Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

163e8df577...18.exe

windows7-x64

7

163e8df577...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 04:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    163e8df577ef8722e408912466367f50_JaffaCakes118.exe

  • Size

    514KB

  • MD5

    163e8df577ef8722e408912466367f50

  • SHA1

    9df6fd0508a900bbf6213b4b0529ad7b2a84bfe7

  • SHA256

    2fd7ba0ea36b5087c441662ba65f8c0fce99e8881df66223bddf147ed6fe2440

  • SHA512

    e024a5a1431d0c3a44c1d89910ad793dd4c2c6b048c300028bd7b997153dcf54246ad7bdac78806b0015631380d4c153486f58b7d76f7eb1370995cff6651fda

  • SSDEEP

    6144:st9sTEcg7/EpK3ee4wgv3KN+xIISYswjAel0bQz9iRSZkB3Ju/H:s6Dg7cnwgv3xxdhYoZklJuP

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\163e8df577ef8722e408912466367f50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\163e8df577ef8722e408912466367f50_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\163e8df577ef8722e408912466367f50_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\163e8df577ef8722e408912466367f50_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\ProgramData\npSdTjUNfCjePP8Z\eXHN9FiJJ05Uk3kM.exe
        "C:\ProgramData\npSdTjUNfCjePP8Z\eXHN9FiJJ05Uk3kM.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\ProgramData\npSdTjUNfCjePP8Z\eXHN9FiJJ05Uk3kM.exe
          "C:\ProgramData\npSdTjUNfCjePP8Z\eXHN9FiJJ05Uk3kM.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
            "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /i:1852
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3480

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    c.g3log.com.br
    VSTOInstaller.exe
    Remote address:
    8.8.8.8:53
    Request
    c.g3log.com.br
    IN A
    Response
  • flag-us
    DNS
    c.g3log.com.br
    VSTOInstaller.exe
    Remote address:
    8.8.8.8:53
    Request
    c.g3log.com.br
    IN A
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    132 B
     90 B
     2
    1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    146 B
     147 B
     2
    1

    DNS Request

    217.106.137.52.in-addr.arpa

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    219 B
     144 B
     3
    1

    DNS Request

    240.221.184.93.in-addr.arpa

    DNS Request

    240.221.184.93.in-addr.arpa

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    c.g3log.com.br
    dns
    VSTOInstaller.exe
    120 B
     120 B
     2
    1

    DNS Request

    c.g3log.com.br

    DNS Request

    c.g3log.com.br

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
     144 B
     2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    210 B
     144 B
     3
    1

    DNS Request

    18.31.95.13.in-addr.arpa

    DNS Request

    18.31.95.13.in-addr.arpa

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    144 B
     158 B
     2
    1

    DNS Request

    154.239.44.20.in-addr.arpa

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\npSdTjUNfCjePP8Z\RCX591C.tmp
    Filesize

    514KB

    MD5

    e072f64684d74a7889a71014a2eab51d

    SHA1

    2a5b8486d385b22f4351ea68540f8838979347bc

    SHA256

    b5b199986ad28928e641186dbe1e499de9bb15fe0a792cf4d1e4e74eb37878be

    SHA512

    1b2372455e2a1b6fc2eecc86b5e4768d28d140f43e4d29df6f82d1eac273cb6a1b195579d721798d5f420ce1d8c8c85885f3e39fb9e6570dcf880c13490deace

    Download Submit

  • C:\ProgramData\npSdTjUNfCjePP8Z\eXHN9FiJJ05Uk3kM.exe
    Filesize

    514KB

    MD5

    163e8df577ef8722e408912466367f50

    SHA1

    9df6fd0508a900bbf6213b4b0529ad7b2a84bfe7

    SHA256

    2fd7ba0ea36b5087c441662ba65f8c0fce99e8881df66223bddf147ed6fe2440

    SHA512

    e024a5a1431d0c3a44c1d89910ad793dd4c2c6b048c300028bd7b997153dcf54246ad7bdac78806b0015631380d4c153486f58b7d76f7eb1370995cff6651fda

    Download Submit

  • memory/1852-42-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1852-43-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1852-29-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3480-40-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4200-28-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4200-26-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/4200-24-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4492-2-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/4492-0-0x0000000075AA0000-0x0000000075AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4768-3-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4768-21-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4768-18-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4768-5-0x0000000075A80000-0x0000000075B70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4768-4-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4768-1-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.