Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...af.exe

windows7-x64

10

JaffaCakes...af.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    95s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/01/2025, 02:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_61fdf49099469563aa4442c198855baf.exe

  • Size

    1.1MB

  • MD5

    61fdf49099469563aa4442c198855baf

  • SHA1

    6a9965e6691ed6132dd968e2a1ff08e8594eb672

  • SHA256

    1b381d766da86aa6b98f53bc3006658909538ee3314f6b713fbec64a266c1623

  • SHA512

    a33badc4a7187178dd2609456746951a6347fc26431d4e5ed36cec98d0842f7c1a998e2c4096f947f1deadc364a92702fcd6f410b0882fda55d658efa8b7a78f

  • SSDEEP

    24576:fafGiYtto6oCfd0+X7Q3CiTApWsN1X7Q7Fsx2k2Y:U0pZRHWsL7Us8

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\server23.exe
      "C:\Users\Admin\AppData\Local\Temp\server23.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 588
        3⤵
        • Program crash
        PID:1472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404
    1⤵
      PID:1108

    Network

    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      85.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      85.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      69.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      107.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      107.12.20.2.in-addr.arpa
      IN PTR
      Response
      107.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-107deploystaticakamaitechnologiescom
    • flag-us
      DNS
      20.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      85.49.80.91.in-addr.arpa
      dns
      70 B
       145 B
       1
      1

      DNS Request

      85.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      69.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      69.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      107.12.20.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      107.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      20.49.80.91.in-addr.arpa
      dns
      70 B
       145 B
       1
      1

      DNS Request

      20.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\server23.exe
      Filesize

      857KB

      MD5

      f0e57400ba0ced7def4487e8ec031315

      SHA1

      6d301d92f785f5720bd768317387598da1d0b42e

      SHA256

      168ad4c18dc7a3d6e8f9f8a7b3370c4de641df217280e868c450074ad042c3ed

      SHA512

      5466c9fc3059360d346a9ea093375e88602d98a29b4a54b27ffb1d286db4d5e8da563336a26b44988740f313c87dc27e445104f9fa87ea52a2906ff0b75047ac

      Download Submit

    • memory/224-193-0x00007FFA384B0000-0x00007FFA38E51000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/224-1-0x000000001B660000-0x000000001B706000-memory.dmp

      Filesize

      664KB

      Download

    • memory/224-2-0x00007FFA384B0000-0x00007FFA38E51000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/224-4-0x00007FFA384B0000-0x00007FFA38E51000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/224-0-0x00007FFA38765000-0x00007FFA38766000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2404-61-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-49-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-220-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-219-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-204-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-79-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-188-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-184-0x00000000775B2000-0x00000000775B3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2404-154-0x00000000775B2000-0x00000000775B3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2404-153-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-152-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-74-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-69-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-67-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-65-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-63-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-77-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-59-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-57-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-53-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-51-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-75-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-47-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-45-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-43-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-41-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-39-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-37-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-35-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-33-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-31-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-29-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-27-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-25-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-23-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-21-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-19-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-17-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-16-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-71-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2404-55-0x00000000004D0000-0x000000000053C000-memory.dmp

      Filesize

      432KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.