Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    139s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/12/2024, 04:10 UTC

General

  • Target

    e9d2d06c74be1e86ff16d0c920ef8068_JaffaCakes118.html

  • Size

    155KB

  • MD5

    e9d2d06c74be1e86ff16d0c920ef8068

  • SHA1

    b43408d2067a8f7af818345d6805f95ddb85a3e7

  • SHA256

    56c4fe26056b599f23a9fdd344f9b55129bf54d5ce3fb6281b72aacbcc0cb46d

  • SHA512

    1f972b08e56edcca38edc49699fc3ef22ff2e6b3a7b80e5a581460162a5bd982d85059981bedb47889135245ce20dbf76ffb66d0777455747c38be84e224357c

  • SSDEEP

    1536:i0RTwUSHFTVyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBw:imoFTVyfkMY+BES09JXAnyrZalI+YQ

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\e9d2d06c74be1e86ff16d0c920ef8068_JaffaCakes118.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff866c646f8,0x7ff866c64708,0x7ff866c64718
      2⤵
        PID:2788
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        2⤵
          PID:1100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3728
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
          2⤵
            PID:3684
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
            2⤵
              PID:208
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
              2⤵
                PID:1936
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 /prefetch:2
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1748
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
                2⤵
                  PID:4320
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                  2⤵
                    PID:768
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
                    2⤵
                      PID:3664
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4988
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                      2⤵
                        PID:2332
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14304550405962078398,1088766325489618016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
                        2⤵
                          PID:628
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:3564
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4836

                          Network

                          • flag-us
                            DNS
                            133.211.185.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            133.211.185.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            www.oh0ib2.top
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            www.oh0ib2.top
                            IN A
                            Response
                          • flag-us
                            DNS
                            95.221.229.192.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            95.221.229.192.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            news.share.baidu.com
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            news.share.baidu.com
                            IN A
                            Response
                            news.share.baidu.com
                            IN CNAME
                            news.share.n.shifen.com
                            news.share.n.shifen.com
                            IN A
                            39.156.68.163
                            news.share.n.shifen.com
                            IN A
                            112.34.113.148
                            news.share.n.shifen.com
                            IN A
                            180.101.212.103
                            news.share.n.shifen.com
                            IN A
                            182.61.201.93
                            news.share.n.shifen.com
                            IN A
                            182.61.244.229
                            news.share.n.shifen.com
                            IN A
                            182.61.201.94
                          • flag-us
                            DNS
                            228.249.119.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            228.249.119.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            56.163.245.4.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            56.163.245.4.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            18.31.95.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            18.31.95.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            22.49.80.91.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            22.49.80.91.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            172.214.232.199.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            172.214.232.199.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            21.236.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            21.236.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • 39.156.68.163:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 39.156.68.163:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 112.34.113.148:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 112.34.113.148:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 180.101.212.103:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 180.101.212.103:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.201.93:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.201.93:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.244.229:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.244.229:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.201.94:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 182.61.201.94:80
                            news.share.baidu.com
                            msedge.exe
                            260 B
                            5
                          • 8.8.8.8:53
                            133.211.185.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            133.211.185.52.in-addr.arpa

                          • 8.8.8.8:53
                            www.oh0ib2.top
                            dns
                            msedge.exe
                            60 B
                            130 B
                            1
                            1

                            DNS Request

                            www.oh0ib2.top

                          • 8.8.8.8:53
                            95.221.229.192.in-addr.arpa
                            dns
                            73 B
                            144 B
                            1
                            1

                            DNS Request

                            95.221.229.192.in-addr.arpa

                          • 8.8.8.8:53
                            68.159.190.20.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            68.159.190.20.in-addr.arpa

                          • 8.8.8.8:53
                            news.share.baidu.com
                            dns
                            msedge.exe
                            66 B
                            196 B
                            1
                            1

                            DNS Request

                            news.share.baidu.com

                            DNS Response

                            39.156.68.163
                            112.34.113.148
                            180.101.212.103
                            182.61.201.93
                            182.61.244.229
                            182.61.201.94

                          • 8.8.8.8:53
                            228.249.119.40.in-addr.arpa
                            dns
                            73 B
                            159 B
                            1
                            1

                            DNS Request

                            228.249.119.40.in-addr.arpa

                          • 224.0.0.251:5353
                            msedge.exe
                            523 B
                            8
                          • 8.8.8.8:53
                            56.163.245.4.in-addr.arpa
                            dns
                            71 B
                            157 B
                            1
                            1

                            DNS Request

                            56.163.245.4.in-addr.arpa

                          • 8.8.8.8:53
                            18.31.95.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            18.31.95.13.in-addr.arpa

                          • 8.8.8.8:53
                            22.49.80.91.in-addr.arpa
                            dns
                            70 B
                            145 B
                            1
                            1

                            DNS Request

                            22.49.80.91.in-addr.arpa

                          • 8.8.8.8:53
                            172.214.232.199.in-addr.arpa
                            dns
                            74 B
                            128 B
                            1
                            1

                            DNS Request

                            172.214.232.199.in-addr.arpa

                          • 8.8.8.8:53
                            21.236.111.52.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            21.236.111.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            fab8d8d865e33fe195732aa7dcb91c30

                            SHA1

                            2637e832f38acc70af3e511f5eba80fbd7461f2c

                            SHA256

                            1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                            SHA512

                            39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            36988ca14952e1848e81a959880ea217

                            SHA1

                            a0482ef725657760502c2d1a5abe0bb37aebaadb

                            SHA256

                            d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                            SHA512

                            d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            fde100b7878583d84debc60467aa8edc

                            SHA1

                            ca389b697e822ae1b73898ec66dcb4bcf96af9b3

                            SHA256

                            54382688d09348cc7f7fe47c99d6ec92f694bc2ef924d0cc98cc32c496b0ed17

                            SHA512

                            702e72a428169eb9546922c2220d141c55fdc817729e6ab031b270324ff2da06465346305fa59349611035450a76126926c059b87d3aea5ec36de7835f27c796

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            8a6ee3412cbbbd26b99a0375cf2acca1

                            SHA1

                            8f3ec0ca96253487ab3bc32cf39298fc95063da6

                            SHA256

                            a88e6bd21d581bcd060f2183902b682318e7d7beb96d482cd224da0ed36a9e0f

                            SHA512

                            c8b76814dc41c7ba71ef5397726d3596ef022e3f0a8d9124f73f16ed5c6d54e28d1c31b808c2efe627d45e2cd714a2c41c247b2a0c42f580c5674123aedbc2bb

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            f552714150fdd4609b9d61b118555b8d

                            SHA1

                            91b4772063f6c7b44bbb4d3ad504086c4824c6fb

                            SHA256

                            8c82f61f0db0086d665f398141b53c07169b80bfdc1164b2df947c24304925bd

                            SHA512

                            4ecb8c349c2b25ca47ed84879ea311fae010af97ef2d4eb23dd1af85cac63c1bbc9332a315071d64a276f26dcd8919a83e43c89867a9f52cfe37f5d67d49657d

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.