Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 22:13 UTC

General

  • Target

    JaffaCakes118_3030454a00cccacd680b2b2c0a116a98.exe

  • Size

    95KB

  • MD5

    3030454a00cccacd680b2b2c0a116a98

  • SHA1

    6f36134952e7e9f1be5eb45a980129b1281f21d4

  • SHA256

    1d1034e2e1bae27918807ffd8eddf8085dc28ed45278d54c0094faf2ab58f40d

  • SHA512

    bcbb2ac237ac4c171938149524ef6eb1803aa3402ae559b1808ed32ba72f0adb7c4f80c29d0ad0966392e19408ba1c755bbfee326419e253031c50efebb8d3f0

  • SSDEEP

    768:o06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:mR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with the open-source UPX packer or a modified version of it.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3030454a00cccacd680b2b2c0a116a98.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3030454a00cccacd680b2b2c0a116a98.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1412
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 204
            4⤵
            • Program crash
            PID:1548
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3124
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1412 -ip 1412
      1⤵
        PID:2876

Network

      • DNS (US)
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        29.153.16.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        29.153.16.2.in-addr.arpa
        IN PTR
        Response
        29.153.16.2.in-addr.arpa
        IN PTR
        a2-16-153-29.deploy.static.akamaitechnologies.com
      • DNS (US)
        136.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        136.32.126.40.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        api.bing.com
        iexplore.exe
        Remote address:
        8.8.8.8:53
        Request
        api.bing.com
        IN A
        Response
        api.bing.com
        IN CNAME
        api-bing-com.e-0001.e-msedge.net
        api-bing-com.e-0001.e-msedge.net
        IN CNAME
        e-0001.e-msedge.net
        e-0001.e-msedge.net
        IN A
        13.107.5.80
      • DNS (US)
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        212.20.149.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        212.20.149.52.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        161.19.199.152.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        161.19.199.152.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        200.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.197.79.204.in-addr.arpa
        IN PTR
        Response
        200.197.79.204.in-addr.arpa
        IN PTR
        a-0001.a-msedge.net
      • DNS (US)
        31.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        31.243.111.52.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        195.98.74.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        195.98.74.40.in-addr.arpa
        IN PTR
        Response
      • 204.79.197.200:443
        ieonline.microsoft.com
        tls, http2
        iexplore.exe
        1.2kB
        8.3kB
        15
        14
      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        29.153.16.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        29.153.16.2.in-addr.arpa

      • 8.8.8.8:53
        136.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        136.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        api.bing.com
        dns
        iexplore.exe
        58 B
        134 B
        1
        1

        DNS Request

        api.bing.com

        DNS Response

        13.107.5.80

      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        212.20.149.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        212.20.149.52.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        161.19.199.152.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        161.19.199.152.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        200.197.79.204.in-addr.arpa
        dns
        73 B
        106 B
        1
        1

        DNS Request

        200.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        31.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        31.243.111.52.in-addr.arpa

      • 8.8.8.8:53
        195.98.74.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        195.98.74.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        95KB

        MD5

        3030454a00cccacd680b2b2c0a116a98

        SHA1

        6f36134952e7e9f1be5eb45a980129b1281f21d4

        SHA256

        1d1034e2e1bae27918807ffd8eddf8085dc28ed45278d54c0094faf2ab58f40d

        SHA512

        bcbb2ac237ac4c171938149524ef6eb1803aa3402ae559b1808ed32ba72f0adb7c4f80c29d0ad0966392e19408ba1c755bbfee326419e253031c50efebb8d3f0

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        4678c6b9e04d71f22ad272e0502cdb5e

        SHA1

        3f4cda0c3979c8f87b48914dd58b7eec0d480738

        SHA256

        8a2e74caaacdb17295780859af0882ff7e55a14ba77b04ab4656462c44adb673

        SHA512

        b347198672efdfb51dfdc266aa96b463fc8ee2bb260f9b493055849be7805c38b0c176d25bece406106d9d2e526c5948579f53d38737517496c1c81a7f9a2bbf

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        32d98756dd757a0c32a04824b75ee9f7

        SHA1

        c71d69794b2c19a26bfe6d3dfe67b9a42174c402

        SHA256

        b0958bfdd822d62a4dcd7a0518a8a338b3daac460cffdf7485a24f5e5f48047c

        SHA512

        eaf4bcfe3c860b02251a04c103e1745e5d8c12328a8282ae4123f611bd81206fd2fb378fcca2cd0fb7450b522383349c079d4104a065ce8bd9bbd89286865209

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        a8543c30aeb5d4ff330afe52072e8c2a

        SHA1

        8aa0d70fe61f237cffec6b910e61c7f37e459776

        SHA256

        a8ae8c08531435f4972bb98c210c4809a45b5ca2883e01f83a0bee94aed61ff6

        SHA512

        4b3e19075f8f7b7e90f8c4982fc597f97b411903c2a7868cd48140d1647f70ebcf3ac7fecca003ead12729da24dc54dfb9ce7f1f7922d478422204aa18406e0f

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7DE03A1-D1FB-11EF-BEF1-FA9F886F8D04}.dat

        Filesize

        3KB

        MD5

        eadf14807871bc0b93354e5fd8e98a18

        SHA1

        27cc032efad19197d84f542c8a287fa8fd6dfb84

        SHA256

        608eec8f4f8d4f4f9ae353e69100ef0f31ff67445d1cd9dca44327a1c76f11ec

        SHA512

        8e41140bcd5fea0fc8a61b52f85c1ee4770839bde1740442dd8fa2bd4fa99a78e114859dd33faa607a1d21e38fc605d5e9fcca0bfee43c5e638de3d84f5c0af3

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7E2C87C-D1FB-11EF-BEF1-FA9F886F8D04}.dat

        Filesize

        5KB

        MD5

        51b3ec6df9459a0f4c90ea19de3ad057

        SHA1

        2072b2aae6f55de1c4c8f7ed8558b55ed4bf534c

        SHA256

        049825c5347e95aff5e5c6288a17a2d527fba2e470957cec2469818081796ef6

        SHA512

        5169bd1cca14b684925fbab4f5befa3b2c55f3eae5d6dfad443dd4bcb427f183b1c56ff5dc3bbd34b498f3b3f6dc091911dd71f7786539c4de865e23f702cf21

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5C7.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/1412-31-0x0000000000580000-0x0000000000581000-memory.dmp

        Filesize

        4KB

      • memory/1412-32-0x0000000000560000-0x0000000000561000-memory.dmp

        Filesize

        4KB

      • memory/1840-34-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/1840-33-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/1840-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1840-18-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/1840-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1840-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1840-28-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

      • memory/1840-29-0x0000000077DD2000-0x0000000077DD3000-memory.dmp

        Filesize

        4KB

      • memory/1840-30-0x0000000020010000-0x0000000020022000-memory.dmp

        Filesize

        72KB

      • memory/1840-35-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1840-36-0x0000000077DD2000-0x0000000077DD3000-memory.dmp

        Filesize

        4KB

      • memory/5072-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-0-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/5072-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/5072-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-2-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/5072-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5072-3-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/5072-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB
