
Analysis

  • max time kernel
    98s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/01/2025, 19:38 UTC

General

  • Target

    JaffaCakes118_16b23aef3ac4cff120269deb5da405ac.exe

  • Size

    147KB

  • MD5

    16b23aef3ac4cff120269deb5da405ac

  • SHA1

    510d2fc6569adde0e5b6d8f8394e505afbc64269

  • SHA256

    166d2c129ac315154e2221306ae85292a63370370d793ccba4315ebb2ba2b71e

  • SHA512

    c7a93a4a29554e4ba9593836fd651d9f18c7e30a02e97ea1507a6281dc1c28e03cc8bb7bb041ecdf09c0714d657e821442921317c2646317643554c659aaf109

  • SSDEEP

    1536:FR0+n3Pc0LCH9MtbvabUDzJYWu3BmiIuw22Jn1fbO4V:FR1n3k0CdM1vabyzJYWqQa2

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_16b23aef3ac4cff120269deb5da405ac.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_16b23aef3ac4cff120269deb5da405ac.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3884
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 204
            4⤵
            • Program crash
            PID:4488
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3552
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884
      1⤵
        PID:3460

Network

  DNS queries (all sent to 8.8.8.8:53, remote address flagged US; requesting process in parentheses where recorded):

  • 97.17.167.52.in-addr.arpa IN PTR; empty response
  • 97.17.167.52.in-addr.arpa IN PTR; no response
  • api.bing.com IN A (iexplore.exe); response: api.bing.com CNAME api-bing-com.e-0001.e-msedge.net, api-bing-com.e-0001.e-msedge.net CNAME e-0001.e-msedge.net, e-0001.e-msedge.net A 13.107.5.80
  • api.bing.com IN A (iexplore.exe); no response
  • api.bing.com IN A (iexplore.exe); no response
  • api.bing.com IN A (iexplore.exe); no response
  • 74.32.126.40.in-addr.arpa IN PTR; empty response
  • 95.221.229.192.in-addr.arpa IN PTR; empty response
  • 212.20.149.52.in-addr.arpa IN PTR; empty response
  • 212.20.149.52.in-addr.arpa IN PTR; no response
  • 161.19.199.152.in-addr.arpa IN PTR; empty response
  • 171.39.242.20.in-addr.arpa IN PTR; empty response
  • 98.117.19.2.in-addr.arpa IN PTR; response: 98.117.19.2.in-addr.arpa PTR a2-19-117-98.deploy.static.akamaitechnologies.com
  • 196.249.167.52.in-addr.arpa IN PTR; empty response
  • 88.210.23.2.in-addr.arpa IN PTR; response: 88.210.23.2.in-addr.arpa PTR a2-23-210-88.deploy.static.akamaitechnologies.com
  • 88.210.23.2.in-addr.arpa IN PTR; no response
  • 200.197.79.204.in-addr.arpa IN PTR; response: 200.197.79.204.in-addr.arpa PTR a-0001.a-msedge.net
  • 200.197.79.204.in-addr.arpa IN PTR; no response
  • 48.229.111.52.in-addr.arpa IN PTR; empty response
  Connections (remote endpoint, name, protocol/process; for DNS endpoints: bytes sent, bytes received, requests, responses):

  • 204.79.197.200:443, ieonline.microsoft.com, iexplore.exe: 156 B, 3
  • 204.79.197.200:443, ieonline.microsoft.com, iexplore.exe: 156 B, 3
  • 8.8.8.8:53, 97.17.167.52.in-addr.arpa, dns: 142 B sent, 145 B received; 2 requests, 1 response
  • 8.8.8.8:53, api.bing.com, dns (iexplore.exe): 232 B sent, 134 B received; 4 requests, 1 response (13.107.5.80)
  • 8.8.8.8:53, 74.32.126.40.in-addr.arpa, dns: 71 B sent, 157 B received; 1 request, 1 response
  • 8.8.8.8:53, 95.221.229.192.in-addr.arpa, dns: 73 B sent, 144 B received; 1 request, 1 response
  • 8.8.8.8:53, 212.20.149.52.in-addr.arpa, dns: 144 B sent, 146 B received; 2 requests, 1 response
  • 8.8.8.8:53, 161.19.199.152.in-addr.arpa, dns: 73 B sent, 144 B received; 1 request, 1 response
  • 8.8.8.8:53, 171.39.242.20.in-addr.arpa, dns: 72 B sent, 158 B received; 1 request, 1 response
  • 8.8.8.8:53, 98.117.19.2.in-addr.arpa, dns: 70 B sent, 133 B received; 1 request, 1 response
  • 8.8.8.8:53, 196.249.167.52.in-addr.arpa, dns: 73 B sent, 147 B received; 1 request, 1 response
  • 8.8.8.8:53, 88.210.23.2.in-addr.arpa, dns: 140 B sent, 133 B received; 2 requests, 1 response
  • 8.8.8.8:53, 200.197.79.204.in-addr.arpa, dns: 146 B sent, 106 B received; 2 requests, 1 response
  • 8.8.8.8:53, 48.229.111.52.in-addr.arpa, dns: 72 B sent, 158 B received; 1 request, 1 response

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe
    Filesize 147KB
    MD5     16b23aef3ac4cff120269deb5da405ac
    SHA1    510d2fc6569adde0e5b6d8f8394e505afbc64269
    SHA256  166d2c129ac315154e2221306ae85292a63370370d793ccba4315ebb2ba2b71e
    SHA512  c7a93a4a29554e4ba9593836fd651d9f18c7e30a02e97ea1507a6281dc1c28e03cc8bb7bb041ecdf09c0714d657e821442921317c2646317643554c659aaf109

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 471B
    MD5     975df3dbca02c4223ad98b4405ec0cd8
    SHA1    62c3b5b2d32df9cedede3d746956a999d34beff1
    SHA256  87d1e303201f45a5b0080b4580575bb564446751cafe9da1e8ce11a9c6a842fd
    SHA512  1277f93b24c89c39cee767c05e3e450da71aa5bade2fcc2559ef39c3b747c3db491488e63e8d21911e668885308d717fb7d47e2b3a70ff24b0a7250b5f671417

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 404B
    MD5     ff6bd3b59ebf321d8dfa8c70efdcf9b9
    SHA1    a9666797889740f92ef7f21f40464d468e7f7b59
    SHA256  b77a8fce2008394335504c6447615498864f87614d894458b80261c15fecb927
    SHA512  e9f6d2d040196f3828ab186819f7a498ae8d78f25d951ee38f2e1450f85f189699b0201e447a0a7d7ff1e1df4501fe2111e2d7f14726e637fe6fb56c1be66b08

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D6C3B6C4-D11C-11EF-ADF2-5227CD58F2D9}.dat
    Filesize 3KB
    MD5     26760e1fc07a8977cbca0555767d5a24
    SHA1    9bd8ab5fe1895338ac2399a7f226cede996768b7
    SHA256  9eb7e25990d1adf4dd7e5af918c3266560a4c8d112dd0f972022cd992c419a48
    SHA512  504e2e38eac695d4a6504a82de0a3d4cdbfe81c53aa19563a2f42b5b93b027c2f53ad956c306791cac4e902785999184aa56d05a10c139e6c3b47a4bb3eb6512

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D6C617E2-D11C-11EF-ADF2-5227CD58F2D9}.dat
    Filesize 5KB
    MD5     4824ec2b49e34ce690bb1e39bbf6d154
    SHA1    99f2c772474d6237b4f670a884e048e7a251b42a
    SHA256  a410357f00158cfa847ecfc94436b205f956f824783eb1717b7d0e726f71b4d0
    SHA512  328316791d6fac5c596895a585f8e6a99d7302d2ebd393a47b6c8132e67263f25ace2fab28fff49373b70bdc5add077266096449f54267351d77139a52d7f33d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2ECB.tmp
    Filesize 15KB
    MD5     1a545d0052b581fbb2ab4c52133846bc
    SHA1    62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
    Filesize 17KB
    MD5     5a34cb996293fde2cb7a4ac89587393a
    SHA1    3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • memory/2072-27-0x0000000077052000-0x0000000077053000-memory.dmp  Filesize 4KB
  • memory/2072-28-0x0000000020010000-0x0000000020022000-memory.dmp  Filesize 72KB
  • memory/2072-26-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/2072-25-0x0000000000060000-0x0000000000061000-memory.dmp  Filesize 4KB
  • memory/2072-24-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/2072-36-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/2072-32-0x0000000077052000-0x0000000077053000-memory.dmp  Filesize 4KB
  • memory/2072-33-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/2072-31-0x0000000000070000-0x0000000000071000-memory.dmp  Filesize 4KB
  • memory/3884-30-0x00000000004B0000-0x00000000004B1000-memory.dmp  Filesize 4KB
  • memory/3884-29-0x00000000004D0000-0x00000000004D1000-memory.dmp  Filesize 4KB
  • memory/4028-3-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-4-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-2-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-6-0x0000000000400000-0x000000000044E000-memory.dmp  Filesize 312KB
  • memory/4028-7-0x0000000000900000-0x0000000000901000-memory.dmp  Filesize 4KB
  • memory/4028-9-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-0-0x0000000000400000-0x000000000044E000-memory.dmp  Filesize 312KB
  • memory/4028-11-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-10-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-8-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
  • memory/4028-1-0x0000000000401000-0x0000000000402000-memory.dmp  Filesize 4KB
