Analysis

  • max time kernel
    58s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 03:53 UTC

General

  • Target

    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe

  • Size

    770KB

  • MD5

    1f70ce5c67b3381a16c9edcd2ef16a04

  • SHA1

    1f3746b68606f3ea96735c4af90df0e96d6b1ea2

  • SHA256

    474f66d3344f0a29d6484ab7de9e11e6a293a5d5c719508c91b9bc7d673ce545

  • SHA512

    e537fc2f58f9cb314a8da3319c33a31c151bf47283f4822cc5204192f2b51d11a4a02c3c12579ec14b955d9c1a0846e3cb568b86bf416640ea4b800e8cb7aa68

  • SSDEEP

    12288:qi8ztcfLUVq0OwHK7zz9NzyT0wlWSMZmbhpmXSzf2FteyC6qn6m5U85O:qi8JKuOnnvWfnhPisyg5

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.rainspor.com
  • Port:
    587
  • Username:
    assad@rainspor.com
  • Password:
    assad123assad
  • Email To:
    assad@rainspor.com

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1624
        3⤵
        • Program crash
        PID:2620

Network

  • DNS (US)
    checkip.dyndns.org
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
  • GET (US)
    http://checkip.dyndns.org/
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 14:46:32 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 568797638d6af67ac55622628e1ef878
  • GET (US)
    http://checkip.dyndns.org/
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 14:46:35 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b64bd8bb3a8ff3caf7d44a142ae5e329
  • DNS (US)
    freegeoip.app
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    172.67.160.84
    freegeoip.app
    IN A
    104.21.73.97
  • GET (US)
    https://freegeoip.app/xml/138.199.29.44
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    172.67.160.84:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 08 Oct 2024 14:46:38 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 08 Oct 2024 15:46:38 GMT
    Location: https://ipbase.com/xml/138.199.29.44
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fo8%2BYkLl%2BfqMadCUlK9ZGC6JOHcHimebtlcg%2Bz%2Ba5eM9O5vFwN5Rw9GREzb%2FXUvnysxA1nbPbaYnv6b8XugOaeu4kZCz19Hax%2Fh%2BxjF2Lfg3XMjn%2BgxJ3zhKSn22qv60"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cf6ebe9ee5648c8-LHR
  • DNS (US)
    ipbase.com
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    172.67.209.71
    ipbase.com
    IN A
    104.21.85.189
  • GET (US)
    https://ipbase.com/xml/138.199.29.44
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    Remote address:
    172.67.209.71:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 14:46:38 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 4916
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; hit
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01J9P9HBTMX4YWGAJZ5H1YB0X6
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YuV5vIi%2BFFv6tC%2BknZIqTvmpnDO8hY1dds9hQb4dvexGUDK9xF7vsOVa6WqjDP71jHrlv5ZZ3fYa7lFfl%2Bhc%2F3o6WSKXGhed%2FmSP1JYH0Assw5HcGFvpTad832xw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cf6ebeb7916070a-LHR
  • 193.122.130.0:80
    http://checkip.dyndns.org/
    http
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    594 B
    816 B
    7
    4

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.160.84:443
    https://freegeoip.app/xml/138.199.29.44
    tls, http
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    776 B
    4.1kB
    9
    8

    HTTP Request

    GET https://freegeoip.app/xml/138.199.29.44

    HTTP Response

    301
  • 172.67.209.71:443
    https://ipbase.com/xml/138.199.29.44
    tls, http
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    813 B
    7.3kB
    10
    12

    HTTP Request

    GET https://ipbase.com/xml/138.199.29.44

    HTTP Response

    404
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.130.0
    132.226.247.73
    193.122.6.168
    132.226.8.169
    158.101.44.242

  • 8.8.8.8:53
    freegeoip.app
    dns
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    59 B
    91 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    172.67.160.84
    104.21.73.97

  • 8.8.8.8:53
    ipbase.com
    dns
    1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    172.67.209.71
    104.21.85.189

Downloads

  • memory/1452-0-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

  • memory/1452-1-0x0000000000FE0000-0x00000000010A6000-memory.dmp

    Filesize

    792KB

  • memory/1452-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/1452-3-0x00000000008E0000-0x00000000008F6000-memory.dmp

    Filesize

    88KB

  • memory/1452-4-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

  • memory/1452-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/1452-6-0x0000000005380000-0x000000000540C000-memory.dmp

    Filesize

    560KB

  • memory/1452-7-0x0000000005240000-0x0000000005264000-memory.dmp

    Filesize

    144KB

  • memory/1452-23-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2920-18-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-10-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-20-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-22-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2920-14-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-12-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-9-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2920-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2920-25-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2920-26-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2920-27-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2920-28-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB
