Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 20:17 UTC

General

  • Target

    14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe

  • Size

    165KB

  • MD5

    14c916f564d38ab6a1f2433acb77b40c

  • SHA1

    fb1840eca54075edf9daf1afe6abbd8ca254bb5e

  • SHA256

    5ea3ba4978a6d36f509aa3bcf8b11fe6b6ce0bcae53afeb20a1bfd97c9af56c1

  • SHA512

    3ddcd21a371b4d7ef6b7fbbeaa637439935644bc11aca931f0bb81df2f46561d7a878ef4be0bd6eb3a7e51c8b601fcc050634f3aab96ac508511026e258c1bec

  • SSDEEP

    3072:Y4HCWau/PlYeuL7ZLFh6Ca6cbL9l2hzB3fJCC6j8+Er6ez4w:HiI/PlY37ZLF4Ca6WABqBOvsw

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe
      "C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe" ins.exe /e6932806 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2116

Network

  • flag-us
    DNS
    api.socdn.com
    ins8397.exe
    Remote address:
    8.8.8.8:53
    Request
    api.socdn.com
    IN A
    Response
    api.socdn.com
    IN CNAME
    615321.parkingcrew.net
    615321.parkingcrew.net
    IN A
    13.248.148.254
    615321.parkingcrew.net
    IN A
    76.223.26.96
  • flag-us
    GET
    http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/config
    ins8397.exe
    Remote address:
    13.248.148.254:80
    Request
    GET /installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/config HTTP/1.1
    User-Agent: DownloadMR/3.0.21 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
    Accept-Language: en-US
    Host: api.socdn.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ch: viewport-width
    Accept-Ch: dpr
    Accept-Ch: device-memory
    Accept-Ch: rtt
    Accept-Ch: downlink
    Accept-Ch: ect
    Accept-Ch: ua
    Accept-Ch: ua-full-version
    Accept-Ch: ua-platform
    Accept-Ch: ua-platform-version
    Accept-Ch: ua-arch
    Accept-Ch: ua-model
    Accept-Ch: ua-mobile
    Accept-Ch-Lifetime: 30
    Content-Type: text/html; charset=UTF-8
    Date: Fri, 04 Oct 2024 20:17:42 GMT
    Server: Caddy
    Server: nginx
    Vary: Accept-Encoding
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_DHvbVZ6DQVzckbTKO7jkIuRK8uk3Q5jNDpbHOqzq9hf2alf2C3xYQzGNltcjAltNoD8O6A5edZUWhghlb0y00w==
    X-Buckets: bucket102
    X-Domain: socdn.com
    X-Language: english
    X-Pcrew-Blocked-Reason: hosting network
    X-Pcrew-Ip-Organization: Datacamp
    X-Redirect: skenzo
    X-Subdomain: api
    X-Template: tpl_CleanPeppermintBlack_twoclick
    Transfer-Encoding: chunked
  • flag-us
    POST
    http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/event
    ins8397.exe
    Remote address:
    13.248.148.254:80
    Request
    POST /installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/event HTTP/1.1
    User-Agent: DownloadMR/3.0.21 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
    Accept-Language: en-US
    Content-Type: application/x-www-form-urlencoded
    Host: api.socdn.com
    Content-Length: 3401
    Expect: 100-continue
    Response
    HTTP/1.1 100 Continue
    Server: Caddy
  • flag-us
    DNS
    ins8397.exe
    Remote address:
    13.248.148.254:80
    Response
    HTTP/1.1 200 OK
    Accept-Ch: viewport-width
    Accept-Ch: dpr
    Accept-Ch: device-memory
    Accept-Ch: rtt
    Accept-Ch: downlink
    Accept-Ch: ect
    Accept-Ch: ua
    Accept-Ch: ua-full-version
    Accept-Ch: ua-platform
    Accept-Ch: ua-platform-version
    Accept-Ch: ua-arch
    Accept-Ch: ua-model
    Accept-Ch: ua-mobile
    Accept-Ch-Lifetime: 30
    Content-Type: text/html; charset=UTF-8
    Date: Fri, 04 Oct 2024 20:17:42 GMT
    Server: Caddy
    Server: nginx
    Vary: Accept-Encoding
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_CBd+jIb6Vt3earOrtGLAhAn9E/WD5SP1pwbjc63SL8wXPimN7iKIMJwYUXc+iurjd/36LHj+JVIuDig41PNrkw==
    X-Buckets: bucket102
    X-Domain: socdn.com
    X-Language: english
    X-Pcrew-Blocked-Reason: hosting network
    X-Pcrew-Ip-Organization: Datacamp
    X-Redirect: skenzo
    X-Subdomain: api
    X-Template: tpl_CleanPeppermintBlack_twoclick
    Transfer-Encoding: chunked
  • 13.248.148.254:80
    http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/event
    http
    ins8397.exe
    4.8kB
    9.0kB
    13
    14

    HTTP Request

    GET http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/config

    HTTP Response

    200

    HTTP Request

    POST http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/event

    HTTP Response

    100

    HTTP Response

    200
  • 8.8.8.8:53
    api.socdn.com
    dns
    ins8397.exe
    59 B
    127 B
    1
    1

    DNS Request

    api.socdn.com

    DNS Response

    13.248.148.254
    76.223.26.96

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe

    Filesize

    257KB

    MD5

    ae117f47bd80e5dcf72cf81347fceb73

    SHA1

    1cd3e4c5fc9fb317b7a8eae6c94d53078800b635

    SHA256

    49b0ec8a4000cb30f15b318bef4b6f59be2d0f7365be4c4b2b4fd5607e16e23c

    SHA512

    72d322ec9b13e9ede1967707129f2941328ec75487aa5ea205eab0780ef26c33f253204ce08932052a6ed19d13bd62e68b4f795ef17717b9f31e5a76a9f0c16f

  • memory/2116-20-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-17-0x0000000074771000-0x0000000074772000-memory.dmp

    Filesize

    4KB

  • memory/2116-18-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-19-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-21-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-22-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-25-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2116-26-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2120-3-0x0000000002010000-0x0000000002020000-memory.dmp

    Filesize

    64KB

  • memory/2120-0-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

  • memory/2120-23-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

  • memory/2120-24-0x0000000002010000-0x0000000002020000-memory.dmp

    Filesize

    64KB

  • memory/2120-27-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB
