Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 19:25 UTC

General

  • Target

    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    3baef362d7ca8f9798d3964414fef351

  • SHA1

    cb137fef7524614d72c50b2de4c6ef6152c6253a

  • SHA256

    63604b50c997ceacc7b689e8fa79d91fbe2e2b6adf76601f0f6dff6fdc8bb169

  • SHA512

    dc0961eca22bda7eaa4452d5472b7576e9548059d00fced70cc4e2cabfef0ad55f598bcd16c0439e8b2a7091faba4ba74f4bf9674b0a39814dcbad2dbb8ca5e5

  • SSDEEP

    24576:muj/VEaecgvjdcR2ARF9AjORbomMQzuYbMTSsEPwFq91B2VXvvG:mKVEae5bda28F9AORbEQ6Yb0Sscww

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:4836

Network

  • flag-us
    DNS
    zipansion.com
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • flag-us
    GET
    http://zipansion.com/2pRLi
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 12 Oct 2024 19:25:46 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: keep-alive
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XtDykF6FyDRe4LnNDmyvOuNqZw7XVSqHJm8mS1OGoX9Y4mLY5C5dq2Chl8itglwXthVGj8gstk4vjOrmfnaKsuHXIKNw07ltmy0E%2BQtLeqIZQYvphlyOOZIc4codXCbF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8d197a4ddf0663fd-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    publisher.linkvertise.com
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    publisher.linkvertise.com
    IN A
    Response
    publisher.linkvertise.com
    IN A
    104.22.23.72
    publisher.linkvertise.com
    IN A
    104.22.22.72
    publisher.linkvertise.com
    IN A
    172.67.31.186
  • flag-us
    GET
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    104.22.23.72:443
    Request
    GET /adfly-hard-migrator/url?url=http://zipansion.com/2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: publisher.linkvertise.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Sat, 12 Oct 2024 19:25:49 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4518
    Connection: keep-alive
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Sat, 12 Oct 2024 19:26:04 GMT
    Set-Cookie: __cf_bm=yIOWznAvzQaEY_fnOsggGB6fjC1OIW66CwjyxQ7pZWk-1728761149-1.0.1.1-KXp.IUKeC63RFYL7D1RZ6tUVhManRNN2XHe04vnwJjfp9mB89yamr5Z1mDqgCF013CDoMBT6R_aV7MkyHry1kA; path=/; expires=Sat, 12-Oct-24 19:55:49 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 8d197a62ce968883-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    72.23.22.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.23.22.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.23.22.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.23.22.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    72.23.22.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.23.22.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    c.pki.goog
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.178.3
  • flag-us
    DNS
    c.pki.goog
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    142.250.178.3:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 12 Oct 2024 19:19:08 GMT
    Expires: Sat, 12 Oct 2024 20:09:08 GMT
    Cache-Control: public, max-age=3000
    Age: 401
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    Remote address:
    142.250.178.3:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 12 Oct 2024 18:57:45 GMT
    Expires: Sat, 12 Oct 2024 19:47:45 GMT
    Cache-Control: public, max-age=3000
    Age: 1684
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    3.178.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.178.250.142.in-addr.arpa
    IN PTR
    Response
    3.178.250.142.in-addr.arpa
    IN PTR
    lhr48s27-in-f3.1e100.net
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    437 B
    1.1kB
    6
    4

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    302
  • 104.22.23.72:443
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi
    tls, http
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    1.9kB
    9.5kB
    21
    15

    HTTP Request

    GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://zipansion.com/2pRLi

    HTTP Response

    403
  • 142.250.178.3:80
    http://c.pki.goog/r/r4.crl
    http
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    648 B
    3.9kB
    9
    7

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    publisher.linkvertise.com
    dns
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    71 B
    119 B
    1
    1

    DNS Request

    publisher.linkvertise.com

    DNS Response

    104.22.23.72
    104.22.22.72
    172.67.31.186

  • 8.8.8.8:53
    114.73.21.104.in-addr.arpa
    dns
    216 B
    134 B
    3
    1

    DNS Request

    114.73.21.104.in-addr.arpa

    DNS Request

    114.73.21.104.in-addr.arpa

    DNS Request

    114.73.21.104.in-addr.arpa

  • 8.8.8.8:53
    72.23.22.104.in-addr.arpa
    dns
    213 B
    133 B
    3
    1

    DNS Request

    72.23.22.104.in-addr.arpa

    DNS Request

    72.23.22.104.in-addr.arpa

    DNS Request

    72.23.22.104.in-addr.arpa

  • 8.8.8.8:53
    c.pki.goog
    dns
    3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
    112 B
    107 B
    2
    1

    DNS Request

    c.pki.goog

    DNS Request

    c.pki.goog

    DNS Response

    142.250.178.3

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    3.178.250.142.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    3.178.250.142.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    55.36.223.20.in-addr.arpa

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    222 B
    128 B
    3
    1

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe

    Filesize

    1.3MB

    MD5

    50fd18c44386ce23e95afa70fb50ebe7

    SHA1

    8a4fa2eb22c83462a59855b25da7cffe5b482fa5

    SHA256

    2736e90b5ad4fc75a91b3eade2348c981bcad40a3e96747d9a22001a02254597

    SHA512

    ae5ff87ea4f0f899bf6224f4db3db6e818a904f40be08fb61fcdcbabf7e0191dc0f867c8fbc31e9fab69187c8dbec7f84a46933f741d29e5eabe195640d6c5f6

  • memory/1816-0-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/1816-1-0x0000000001B30000-0x0000000001C42000-memory.dmp

    Filesize

    1.1MB

  • memory/1816-2-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/1816-13-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/4836-14-0x0000000001B70000-0x0000000001C82000-memory.dmp

    Filesize

    1.1MB

  • memory/4836-15-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/4836-21-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/4836-30-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB
