8b42ace6267e16c8862062a9aa
-
SSDEEP
3072:a+R0hajiERTWntMGQhGzRRlKOogPbtL5wbNhYJWfln5lw3myinp:aJ2yR0QbtLONhtlKml
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00688ae25905629cebfa03f2409dd2d2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\00688ae25905629cebfa03f2409dd2d2_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
Network
-
DNSwww.888.comRemote address:8.8.8.8:53Requestwww.888.comIN AResponsewww.888.comIN CNAMEd15djvuktw4vyy.cloudfront.netd15djvuktw4vyy.cloudfront.netIN A65.9.95.48d15djvuktw4vyy.cloudfront.netIN A65.9.95.11d15djvuktw4vyy.cloudfront.netIN A65.9.95.121d15djvuktw4vyy.cloudfront.netIN A65.9.95.4 -
DNSwww.888.comRemote address:8.8.8.8:53Requestwww.888.comIN AResponsewww.888.comIN CNAMEd15djvuktw4vyy.cloudfront.netd15djvuktw4vyy.cloudfront.netIN A65.9.95.48d15djvuktw4vyy.cloudfront.netIN A65.9.95.121d15djvuktw4vyy.cloudfront.netIN A65.9.95.4d15djvuktw4vyy.cloudfront.netIN A65.9.95.11
-
DNSsetupscon1.888.comRemote address:8.8.8.8:53Requestsetupscon1.888.comIN AResponsesetupscon1.888.comIN A91.109.250.1
-
DNSsetupscon1.888.comRemote address:8.8.8.8:53Requestsetupscon1.888.comIN AResponsesetupscon1.888.comIN A91.109.250.1
-
GEThttp://www.888.com/clientip.htmRemote address:65.9.95.48:80RequestGET /clientip.htm HTTP/1.1
Host: www.888.com
User-Agent: RLMultySocket
ResponseHTTP/1.1 302 Moved Temporarily
Content-Length: 0
Connection: keep-alive
Date: Mon, 30 Sep 2024 08:34:53 GMT
Cache-Control: max-age=1800, must-revalidate
X-Wcs-Correlation-Id: xWQ1dVAxAEsMou7UeO66gtJ3yKPZAct2tHTmKTM0dK4vUmPwHCvcbA==
Location: http://www.888promos.com/clientip.htm?country=gbr&lang=en&sr=1927680&testData=%7b%22orig-lp%22%3a%22http%3a%2f%2fwww.888.com%2fclientip.htm%22%2c%22currentvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d
strict-transport-security: max-age=31536000; includeSubDomains; preload
Set-Cookie: 888Attribution=1; max-age=900; domain=888.com; path=/; samesite=lax; httponly
Set-Cookie: 888Cookie=lang%3Den%26OSR%3D1927680; max-age=604800; domain=888.com; path=/; samesite=lax; httponly
Apigw-Requestid: e6RbNghcDoEEP1w=
Vary: Cookie,Cookie
X-Cache: Miss from cloudfront
Via: 1.1 0c8bf5614b4bcc3e76982cb7ff9a7662.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: xWQ1dVAxAEsMou7UeO66gtJ3yKPZAct2tHTmKTM0dK4vUmPwHCvcbA==
-
DNSwww.888promos.comRemote address:8.8.8.8:53Requestwww.888promos.comIN AResponsewww.888promos.comIN A217.147.127.160
-
GEThttp://entvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d/clientip.htm?country=gbr&lang=en&sr=1927680&testData=%7b%22orig-lp%22%3a%22http%3a%2f%2fwww.888.com%2fclientip.htm%22%2c%22currentvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7dRemote address:217.147.127.160:80RequestGET /clientip.htm?country=gbr&lang=en&sr=1927680&testData=%7b%22orig-lp%22%3a%22http%3a%2f%2fwww.888.com%2fclientip.htm%22%2c%22currentvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d HTTP/1.1
Host: entvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d
User-Agent: RLMultySocket
-
65.9.95.48:80http://www.888.com/clientip.htmhttp
HTTP Request
GET http://www.888.com/clientip.htmHTTP Response
302 -
91.109.250.1:80setupscon1.888.com
-
91.109.250.1:80setupscon1.888.com
-
217.147.127.160:80http://entvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d/clientip.htm?country=gbr&lang=en&sr=1927680&testData=%7b%22orig-lp%22%3a%22http%3a%2f%2fwww.888.com%2fclientip.htm%22%2c%22currentvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7dhttp
HTTP Request
GET http://entvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d/clientip.htm?country=gbr&lang=en&sr=1927680&testData=%7b%22orig-lp%22%3a%22http%3a%2f%2fwww.888.com%2fclientip.htm%22%2c%22currentvisittype%22%3a%22Unknown%22%2c%22strategy%22%3a%22UnknownStrategy%22%2c%22strategysource%22%3a%22previousvisit%22%7d
-
8.8.8.8:53www.888.comdns
DNS Request
www.888.com
DNS Response
65.9.95.4865.9.95.1165.9.95.12165.9.95.4
-
8.8.8.8:53www.888.comdns
DNS Request
www.888.com
DNS Response
65.9.95.4865.9.95.12165.9.95.465.9.95.11
-
8.8.8.8:53setupscon1.888.comdns
DNS Request
setupscon1.888.com
DNS Response
91.109.250.1
-
8.8.8.8:53setupscon1.888.comdns
DNS Request
setupscon1.888.com
DNS Response
91.109.250.1
-
8.8.8.8:53www.888promos.comdns
DNS Request
www.888promos.com
DNS Response
217.147.127.160