Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/01/2025, 07:31 UTC

General

  • Target

    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe

  • Size

    54KB

  • MD5

    638a4ce6e38d47606a529668963a64b4

  • SHA1

    c4445f5b50e493420c1d2b6a049bc4e1d5fbca0b

  • SHA256

    e01c11b733e01186681bc6d98046f6d7e56eeee1b89be4dfefe43c0acc2d746f

  • SHA512

    99a1267b6111eb36be2940e123ccd11f2da5c619129a0ac871ed7da74d50b84643c54eddc1942c6205624273a99fe49d8a07f225949ccbe6b5a0788b31ecda45

  • SSDEEP

    1536:SNqaLV8a6pFG7FFwz9Q5vBn6U/1WTD0tF:SNqMKIAzknpWTy

Malware Config

Signatures

  • Detects MyDoom family 8 IoCs
  • MyDoom

    MyDoom is a worm written in C++.

  • Mydoom family
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1364

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    resources.jar
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    resources.jar
    IN MX
    Response
  • flag-us
    DNS
    resources.jar
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    resources.jar
    IN MX
    Response
  • flag-us
    DNS
    cs.stanford.edu
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    cs.stanford.edu
    IN MX
    Response
    cs.stanford.edu
    IN MX
    cs.stanford.edu
    IN MX
    smtp1.cs.stanford.edu
    cs.stanford.edu
    IN MX
    smtp2.cs.stanford.edu
  • flag-us
    DNS
    cs.stanford.edu
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    cs.stanford.edu
    IN A
    Response
    cs.stanford.edu
    IN A
    171.64.64.64
  • flag-us
    DNS
    outlook.com
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    outlook.com
    IN MX
    Response
    outlook.com
    IN MX
    outlook-com.olc.protection.outlook.com
  • flag-us
    DNS
    nocorp.me
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    nocorp.me
    IN MX
    Response
    nocorp.me
    IN MX
    in1-smtp.messagingengine.com
    nocorp.me
    IN MX
    in2-smtp.messagingengine.com
  • flag-us
    DNS
    outlook-com.olc.protection.outlook.com
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    outlook-com.olc.protection.outlook.com
    IN A
    Response
    outlook-com.olc.protection.outlook.com
    IN A
    52.101.11.14
    outlook-com.olc.protection.outlook.com
    IN A
    52.101.41.29
    outlook-com.olc.protection.outlook.com
    IN A
    52.101.42.7
    outlook-com.olc.protection.outlook.com
    IN A
    52.101.68.4
  • flag-us
    DNS
    in1-smtp.messagingengine.com
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    Remote address:
    8.8.8.8:53
    Request
    in1-smtp.messagingengine.com
    IN A
    Response
    in1-smtp.messagingengine.com
    IN A
    103.168.172.222
    in1-smtp.messagingengine.com
    IN A
    103.168.172.218
    in1-smtp.messagingengine.com
    IN A
    103.168.172.219
    in1-smtp.messagingengine.com
    IN A
    103.168.172.220
    in1-smtp.messagingengine.com
    IN A
    103.168.172.217
    in1-smtp.messagingengine.com
    IN A
    103.168.172.221
    in1-smtp.messagingengine.com
    IN A
    103.168.172.223
    in1-smtp.messagingengine.com
    IN A
    103.168.172.216
  • flag-us
    DNS
    94.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 69.142.241.244:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 201.9.44.29:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 15.7.149.187:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 158.187.69.120:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 16.101.246.74:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 16.126.105.7:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 15.25.47.250:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    260 B
    5
  • 192.168.59.147:1042
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    104 B
    2
  • 171.64.64.64:25
    cs.stanford.edu
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    104 B
    2
  • 52.101.11.14:25
    outlook-com.olc.protection.outlook.com
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    104 B
    2
  • 103.168.172.222:25
    in1-smtp.messagingengine.com
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    104 B
    2
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    resources.jar
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    59 B
    134 B
    1
    1

    DNS Request

    resources.jar

  • 8.8.8.8:53
    resources.jar
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    59 B
    134 B
    1
    1

    DNS Request

    resources.jar

  • 8.8.8.8:53
    cs.stanford.edu
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    61 B
    121 B
    1
    1

    DNS Request

    cs.stanford.edu

  • 8.8.8.8:53
    cs.stanford.edu
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    61 B
    77 B
    1
    1

    DNS Request

    cs.stanford.edu

    DNS Response

    171.64.64.64

  • 8.8.8.8:53
    outlook.com
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    57 B
    100 B
    1
    1

    DNS Request

    outlook.com

  • 8.8.8.8:53
    nocorp.me
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    55 B
    124 B
    1
    1

    DNS Request

    nocorp.me

  • 8.8.8.8:53
    outlook-com.olc.protection.outlook.com
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    84 B
    148 B
    1
    1

    DNS Request

    outlook-com.olc.protection.outlook.com

    DNS Response

    52.101.11.14
    52.101.41.29
    52.101.42.7
    52.101.68.4

  • 8.8.8.8:53
    in1-smtp.messagingengine.com
    dns
    JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
    74 B
    202 B
    1
    1

    DNS Request

    in1-smtp.messagingengine.com

    DNS Response

    103.168.172.222
    103.168.172.218
    103.168.172.219
    103.168.172.220
    103.168.172.217
    103.168.172.221
    103.168.172.223
    103.168.172.216

  • 8.8.8.8:53
    94.65.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    94.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe

    Filesize

    54KB

    MD5

    638a4ce6e38d47606a529668963a64b4

    SHA1

    c4445f5b50e493420c1d2b6a049bc4e1d5fbca0b

    SHA256

    e01c11b733e01186681bc6d98046f6d7e56eeee1b89be4dfefe43c0acc2d746f

    SHA512

    99a1267b6111eb36be2940e123ccd11f2da5c619129a0ac871ed7da74d50b84643c54eddc1942c6205624273a99fe49d8a07f225949ccbe6b5a0788b31ecda45

  • memory/1364-0-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-3-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-5-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-7-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-9-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-11-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-13-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-91-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB

  • memory/1364-140-0x0000000000800000-0x000000000080D000-memory.dmp

    Filesize

    52KB
