Analysis

  • max time kernel
    131s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/10/2024, 19:54 UTC

General

  • Target

    104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe

  • Size

    209KB

  • MD5

    104f03b8c2a1c3fef07ad40252eabaf0

  • SHA1

    0bb24d93dfa55faae4f638b0afe7baa07060a821

  • SHA256

    0ca066f7c7593213a2d2460e4e2d1e047be07bee9b81b4285105f35e6757fdb5

  • SHA512

    ddff96e38d191f2e8584e62d47b80fa46f4c0087cfe9c5aa758ebb96a22e674bdbad3b90435de50a14612fdf29d4198c599d2f30bcbc811d4a6df151769101c4

  • SSDEEP

    6144:8e34jgKL+k+imkXFjMvKf0XFwS4+gGlYqPsu4uO:Sh+7oSvKmFwS4csL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe
      "C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe" -ctid=CT3295790
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2416
    • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe" -ctid=CT3307181 -ie -ff -ch -installid=cidEVX -defaultsearch=false -startpage=false -searchrevert=false
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2388

Network

  • DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
  • DNS
    ism-usage.conduit-data.com
    mism.exe
    Remote address:
    8.8.8.8:53
    Request
    ism-usage.conduit-data.com
    IN A
    Response
    ism-usage.conduit-data.com
    IN A
    127.0.0.1
  • DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    storage.conduit.com
    mconduitinstaller.exe
    Remote address:
    8.8.8.8:53
    Request
    storage.conduit.com
    IN A
    Response
    storage.conduit.com
    IN CNAME
    storage.va.conduit.com
    storage.va.conduit.com
    IN A
    199.101.114.141
  • DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
  • DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    usage.integration.toolbar.conduit-services.com
    mconduitinstaller.exe
    Remote address:
    8.8.8.8:53
    Request
    usage.integration.toolbar.conduit-services.com
    IN A
    Response
    usage.integration.toolbar.conduit-services.com
    IN CNAME
    origin-integrationusage.conduit-services.com
    origin-integrationusage.conduit-services.com
    IN CNAME
    usage.integration.toolbar.ams.conduit-services.com
    usage.integration.toolbar.ams.conduit-services.com
    IN A
    195.78.120.115
  • DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:80
    mism.exe
  • 199.101.114.141:80
    storage.conduit.com
    mism.exe
    260 B
    5
  • 199.101.114.141:80
    storage.conduit.com
    mism.exe
    260 B
    5
  • 199.101.114.141:80
    storage.conduit.com
    mism.exe
    260 B
    5
  • 127.0.0.1:80
    mism.exe
  • 195.78.120.115:80
    usage.integration.toolbar.conduit-services.com
    mconduitinstaller.exe
    260 B
    5
  • 199.101.114.141:80
    storage.conduit.com
    mconduitinstaller.exe
    260 B
    5
  • 199.101.114.141:80
    storage.conduit.com
    mconduitinstaller.exe
    260 B
    5
  • 199.101.114.141:80
    storage.conduit.com
    mconduitinstaller.exe
    260 B
    5
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    140 B
    144 B
    2
    1

    DNS Request

    58.55.71.13.in-addr.arpa

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    ism-usage.conduit-data.com
    dns
    mism.exe
    72 B
    88 B
    1
    1

    DNS Request

    ism-usage.conduit-data.com

    DNS Response

    127.0.0.1

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    storage.conduit.com
    dns
    mconduitinstaller.exe
    65 B
    106 B
    1
    1

    DNS Request

    storage.conduit.com

    DNS Response

    199.101.114.141

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    146 B
    147 B
    2
    1

    DNS Request

    133.211.185.52.in-addr.arpa

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    usage.integration.toolbar.conduit-services.com
    dns
    mconduitinstaller.exe
    92 B
    190 B
    1
    1

    DNS Request

    usage.integration.toolbar.conduit-services.com

    DNS Response

    195.78.120.115

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe

    Filesize

    79KB

    MD5

    446623160a87bcb075c3b9a3c8827ca9

    SHA1

    3afb53ddfc81a47e4335b232481f8d3a7469b1e5

    SHA256

    7df4c34b251c34f098d75248d779b1aa5e2a2b08625ada510392a5f363cb15ba

    SHA512

    5e883d4fc8f6bc25a46b17f081028b3f1964b45c6ebfd907c8fd9d9f36fe0fec25cff2859c8a905b0aac2c863898af88bbcb35e3291f7e453c53be5678d75f16

  • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe

    Filesize

    79KB

    MD5

    cb7d8f3ee1cdb0b87f2e82425f429096

    SHA1

    3e37507bbd4c0287689634b2cdd77e59679681af

    SHA256

    da7802010b8a3e1e1d34c6bb735c397d22d65eae71dcb41e6f960c8eb61860ab

    SHA512

    4f7b59da39fad51da5acaf112e98da7f4cec64cccfcdee046ecde6ec701c2573927e3f7ae12f261a4e4a49f0785ac61eafa3bb05258e2175162dc6071365ce0c

  • C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

  • C:\Users\Admin\AppData\Local\Temp\nskB8E1.tmp\InetC.dll

    Filesize

    23KB

    MD5

    7760daf1b6a7f13f06b25b5a09137ca1

    SHA1

    cc5a98ea3aa582de5428c819731e1faeccfcf33a

    SHA256

    5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

    SHA512

    d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

  • C:\Users\Admin\AppData\Local\Temp\nskB8E1.tmp\System.dll

    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
