Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    10/01/2025, 00:48 UTC

General

  • Target

    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe

  • Size

    415KB

  • MD5

    d693f58558538c9e8daf36fbd374db55

  • SHA1

    25f77f246f27956647f2d4ddab85da100431d129

  • SHA256

    01cccbd3a723331004dbf8de510380d5c328b8f3d8ae936fb4b9dd4f6259e532

  • SHA512

    dc6cc23407f4a25645704202e6b81dd092a972bd7c5123612fed9d3bfc57823534ad443c036f70f1e843891b3dc7f977f002561de2292f2ea7fd1dda8f1e68cb

  • SSDEEP

    6144:YtgFVwrhUEz+16Uqd2GhN+qQcIkG5we2oXitAQ1CZu6GxOeUQuKrDxl16Fw:Ytgw7z+sUi2iNtfdMityZ79dQuktlIF

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendMessage?chat_id=1063661839
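The C2 above is a Telegram Bot API call: the path carries the bot token (numeric bot id, a colon, a 35-character secret) and the query string carries the chat_id the stolen keystrokes and credentials are posted to. The following is an added example for this report, not tria.ge's or Snake Keylogger's code: it parses that URL, validates the token shape, and produces a redacted IOC record that can be shared without handing out a live token. The token format regex and the redaction rule are assumptions about how a practitioner would handle it.

```python
"""Pull the bot token and chat_id out of the Telegram C2 URL in this report's
Malware Config, validate their shape, and produce a shareable (redacted) IOC.
Added example, not tria.ge or Snake Keylogger code; the token format check and
the redaction rule are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Extracted C2 from the report, copied verbatim.
C2_URL = ("https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE"
          "/sendMessage?chat_id=1063661839")

# Bot API path: /bot<numeric bot id>:<35-char secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<token>(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35}))/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Return bot_id, secret, full token, method and chat_id, or None if the URL
    is not a Bot API call on api.telegram.org."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": int(m["bot_id"]), "secret": m["secret"], "token": m["token"],
            "method": m["method"], "chat_id": chat}


def redact_token(token, keep=4):
    """Keep the bot id (not secret, safe to share) and a short prefix of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:keep]}{'*' * (len(secret) - keep)}"


def c2_iocs(url):
    """IOCs an analyst can hand on without leaking a live token: the redacted token,
    the chat_id the stolen data lands in, and a path pattern keyed on the bot id only
    (the secret changes if the operator rotates the token, the bot id does not)."""
    info = parse_telegram_c2(url)
    if info is None:
        return None
    return {
        "c2_host": "api.telegram.org",
        "bot_id": info["bot_id"],
        "chat_id": info["chat_id"],
        "token_redacted": redact_token(info["token"]),
        "path_pattern": f"/bot{info['bot_id']}:*/{info['method']}",
    }


if __name__ == "__main__":
    print(c2_iocs(C2_URL))
```

Any request to api.telegram.org with a /bot<id>:<secret>/ path from an endpoint that has no business running Telegram bots is worth a hunt on its own; the redacted record is enough for blocking and sharing. Calling the Bot API with a recovered token touches the operator's infrastructure and is a legal and OPSEC decision, not a triage step.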

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1584
        3⤵
        • Program crash
        PID:2744
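The tree above is the classic hollowing shape: the sample (PID 784) spawns a second copy of its own image (PID 2784), the parent alone carries SetThreadContext and WriteProcessMemory, and the child then faults into WerFault (-p 2784). The memory dumps in the Downloads section tell the same story: PID 2784 is dumped repeatedly at 0x400000-0x426000, the range the injected image occupies. The following is an added example for this report, not tria.ge's or the sample's code: it encodes that heuristic over process records transcribed from the page, parses the dump names to collapse the repeated ranges, and points at the range most likely to hold the unpacked payload. The process records and dump names are transcribed from this page (a subset of the dumps); the hollowing heuristic, the WerFault parsing and the assumption that the payload sits at the default 32-bit image base 0x400000 are mine.

```python
"""Triage this report's process tree and memory dumps for process hollowing.
Added example, not tria.ge's or the sample's code; records and dump names are
transcribed from the report, the heuristics are assumptions."""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline signatures")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Process tree from the Processes section (the root's parent is not shown, hence None).
PROCS = [
    Proc(784, None, SAMPLE, f'"{SAMPLE}"',
         {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory",
          "System Location Discovery: System Language Discovery"}),
    Proc(2784, 784, SAMPLE, f'"{SAMPLE}"',
         {"Suspicious behavior: EnumeratesProcesses", "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of WriteProcessMemory", "System Location Discovery: System Language Discovery"}),
    Proc(2744, 2784, WERFAULT, f"{WERFAULT} -u -p 2784 -s 1584", {"Program crash"}),
]

# Subset of the Downloads section: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMPS = [
    "memory/784-1-0x00000000013E0000-0x000000000144E000-memory.dmp",
    "memory/784-3-0x0000000000440000-0x000000000044E000-memory.dmp",
    "memory/784-6-0x0000000001370000-0x00000000013B8000-memory.dmp",
    "memory/2784-8-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/2784-9-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/2784-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2784-16-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/2784-21-0x0000000073F30000-0x000000007461E000-memory.dmp",
]

# A hollowing loop writes the payload into the suspended child and redirects its
# main thread into it, so the parent needs both of these (heuristic, not a proof).
HOLLOWING_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def find_hollowed_children(procs):
    """(parent_pid, child_pid) pairs where a process spawned a copy of its own image
    and the parent carries both hollowing signatures."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() == p.image.lower() and HOLLOWING_SIGS <= parent.signatures:
            hits.append((parent.pid, p.pid))
    return hits


def crashed_pids(procs):
    """PIDs WerFault was started for (-p <pid>). A crash right after injection means the
    injected code faulted in the sandbox, not that the sample is harmless."""
    out = set()
    for p in procs:
        if p.image.lower().endswith("werfault.exe"):
            m = re.search(r"-p\s+(\d+)", p.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def parse_dump_name(name):
    """-> (pid, sequence number, start address, end address)"""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def human_size(n):
    """Same rounding the report uses: whole KB below 1 MB, one decimal above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_for_pid(dumps, pid):
    """Collapse repeated dumps of one range: {(start, end): (size_in_bytes, dump_count)}."""
    counts = defaultdict(int)
    for d in dumps:
        dpid, _, start, end = parse_dump_name(d)
        if dpid == pid:
            counts[(start, end)] += 1
    return {r: (r[1] - r[0], c) for r, c in counts.items()}


def likely_payload_region(dumps, pid, image_base=0x400000):
    """Range mapped at the non-relocated 32-bit image base in the hollowed child; the
    large range present in both PIDs is a shared module, not the payload (assumption)."""
    for start, end in regions_for_pid(dumps, pid):
        if start == image_base:
            return (start, end)
    return None


if __name__ == "__main__":
    for parent, child in find_hollowed_children(PROCS):
        print(f"PID {parent} hollowed PID {child}; crashed: {child in crashed_pids(PROCS)}")
        for (s, e), (size, n) in sorted(regions_for_pid(DUMPS, child).items()):
            print(f"  {s:#010x}-{e:#010x} {human_size(size):>6} dumped {n}x")
        print("  payload candidate:", likely_payload_region(DUMPS, child))
```

Pulling the 0x400000-0x426000 dump of the child and checking it for an MZ header and an unpacked .NET assembly is the next step; the repeated dumps of that range are the same region captured at different points in execution, so one copy is normally enough to carve.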

Network

  • country: US
    DNS
    checkip.dyndns.org
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.6.168
  • country: BR
    GET
    http://checkip.dyndns.org/
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 00:49:22 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • country: BR
    GET
    http://checkip.dyndns.org/
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 00:49:25 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • country: US
    DNS
    freegeoip.app
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    104.21.80.1
    freegeoip.app
    IN A
    104.21.32.1
    freegeoip.app
    IN A
    104.21.112.1
    freegeoip.app
    IN A
    104.21.48.1
    freegeoip.app
    IN A
    104.21.96.1
    freegeoip.app
    IN A
    104.21.16.1
    freegeoip.app
    IN A
    104.21.64.1
  • country: US
    GET
    https://freegeoip.app/xml/181.215.176.83
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    104.21.80.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 10 Jan 2025 00:49:28 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 10 Jan 2025 01:49:28 GMT
    Location: https://ipbase.com/xml/181.215.176.83
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qwl6fdKzYGHN1KYovqxXFX0D5JxNBgyKUHrsvUeQZlSk2E6iRsHVHD4suR2kXSkaOdi9xbsUfUw5OLtOgqmaOWRzfd%2BMaELZ8weDET9W%2Fa4C%2BbvxewdgNPbeyn6icWAD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ff8aad6df0c3865-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=53911&min_rtt=47976&rtt_var=21441&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=368&delivery_rate=71868&cwnd=253&unsent_bytes=0&cid=3b30251128efc970&ts=154&x=0"
  • country: US
    DNS
    ipbase.com
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    172.67.209.71
    ipbase.com
    IN A
    104.21.85.189
  • country: US
    GET
    https://ipbase.com/xml/181.215.176.83
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    Remote address:
    172.67.209.71:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 00:49:28 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 0
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; fwd=miss
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01JH6V00VTXR8KA24RYKM27SJ9
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Sdghbx3zTZbPAwTGA%2BmCSVV5TRuViuMe%2FRflCQD0duRdrS49DiFFsDYWB6RBcRqWxgjk%2B75xsOMfkZ3EywfFIPBJvyPFJmArWjsfruPnc2KAH0DQzForbKFaEf0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ff8aad88adf93e2-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49910&min_rtt=47491&rtt_var=12289&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=365&delivery_rate=75011&cwnd=252&unsent_bytes=0&cid=4b972b3327eb3261&ts=272&x=0"
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    594 B
    722 B
    7
    4

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.80.1:443
    https://freegeoip.app/xml/181.215.176.83
    tls, http
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    724 B
    4.2kB
    8
    7

    HTTP Request

    GET https://freegeoip.app/xml/181.215.176.83

    HTTP Response

    301
  • 172.67.209.71:443
    https://ipbase.com/xml/181.215.176.83
    tls, http
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    813 B
    7.9kB
    10
    13

    HTTP Request

    GET https://ipbase.com/xml/181.215.176.83

    HTTP Response

    404
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    158.101.44.242
    193.122.130.0
    132.226.8.169
    193.122.6.168

  • 8.8.8.8:53
    freegeoip.app
    dns
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    59 B
    171 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    104.21.80.1
    104.21.32.1
    104.21.112.1
    104.21.48.1
    104.21.96.1
    104.21.16.1
    104.21.64.1

  • 8.8.8.8:53
    ipbase.com
    dns
    JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    172.67.209.71
    104.21.85.189
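The network capture shows the two-step fingerprinting behind the "Looks up external IP address via web service" signature: the sample fetches checkip.dyndns.org (with an IE6 / .NET 1.0 User-Agent no current browser sends), takes the address echoed back (181.215.176.83, the sandbox's egress) and immediately asks freegeoip.app, then ipbase.com after the 301, to geolocate it. A single IP lookup is common in legitimate software; the lookup followed within seconds by a geolocation query for the same address, from the same process, is the detectable pattern. The following is an added example for this report, not tria.ge's or Snake Keylogger's code: a detector that runs over proxy-style log lines constructed from this capture. The PID attribution and the benign browser lines are assumptions, the host lists extend the page's two services with other common lookup endpoints, and the 60-second window is my choice.

```python
"""Detect the external-IP lookup -> geolocation lookup chain from this report's
network capture. Added example, not tria.ge or Snake Keylogger code; log lines
are constructed, host lists beyond the page's two services and the window are
assumptions."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts pid image method host path ua")
Alert = namedtuple("Alert", "pid image ip_host geo_host external_ip legacy_ua")

# Services that echo the caller's public IP, and services that geolocate an IP
# (first two of each list are from this report, the rest are common alternatives).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "checkip.amazonaws.com",
                   "api.ipify.org", "icanhazip.com"}
GEO_LOOKUP_HOSTS = {"freegeoip.app", "ipbase.com", "ip-api.com", "ipinfo.io"}
# UA sent to checkip.dyndns.org in this capture; a weak signal on its own, strong with the chain.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_EXE = "JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
# Constructed log: ts|pid|image|method|host|path|user-agent ("-" when none was sent).
# Timestamps and hosts follow the report; PIDs and the chrome.exe lines are invented.
SAMPLE_LOG = f"""\
2025-01-10T00:49:22Z|2784|{SAMPLE_EXE}|GET|checkip.dyndns.org|/|{LEGACY_UA}
2025-01-10T00:49:25Z|2784|{SAMPLE_EXE}|GET|checkip.dyndns.org|/|{LEGACY_UA}
2025-01-10T00:49:28Z|2784|{SAMPLE_EXE}|GET|freegeoip.app|/xml/181.215.176.83|-
2025-01-10T00:49:28Z|2784|{SAMPLE_EXE}|GET|ipbase.com|/xml/181.215.176.83|-
2025-01-10T00:50:01Z|1337|chrome.exe|GET|www.example.com|/|Mozilla/5.0 (Windows NT 6.1) Chrome/120.0
2025-01-10T00:51:10Z|1337|chrome.exe|GET|api.ipify.org|/|Mozilla/5.0 (Windows NT 6.1) Chrome/120.0
"""


def parse_line(line):
    ts, pid, image, method, host, path, ua = line.split("|", 6)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(pid), image,
                 method, host.lower(), path, ua)


def _geo_followup(events, i, window):
    """First geolocation request for a literal IPv4 after events[i] inside the window."""
    first = events[i]
    for later in events[i + 1:]:
        if later.ts - first.ts > window:
            return None
        m = IPV4_RE.search(later.path)
        if later.host in GEO_LOOKUP_HOSTS and m:
            return later, m.group(0)
    return None


def detect_ip_geo_chain(log_text, window=timedelta(seconds=60)):
    """One Alert per process that looked up its public IP and then geolocated an IP
    within `window`. A lone IP lookup never alerts."""
    by_proc = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_proc[(ev.pid, ev.image)].append(ev)
    alerts = []
    for (pid, image), events in by_proc.items():
        events.sort(key=lambda e: e.ts)
        for i, first in enumerate(events):
            if first.host not in IP_LOOKUP_HOSTS:
                continue
            hit = _geo_followup(events, i, window)
            if hit:
                later, ip = hit
                alerts.append(Alert(pid, image, first.host, later.host, ip, first.ua == LEGACY_UA))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_ip_geo_chain(SAMPLE_LOG):
        print(f"PID {a.pid} ({a.image}): {a.ip_host} -> {a.geo_host} for {a.external_ip}, "
              f"legacy UA: {a.legacy_ua}")
```

The chrome.exe lookup of api.ipify.org with no geolocation follow-up is deliberately left silent; correlating by process (or by source host when only proxy logs are available) is what keeps this rule usable outside a sandbox. The address in the geolocation path is the victim's public IP, so it also identifies which host was infected when the logs come from a shared egress.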

MITRE ATT&CK Enterprise v15

Downloads

  • memory/784-22-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/784-1-0x00000000013E0000-0x000000000144E000-memory.dmp

    Filesize

    440KB

  • memory/784-2-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/784-3-0x0000000000440000-0x000000000044E000-memory.dmp

    Filesize

    56KB

  • memory/784-4-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

    Filesize

    4KB

  • memory/784-5-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/784-6-0x0000000001370000-0x00000000013B8000-memory.dmp

    Filesize

    288KB

  • memory/784-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

    Filesize

    4KB

  • memory/2784-16-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-10-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2784-18-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-20-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-12-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-9-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-8-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2784-21-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/2784-23-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/2784-24-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/2784-25-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB