
Analysis

  • max time kernel
    145s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/10/2024, 16:22 UTC

General

  • Target

    227e526e84bc7e118b496cfee86ce4b7_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    227e526e84bc7e118b496cfee86ce4b7

  • SHA1

    41aae57a7fc7398a88b880a14763107df6fa4131

  • SHA256

    68bdb87f19368095d755bf7a809c7c7dd8cc055815d368d142b9dbbcc9c35539

  • SHA512

    02344933b0f320a38aa3c3f8965610a18b84df172690e93a3bfb566320ca0ddda269cd07449d26d95c26680cc37f4329de53ac8e716ef8b8397024832b7ac89e

  • SSDEEP

    12288:3gqWIG2iNqqoViD1YNFXoQvTOsfOsPWWTcXWZQvJBAMDxZVZ5fYk:XG14MY5TOsGsPe3AM1b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    zinco
  • Password:
    computer147
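The extracted config gives the exfiltration channel in full (FTP, host, port, user name, password), so a network analyst can match an FTP control channel against it. The Python below is an added example for this report, not tria.ge tooling. The transcript it parses is constructed to resemble the session this config would open; no FTP session appears in the report's own Network section, which only records Windows telemetry to g.bing.com and reverse DNS lookups within the 96 s capture. The PW_/KL_/SC_ upload-name prefixes are an assumption drawn from commonly reported AgentTesla behaviour, not something this report shows. Note that files.000webhost.com is a shared free-hosting service, so the hostname alone is a poor block-list entry; the user name and password pair is what identifies this build.

```python
"""Match an FTP control-channel transcript against the AgentTesla FTP
credentials extracted in this report.  Added example; not tria.ge code.
The transcript is constructed to look like the session this config would
produce and is not a real capture."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Copied from the report's 'Malware Config' section.
EXTRACTED_CONFIG = {
    "protocol": "ftp",
    "host": "ftp://files.000webhost.com/",
    "port": 21,
    "username": "zinco",
    "password": "computer147",
}

# Constructed transcript; 'C:' lines are the client, 'S:' lines the server.
SAMPLE_TRANSCRIPT = """\
S: 220 FTP Server ready.
C: USER zinco
S: 331 Password required for zinco
C: PASS computer147
S: 230 User zinco logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: STOR PW_Admin-DESKTOP-ABC123_2024_10_08_16_22_10.html
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye.
"""

# Upload-name prefixes commonly reported for AgentTesla; an assumption for
# this example, not something the report itself states.
UPLOAD_PREFIXES = {"PW_": "credentials", "KL_": "keylog", "SC_": "screenshot"}


@dataclass
class FtpSession:
    dst_host: str
    dst_port: int
    user: Optional[str] = None
    password: Optional[str] = None
    uploads: List[str] = field(default_factory=list)


_CLIENT_CMD = re.compile(r"^C:\s*(?P<verb>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def parse_ftp_session(transcript: str, dst_host: str, dst_port: int = 21) -> FtpSession:
    """Pull the login and any uploads out of the control channel."""
    s = FtpSession(dst_host, dst_port)
    for line in transcript.splitlines():
        m = _CLIENT_CMD.match(line.strip())
        if not m:
            continue
        verb = m.group("verb").upper()
        arg = (m.group("arg") or "").strip()
        if verb == "USER":
            s.user = arg
        elif verb == "PASS":
            s.password = arg
        elif verb in ("STOR", "STOU", "APPE"):
            s.uploads.append(arg)
    return s


def config_hostname(config) -> str:
    # The extracted 'Host' field is a URL, so keep only its hostname.
    return (urlparse(config["host"]).hostname or config["host"]).lower()


def match_config(session: FtpSession, config) -> List[str]:
    """Config fields the session matched.  Host and port are weak on their
    own (shared hosting); user name plus password identifies this build."""
    hits = []
    if session.dst_host.lower() == config_hostname(config):
        hits.append("host")
    if session.dst_port == config["port"]:
        hits.append("port")
    if session.user == config["username"]:
        hits.append("username")
    if session.password == config["password"]:
        hits.append("password")
    return hits


def is_agenttesla_exfil(session: FtpSession, config) -> bool:
    hits = match_config(session, config)
    return "username" in hits and "password" in hits


def classify_uploads(session: FtpSession) -> List[str]:
    """Label each uploaded file by its (assumed) AgentTesla name prefix."""
    return [UPLOAD_PREFIXES.get(name[:3], "unknown") for name in session.uploads]
```

The check deliberately requires both credential fields to match: a session to the same shared host with different credentials is some other 000webhost customer, not this sample.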

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; its early versions were written in Visual Basic .NET.

  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographic location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\227e526e84bc7e118b496cfee86ce4b7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\227e526e84bc7e118b496cfee86ce4b7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JDHTKicp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AAC.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3896
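The process tree shows the two behaviours worth alerting on: the sample creates a scheduled task from an XML file in the user's Temp directory, and it starts the .NET framework utility RegSvcs.exe with no arguments and then uses SetThreadContext and WriteProcessMemory on it, the usual shape of process hollowing into a signed Microsoft binary. The Python below is an added example for this report (not tria.ge code) that runs two such rules over Sysmon-style process-creation events. The events are constructed from the tree above plus one benign control; the field names (Image, CommandLine, ParentImage, ProcessId) follow Sysmon's Event ID 1 naming, and the list of hollowing hosts beyond RegSvcs.exe is an assumption from common tradecraft, not something this report shows. One caveat the report illustrates directly: the schtasks image is listed as C:\Windows\SysWOW64\schtasks.exe while its command line names System32, because the 32-bit parent (the analysis is tagged arch:x86) is subject to WoW64 file-system redirection, so the rules match on the image basename rather than the full path.

```python
"""Two process-creation rules derived from this report's process tree.
Added example; not tria.ge code.  Events are constructed from the report
(PIDs 4024, 4060, 3896) plus a benign control (PID 5100); the parent PID
and image for 4024 are made up for the example."""
import re
from typing import Dict, List, Optional

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\227e526e84bc7e118b496cfee86ce4b7_JaffaCakes118.exe"

SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 4024, "ParentProcessId": 1234, "Image": SAMPLE_IMAGE,
     "ParentImage": r"C:\Windows\explorer.exe",            # constructed
     "CommandLine": '"' + SAMPLE_IMAGE + '"'},
    {"ProcessId": 4060, "ParentProcessId": 4024,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE_IMAGE,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JDHTKicp" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6AAC.tmp"'},
    {"ProcessId": 3896, "ParentProcessId": 4024,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": SAMPLE_IMAGE,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Benign control (constructed): an installer registering a real assembly.
    {"ProcessId": 5100, "ParentProcessId": 900,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" '
                    r'"C:\Program Files\Vendor\Vendor.Service.dll"'},
]

# Directories a standard user can write to; substring match on the lowercased path.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads", r"\users\public")
# .NET utilities commonly hollowed because they are signed and normally quiet.
# RegSvcs.exe is from the report; the rest are an assumption from common tradecraft.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def split_cmdline(cmd: str) -> List[str]:
    """Windows-style split: quoted tokens stay whole, quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def check_schtasks_xml(ev: Dict) -> Optional[Dict]:
    """schtasks /Create ... /XML <file> where the XML lives in a user-writable dir."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    args = split_cmdline(ev["CommandLine"])
    pos = {a.lower(): i for i, a in enumerate(args)}
    if "/create" not in pos or "/xml" not in pos or pos["/xml"] + 1 >= len(args):
        return None
    xml_path = args[pos["/xml"] + 1]
    if not in_user_writable(xml_path):
        return None
    task = args[pos["/tn"] + 1] if "/tn" in pos and pos["/tn"] + 1 < len(args) else "?"
    return {"rule": "schtasks_xml_from_user_dir", "pid": ev["ProcessId"],
            "task": task, "xml": xml_path}


def check_hollow_host(ev: Dict) -> Optional[Dict]:
    """A known hollowing host started with no arguments by a parent in a user dir."""
    if basename(ev["Image"]) not in HOLLOW_HOSTS:
        return None
    if len(split_cmdline(ev["CommandLine"])) > 1:
        return None   # legitimate use passes an assembly or project path
    if not in_user_writable(ev["ParentImage"]):
        return None
    return {"rule": "argless_dotnet_host_from_user_dir", "pid": ev["ProcessId"],
            "parent": ev["ParentImage"]}


def run_rules(events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        for rule in (check_schtasks_xml, check_hollow_host):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

On a real host the second rule is stronger when joined with the report's other observables: a parent that calls SetThreadContext and WriteProcessMemory on the argless child (Sysmon Event ID 10 with a process-access mask, or an EDR injection event) turns a hint into a confident hollowing detection.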

Network

  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=22D92A5FC72C68BD15D33F4DC61D698A; domain=.bing.com; expires=Sun, 02-Nov-2025 20:41:28 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A610E7B4D7EA4258AE34E9D9B86E266F Ref B: LON601060102060 Ref C: 2024-10-08T20:41:28Z
    date: Tue, 08 Oct 2024 20:41:27 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=22D92A5FC72C68BD15D33F4DC61D698A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=-DS6zfQJqpAmqahUHZQ0B8_kjYkN_UM9o-71NPNm3HE; domain=.bing.com; expires=Sun, 02-Nov-2025 20:41:28 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E0B42146BB6545B58D9EB10727D97985 Ref B: LON601060102060 Ref C: 2024-10-08T20:41:28Z
    date: Tue, 08 Oct 2024 20:41:27 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=22D92A5FC72C68BD15D33F4DC61D698A; MSPTC=-DS6zfQJqpAmqahUHZQ0B8_kjYkN_UM9o-71NPNm3HE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3A0EE5C1072B4007A66B7B6134F4EC1F Ref B: LON601060102060 Ref C: 2024-10-08T20:41:28Z
    date: Tue, 08 Oct 2024 20:41:27 GMT
  • DNS (US)
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS (US)
    69.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.190.18.2.in-addr.arpa
    IN PTR
    Response
    69.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-69.deploy.static.akamaitechnologies.com
  • DNS (US)
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    139.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.190.18.2.in-addr.arpa
    IN PTR
    Response
    139.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-139.deploy.static.akamaitechnologies.com
  • DNS (US)
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • DNS (US)
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443 (g.bing.com)
    protocol: tls, http2; sent: 2.0kB; received: 9.4kB; packets: 22 sent / 19 received

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    HTTP Response
    204

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    HTTP Response
    204

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    HTTP Response
    204
  • 8.8.8.8:53 (g.bing.com)
    protocol: dns; sent: 56 B; received: 148 B; packets: 1 sent / 1 received
    DNS Request: g.bing.com
    DNS Response: 150.171.28.10, 150.171.27.10
  • 8.8.8.8:53 (8.8.8.8.in-addr.arpa)
    protocol: dns; sent: 66 B; received: 90 B; packets: 1 sent / 1 received
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53 (69.190.18.2.in-addr.arpa)
    protocol: dns; sent: 70 B; received: 133 B; packets: 1 sent / 1 received
    DNS Request: 69.190.18.2.in-addr.arpa
  • 8.8.8.8:53 (73.31.126.40.in-addr.arpa)
    protocol: dns; sent: 71 B; received: 157 B; packets: 1 sent / 1 received
    DNS Request: 73.31.126.40.in-addr.arpa
  • 8.8.8.8:53 (95.221.229.192.in-addr.arpa)
    protocol: dns; sent: 73 B; received: 144 B; packets: 1 sent / 1 received
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 (43.58.199.20.in-addr.arpa)
    protocol: dns; sent: 71 B; received: 157 B; packets: 1 sent / 1 received
    DNS Request: 43.58.199.20.in-addr.arpa
  • 8.8.8.8:53 (197.87.175.4.in-addr.arpa)
    protocol: dns; sent: 71 B; received: 157 B; packets: 1 sent / 1 received
    DNS Request: 197.87.175.4.in-addr.arpa
  • 8.8.8.8:53 (15.164.165.52.in-addr.arpa)
    protocol: dns; sent: 72 B; received: 146 B; packets: 1 sent / 1 received
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53 (139.190.18.2.in-addr.arpa)
    protocol: dns; sent: 71 B; received: 135 B; packets: 1 sent / 1 received
    DNS Request: 139.190.18.2.in-addr.arpa
  • 8.8.8.8:53 (73.190.18.2.in-addr.arpa)
    protocol: dns; sent: 70 B; received: 133 B; packets: 1 sent / 1 received
    DNS Request: 73.190.18.2.in-addr.arpa
  • 8.8.8.8:53 (23.236.111.52.in-addr.arpa)
    protocol: dns; sent: 72 B; received: 158 B; packets: 1 sent / 1 received
    DNS Request: 23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6AAC.tmp

    Filesize

    1KB

    MD5

    61fbb94972dcb7b8d1bd1ff3043a4af2

    SHA1

    b763e9a76eb9ba7673128c8493fd47b4f6aef52d

    SHA256

    b52ca73c0d72e5e6c0124ec019fafdeb4c9dd611b0cabde036649c0900247980

    SHA512

    a332a91d18beb35006f84fd6628863df51770f70cafafb573f4dba2c73fbebd4f00c940d156ce2e4ad6cd04af62a08f5aef9b12e11739024165bc5f72a7fa653

  • memory/3896-29-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-28-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-27-0x00000000010B0000-0x0000000001100000-memory.dmp

    Filesize

    320KB

  • memory/3896-26-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-25-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-24-0x0000000006070000-0x00000000060D6000-memory.dmp

    Filesize

    408KB

  • memory/3896-23-0x00000000052F0000-0x0000000005308000-memory.dmp

    Filesize

    96KB

  • memory/3896-22-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-20-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/3896-18-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/4024-6-0x00000000053E0000-0x0000000005436000-memory.dmp

    Filesize

    344KB

  • memory/4024-7-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-11-0x0000000002AE0000-0x0000000002B7E000-memory.dmp

    Filesize

    632KB

  • memory/4024-10-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-9-0x00000000751AE000-0x00000000751AF000-memory.dmp

    Filesize

    4KB

  • memory/4024-21-0x00000000751A0000-0x0000000075950000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-8-0x0000000005740000-0x000000000575E000-memory.dmp

    Filesize

    120KB

  • memory/4024-12-0x000000000A000000-0x000000000A03C000-memory.dmp

    Filesize

    240KB

  • memory/4024-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

    Filesize

    4KB

  • memory/4024-5-0x0000000005190000-0x000000000519A000-memory.dmp

    Filesize

    40KB

  • memory/4024-4-0x0000000005250000-0x00000000052E2000-memory.dmp

    Filesize

    584KB

  • memory/4024-3-0x0000000005760000-0x0000000005D04000-memory.dmp

    Filesize

    5.6MB

  • memory/4024-2-0x0000000005080000-0x000000000511C000-memory.dmp

    Filesize

    624KB

  • memory/4024-1-0x0000000000700000-0x0000000000866000-memory.dmp

    Filesize

    1.4MB
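Each dump name above encodes the PID, a dump sequence number and the address range, so the list can be parsed to compare the parent (PID 4024) with the hollowed RegSvcs.exe child (PID 3896). The Python below is an added example for this report, not tria.ge code: it parses the names listed above (copied verbatim), de-duplicates regions that were dumped several times, treats a region present at the same address and size in both processes as a shared module rather than injection, and reports child regions whose size matches a non-shared parent region. On this report that yields one candidate, the 240KB region at the child's 0x400000 matching the parent's 240KB region at 0xA000000. The size match is only a hint: the dump of the child's region still has to be opened and checked (PE header, .NET metadata) before calling it the injected payload.

```python
"""Parse tria.ge memory-dump names and pair parent/child regions by size.
Added example; not tria.ge code.  REPORT_DUMPS is copied from this report's
Downloads section."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

REPORT_DUMPS = [
    "memory/3896-29-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-28-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-27-0x00000000010B0000-0x0000000001100000-memory.dmp",
    "memory/3896-26-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-25-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-24-0x0000000006070000-0x00000000060D6000-memory.dmp",
    "memory/3896-23-0x00000000052F0000-0x0000000005308000-memory.dmp",
    "memory/3896-22-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-20-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/3896-18-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/4024-6-0x00000000053E0000-0x0000000005436000-memory.dmp",
    "memory/4024-7-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/4024-11-0x0000000002AE0000-0x0000000002B7E000-memory.dmp",
    "memory/4024-10-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/4024-9-0x00000000751AE000-0x00000000751AF000-memory.dmp",
    "memory/4024-21-0x00000000751A0000-0x0000000075950000-memory.dmp",
    "memory/4024-8-0x0000000005740000-0x000000000575E000-memory.dmp",
    "memory/4024-12-0x000000000A000000-0x000000000A03C000-memory.dmp",
    "memory/4024-0-0x00000000751AE000-0x00000000751AF000-memory.dmp",
    "memory/4024-5-0x0000000005190000-0x000000000519A000-memory.dmp",
    "memory/4024-4-0x0000000005250000-0x00000000052E2000-memory.dmp",
    "memory/4024-3-0x0000000005760000-0x0000000005D04000-memory.dmp",
    "memory/4024-2-0x0000000005080000-0x000000000511C000-memory.dmp",
    "memory/4024-1-0x0000000000700000-0x0000000000866000-memory.dmp",
]


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, seq, start, size) from a tria.ge dump name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), int(m["seq"]), start, end - start


def human_size(n: int) -> str:
    """Same rounding the report uses (240KB, 7.7MB)."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_pid(names: List[str]) -> Dict[int, List[Tuple[int, int]]]:
    """pid -> sorted unique (start, size); one region is often dumped several times."""
    out = defaultdict(set)
    for name in names:
        pid, _, start, size = parse_dump_name(name)
        out[pid].add((start, size))
    return {pid: sorted(regs) for pid, regs in out.items()}


def find_injection_candidates(names: List[str], parent_pid: int, child_pid: int) -> List[Dict]:
    """Child regions whose size equals a non-shared parent region.
    A region at the same address and size in both processes is a shared
    mapping (a loaded DLL) and is excluded."""
    regs = regions_by_pid(names)
    parent, child = regs[parent_pid], regs[child_pid]
    shared = set(parent) & set(child)
    parent_by_size = defaultdict(list)
    for start, size in parent:
        if (start, size) not in shared:
            parent_by_size[size].append(start)
    candidates = []
    for start, size in child:
        if (start, size) in shared:
            continue
        for pstart in parent_by_size.get(size, []):
            candidates.append({"child_start": start, "size": size, "parent_start": pstart})
    return candidates


if __name__ == "__main__":
    for c in find_injection_candidates(REPORT_DUMPS, 4024, 3896):
        print(f"child 0x{c['child_start']:X} ({human_size(c['size'])}) "
              f"matches parent 0x{c['parent_start']:X}")
```

The 7.7MB region at 0x751A0000 is present in both processes at the same address and size and is excluded as a shared mapping; the parent's 1.4MB region at 0x700000 matches the size of the submitted file and is its own loaded image, which the size comparison also leaves alone because the child has no region of that size.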
