Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

0745b720c0...18.exe

windows7-x64

7

0745b720c0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2024, 20:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    0745b720c0330c64f6047024027b0fe7

  • SHA1

    b10bed81a1245e84f34378307d24e0c38f28ee06

  • SHA256

    742d365f0f9001602ee3c0734bcef4a44cde92fd29a69d48247b1ac60a30e726

  • SHA512

    742e5831bbd41aa8ad0e8161cbdc41d8d4d994c01ff9358933d0f93f4f7fdbcedc24a779f4a5ced499bdc138e0f3b37edbc835fcd976bdfe06d17457a8b891de

  • SSDEEP

    24576:foYx5sXo6cgL8/b2FAiU4DhEr/cJzz00F5JAn/KJd3AouffPD/gEOao3bzMUXuGH:forXVg/bU9URUZQuoivYPD/71orzMiNH

Score
7/10
adwarediscoveryspywarestealer

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\PlaySushi\PSText.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\PlaySushi\PSText.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2900

Network

  • flag-us
    DNS
    www.playsushi.com
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.playsushi.com
    IN A
    Response
    www.playsushi.com
    IN CNAME
    traff-3.hugedomains.com
    traff-3.hugedomains.com
    IN CNAME
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    IN A
    3.19.116.195
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    IN A
    3.18.7.81
  • flag-us
    GET
    http://www.playsushi.com/aj/inst.php?p=tLT%2Fyu7CwdO1u7G6sLGyyPD65vXgt7b%2FssG0x7e7xbTGu7a2tLfAwv%2Bj%2F7Ozs7Kzs7Oz%2F8zI%2F8zI
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    3.19.116.195:80
    Request
    GET /aj/inst.php?p=tLT%2Fyu7CwdO1u7G6sLGyyPD65vXgt7b%2FssG0x7e7xbTGu7a2tLfAwv%2Bj%2F7Ozs7Kzs7Oz%2F8zI%2F8zI HTTP/1.1
    User-Agent: psi v2.0.366
    Host: www.playsushi.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Tue, 01 Oct 2024 20:17:59 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=playsushi.com
  • flag-us
    DNS
    www.hugedomains.com
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    172.67.70.191
    www.hugedomains.com
    IN A
    104.26.6.37
    www.hugedomains.com
    IN A
    104.26.7.37
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=playsushi.com
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=playsushi.com HTTP/1.1
    User-Agent: psi v2.0.366
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Tue, 01 Oct 2024 20:18:00 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: site_version_phase=108; expires=Fri, 26-Sep-2025 20:18:00 GMT; path=/
    set-cookie: site_version=HDv3; expires=Fri, 26-Sep-2025 20:18:00 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COAqe1fnY5O2y1%2Fyp6qcPwmOSzZVnrJV5yNxAgt2EFIK9ZYUrbW9uROH%2BNNF8v0jnySBaecQZ27fOO2wx%2FHh0JwQkPH2NnPwXMWbUJDXcI%2F8oKt%2BX%2BJF%2B0GyjZcOg1W6tXB%2BqAY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cbf23b13e5a94d9-LHR
  • flag-us
    DNS
    c.pki.goog
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.227
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 01 Oct 2024 19:45:21 GMT
    Expires: Tue, 01 Oct 2024 20:35:21 GMT
    Cache-Control: public, max-age=3000
    Age: 1959
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 01 Oct 2024 19:30:15 GMT
    Expires: Tue, 01 Oct 2024 20:20:15 GMT
    Cache-Control: public, max-age=3000
    Age: 2865
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.117.10
    a1363.dscg.akamai.net
    IN A
    2.19.117.18
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.117.10:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 0d86e878-601e-0013-6cbc-0f73e6000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Tue, 01 Oct 2024 20:18:30 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    2.22.45.146
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    2.22.45.146:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: cyz+t2uRxNE5eKALjGZu1w==
    Last-Modified: Sun, 18 Aug 2024 00:23:49 GMT
    ETag: 0x8DCBF1C07FCB4BF
    x-ms-request-id: 3d9a63db-b01e-003f-7816-f39f49000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Tue, 01 Oct 2024 20:18:31 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV1b378e25.0
    ms-cv-esi: CASMicrosoftCV1b378e25.0
    X-RTag: RT
  • 3.19.116.195:80
    http://www.playsushi.com/aj/inst.php?p=tLT%2Fyu7CwdO1u7G6sLGyyPD65vXgt7b%2FssG0x7e7xbTGu7a2tLfAwv%2Bj%2F7Ozs7Kzs7Oz%2F8zI%2F8zI
    http
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    748 B
     284 B
     12
    3

    HTTP Request

    GET http://www.playsushi.com/aj/inst.php?p=tLT%2Fyu7CwdO1u7G6sLGyyPD65vXgt7b%2FssG0x7e7xbTGu7a2tLfAwv%2Bj%2F7Ozs7Kzs7Oz%2F8zI%2F8zI

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=playsushi.com
    tls, http
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    1.8kB
     49.2kB
     29
    47

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=playsushi.com

    HTTP Response

    200
  • 142.250.179.227:80
    http://c.pki.goog/r/r4.crl
    http
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    606 B
     5.0kB
     8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 2.19.117.10:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
     1.7kB
     4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 2.22.45.146:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
     1.7kB
     4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    www.playsushi.com
    dns
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    63 B
     193 B
     1
    1

    DNS Request

    www.playsushi.com

    DNS Response

    3.19.116.195
    3.18.7.81

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    65 B
     113 B
     1
    1

    DNS Request

    www.hugedomains.com

    DNS Response

    172.67.70.191
    104.26.6.37
    104.26.7.37

  • 8.8.8.8:53
    c.pki.goog
    dns
    0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.227

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.117.10
    2.19.117.18

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
     230 B
     1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    2.22.45.146

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\PlaySushi\PSText.dll
    Filesize

    338KB

    MD5

    5b423b4dcae4f711c0eff1ded431e29e

    SHA1

    b86518fd4dcb4197fea1f46e72b8d031d82f0523

    SHA256

    7aef51bfd9461e2770c96738808f22140db7f31e5b2c33fa7bdb72e3ebf53e02

    SHA512

    c063058cbc7fb567092141b7d574ac34dfd7b343329935385c4eff990a988b587bbebd672e8eb52f8671044c222093d8db7ad22634209a111cfac20df8cf1fac

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.