Analysis
max time kernel:  148s
max time network: 153s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        12/10/2024, 19:25 UTC
Behavioral task
behavioral1
Sample:   3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
Size:   1.3MB
MD5:    3baef362d7ca8f9798d3964414fef351
SHA1:   cb137fef7524614d72c50b2de4c6ef6152c6253a
SHA256: 63604b50c997ceacc7b689e8fa79d91fbe2e2b6adf76601f0f6dff6fdc8bb169
SHA512: dc0961eca22bda7eaa4452d5472b7576e9548059d00fced70cc4e2cabfef0ad55f598bcd16c0439e8b2a7091faba4ba74f4bf9674b0a39814dcbad2dbb8ca5e5
SSDEEP: 24576:muj/VEaecgvjdcR2ARF9AjORbomMQzuYbMTSsEPwFq91B2VXvvG:mKVEae5bda28F9AORbEQ6Yb0Sscww
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  4836  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  4836  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

yara_rule match: upx
  resource                                                                     yara_rule
  behavioral2/memory/1816-0-0x0000000000400000-0x000000000086A000-memory.dmp  upx
  behavioral2/files/0x000c000000023b23-12.dat                                  upx

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1816  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1816  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
  4836  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                              procid_target
  PID 1816 wrote to memory of 4836  1816  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe  83
  PID 1816 wrote to memory of 4836  1816  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe  83
  PID 1816 wrote to memory of 4836  1816  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe  83
Processes
1. C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe"
   PID: 1816
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
      PID: 4836
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
-
Network
Remote address: 8.8.8.8:53
Request:  zipansion.com IN A
Response: zipansion.com IN A 104.21.73.114
          zipansion.com IN A 172.67.144.180
Remote address: 104.21.73.114:80
Request:
GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
Response:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 143
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XtDykF6FyDRe4LnNDmyvOuNqZw7XVSqHJm8mS1OGoX9Y4mLY5C5dq2Chl8itglwXthVGj8gstk4vjOrmfnaKsuHXIKNw07ltmy0E%2BQtLeqIZQYvphlyOOZIc4codXCbF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8d197a4ddf0663fd-LHR
alt-svc: h2=":443"; ma=60
Remote address: 8.8.8.8:53
Request:  8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

Remote address: 8.8.8.8:53
Request:  publisher.linkvertise.com IN A
Response: publisher.linkvertise.com IN A 104.22.23.72
          publisher.linkvertise.com IN A 104.22.22.72
          publisher.linkvertise.com IN A 172.67.31.186
GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi  (process: 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe)
Remote address: 104.22.23.72:443
Request:
GET /adfly-hard-migrator/url?url=http://zipansion.com/2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Cache-Control: no-cache
Host: publisher.linkvertise.com
Connection: Keep-Alive
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4518
Connection: keep-alive
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Sat, 12 Oct 2024 19:26:04 GMT
Set-Cookie: __cf_bm=yIOWznAvzQaEY_fnOsggGB6fjC1OIW66CwjyxQ7pZWk-1728761149-1.0.1.1-KXp.IUKeC63RFYL7D1RZ6tUVhManRNN2XHe04vnwJjfp9mB89yamr5Z1mDqgCF013CDoMBT6R_aV7MkyHry1kA; path=/; expires=Sat, 12-Oct-24 19:55:49 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None
X-Frame-Options: sameorigin
Server: cloudflare
CF-RAY: 8d197a62ce968883-LHR
alt-svc: h3=":443"; ma=86400
Remote address: 8.8.8.8:53
Request:  114.73.21.104.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  114.73.21.104.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  114.73.21.104.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  72.23.22.104.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  72.23.22.104.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  72.23.22.104.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  c.pki.goog IN A
Response: c.pki.goog IN CNAME pki-goog.l.google.com
          pki-goog.l.google.com IN A 142.250.178.3

Remote address: 8.8.8.8:53
Request:  c.pki.goog IN A

Remote address: 8.8.8.8:53
Request:  240.221.184.93.in-addr.arpa IN PTR
Response: (empty)
Remote address: 142.250.178.3:80
Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 12 Oct 2024 19:19:08 GMT
Expires: Sat, 12 Oct 2024 20:09:08 GMT
Cache-Control: public, max-age=3000
Age: 401
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Remote address: 142.250.178.3:80
Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 12 Oct 2024 18:57:45 GMT
Expires: Sat, 12 Oct 2024 19:47:45 GMT
Cache-Control: public, max-age=3000
Age: 1684
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Remote address: 8.8.8.8:53
Request:  3.178.250.142.in-addr.arpa IN PTR
Response: 3.178.250.142.in-addr.arpa IN PTR lhr48s27-in-f3.1e100.net

Remote address: 8.8.8.8:53
Request:  76.32.126.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  95.221.229.192.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  95.221.229.192.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  55.36.223.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  55.36.223.20.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  197.87.175.4.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  198.187.3.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  172.214.232.199.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request:  172.214.232.199.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  172.214.232.199.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request:  13.227.111.52.in-addr.arpa IN PTR
Response: (empty)
Network summary (columns: bytes sent, bytes received, packets sent, packets received)

437 B   1.1kB   6   4
  HTTP Request:  GET http://zipansion.com/2pRLi
  HTTP Response: 302

104.22.23.72:443  https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi  tls, http  3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
1.9kB   9.5kB   21  15
  HTTP Request:  GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
  HTTP Response: 403

648 B   3.9kB   9   7
  HTTP Request:  GET http://c.pki.goog/r/gsr1.crl
  HTTP Response: 200
  HTTP Request:  GET http://c.pki.goog/r/r4.crl
  HTTP Response: 200

59 B    91 B    1   1
  DNS Request:  zipansion.com
  DNS Response: 104.21.73.114, 172.67.144.180

66 B    90 B    1   1
  DNS Request:  8.8.8.8.in-addr.arpa

71 B    119 B   1   1
  DNS Request:  publisher.linkvertise.com
  DNS Response: 104.22.23.72, 104.22.22.72, 172.67.31.186

216 B   134 B   3   1
  DNS Request:  114.73.21.104.in-addr.arpa
  DNS Request:  114.73.21.104.in-addr.arpa
  DNS Request:  114.73.21.104.in-addr.arpa

213 B   133 B   3   1
  DNS Request:  72.23.22.104.in-addr.arpa
  DNS Request:  72.23.22.104.in-addr.arpa
  DNS Request:  72.23.22.104.in-addr.arpa

112 B   107 B   2   1
  DNS Request:  c.pki.goog
  DNS Request:  c.pki.goog
  DNS Response: 142.250.178.3

73 B    144 B   1   1
  DNS Request:  240.221.184.93.in-addr.arpa

72 B    110 B   1   1
  DNS Request:  3.178.250.142.in-addr.arpa

71 B    157 B   1   1
  DNS Request:  76.32.126.40.in-addr.arpa

146 B   144 B   2   1
  DNS Request:  95.221.229.192.in-addr.arpa
  DNS Request:  95.221.229.192.in-addr.arpa

142 B   157 B   2   1
  DNS Request:  55.36.223.20.in-addr.arpa
  DNS Request:  55.36.223.20.in-addr.arpa

71 B    157 B   1   1
  DNS Request:  197.87.175.4.in-addr.arpa

71 B    157 B   1   1
  DNS Request:  198.187.3.20.in-addr.arpa

222 B   128 B   3   1
  DNS Request:  172.214.232.199.in-addr.arpa
  DNS Request:  172.214.232.199.in-addr.arpa
  DNS Request:  172.214.232.199.in-addr.arpa

72 B    158 B   1   1
  DNS Request:  13.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5:      50fd18c44386ce23e95afa70fb50ebe7
SHA1:     8a4fa2eb22c83462a59855b25da7cffe5b482fa5
SHA256:   2736e90b5ad4fc75a91b3eade2348c981bcad40a3e96747d9a22001a02254597
SHA512:   ae5ff87ea4f0f899bf6224f4db3db6e818a904f40be08fb61fcdcbabf7e0191dc0f867c8fbc31e9fab69187c8dbec7f84a46933f741d29e5eabe195640d6c5f6