Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 15:39 UTC

General

  • Target

    JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe

  • Size

    95KB

  • MD5

    7ad116ac37e2f0968dd423edcdb5dc52

  • SHA1

    c336a92233ef1338cd46cd88c62238f7b3a45d27

  • SHA256

    21e80677ddeb030c34cacddf936bc5791e09e73f467012c22a8ecc2a21ee13a9

  • SHA512

    43b25586c7bc82c71543b20a3c275981dd07ad36eb817155298ab78ee8886a11eaf6c824150a639975704e2988ef527ad04587c1f43cbc4e6336492b5fb08317

  • SSDEEP

    768:U06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:KR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:628
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 204
            4⤵
            • Program crash
            PID:3944
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:928
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4488
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4188 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628
      1⤵
        PID:3424

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        20.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        20.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        138.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        7.98.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.98.22.2.in-addr.arpa
        IN PTR
        Response
        7.98.22.2.in-addr.arpa
        IN PTR
        a2-22-98-7deploystaticakamaitechnologiescom
      • flag-us
        DNS
        api.bing.com
        iexplore.exe
        Remote address:
        8.8.8.8:53
        Request
        api.bing.com
        IN A
        Response
        api.bing.com
        IN CNAME
        api-bing-com.e-0001.e-msedge.net
        api-bing-com.e-0001.e-msedge.net
        IN CNAME
        e-0001.e-msedge.net
        e-0001.e-msedge.net
        IN A
        13.107.5.80
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.163.245.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.163.245.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        161.19.199.152.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        161.19.199.152.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        132.249.72.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        132.249.72.23.in-addr.arpa
        IN PTR
        Response
        132.249.72.23.in-addr.arpa
        IN PTR
        a23-72-249-132deploystaticakamaitechnologiescom
      • flag-us
        DNS
        200.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.197.79.204.in-addr.arpa
        IN PTR
        Response
        200.197.79.204.in-addr.arpa
        IN PTR
        a-0001a-msedgenet
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 204.79.197.200:443
        ieonline.microsoft.com
        tls, http2
        iexplore.exe
        1.2kB
        8.3kB
        15
        14
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        20.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        20.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        138.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        138.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        7.98.22.2.in-addr.arpa
        dns
        68 B
        129 B
        1
        1

        DNS Request

        7.98.22.2.in-addr.arpa

      • 8.8.8.8:53
        api.bing.com
        dns
        iexplore.exe
        58 B
        134 B
        1
        1

        DNS Request

        api.bing.com

        DNS Response

        13.107.5.80

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        56.163.245.4.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        56.163.245.4.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        161.19.199.152.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        161.19.199.152.in-addr.arpa

      • 8.8.8.8:53
        132.249.72.23.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        132.249.72.23.in-addr.arpa

      • 8.8.8.8:53
        200.197.79.204.in-addr.arpa
        dns
        73 B
        106 B
        1
        1

        DNS Request

        200.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        48.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        48.229.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        95KB

        MD5

        7ad116ac37e2f0968dd423edcdb5dc52

        SHA1

        c336a92233ef1338cd46cd88c62238f7b3a45d27

        SHA256

        21e80677ddeb030c34cacddf936bc5791e09e73f467012c22a8ecc2a21ee13a9

        SHA512

        43b25586c7bc82c71543b20a3c275981dd07ad36eb817155298ab78ee8886a11eaf6c824150a639975704e2988ef527ad04587c1f43cbc4e6336492b5fb08317

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        37827a5b375c40c1d7c482099e06c5bb

        SHA1

        48a43de39625e410113ec4d2d3e355535c7163a9

        SHA256

        ffbd974e64098b8a4b5abe5633fe019780fb5eb4fb52418810fbbdc50084ef51

        SHA512

        e14bdded02c844462222ce326d91cfc2403f2fb164911a7b1401cb5dcb29c804383cf554304a5ea8465d743ef2f0fa78e6cba3f064dad02cd00076c1ac5f843e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        d91e88e8d1334460a77c58fcbc3f77f1

        SHA1

        650f68ecffd86fd92ff07d814a83982bc29fc7bc

        SHA256

        c478824bf07eb65c4613cb7be9c1ed9a97797f85486453d7ebd403979d55f25f

        SHA512

        9086c5cfb6b39f633369a000f6e18d4bf9f4a3c4acc3b112ade5377ecdcc1fc507059fd9a487648cd1468b631f6e125e8c368acb5ac7cb379e89577bc778a793

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        77a20db8ab2cce5eb02c9ff5334bc8d6

        SHA1

        e4ea91b78f2b506497688586fa5510d963b64090

        SHA256

        73f358affb85d516fe66e27b98d841906fec357948f7ec4b02633aef72ddeb96

        SHA512

        f5ed0807f13e2ac17cfb7be1d3178e0973a9339c3d5fc92ea844e92888593e0b825a3d2b4978a42f33ace9a4eb9d02992f91bd26e5d6708bc94a415c892ecd0f

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A3D4C5F-D559-11EF-A4B7-D6A59BC41F9D}.dat

        Filesize

        3KB

        MD5

        a107862510b21e1d27700b5497aa7c14

        SHA1

        05701901029056885b54bb3d45a6ceff225dc581

        SHA256

        fa55ea19532438122add52146a56fefca9ce93d6e2a728d5d66c3b61b2d93206

        SHA512

        fb1c3c79e7e63cecd4a56e4725ec3edaf2c141cc7ccfdaf668f8a8627429b631049d531cbb689fe42e701715db7766f0c2b337ebf24b333e65665f44f6c3d021

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A3FAE7B-D559-11EF-A4B7-D6A59BC41F9D}.dat

        Filesize

        5KB

        MD5

        358f1e51dc553336763229184ecae304

        SHA1

        f82211e5aebde726bb80dad84832d62e496ca8fe

        SHA256

        0e080bc1338b20083fe8c1355bca812dd0b5937b59d2299e04817c8735a2ba98

        SHA512

        3386d4b2369563e68ca1a227a00bba7450bc4ab720b406ef87dc47b052ddb0175d18bab327ab2bb52f8b3a02b70e3567c5d6c42b25ef0ef3d9b879753a15519d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/628-31-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

      • memory/628-30-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

      • memory/4484-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-0-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/4484-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-7-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

      • memory/4484-2-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/4484-3-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/4484-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4484-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

      • memory/4876-22-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/4876-32-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/4876-33-0x0000000077552000-0x0000000077553000-memory.dmp

        Filesize

        4KB

      • memory/4876-36-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4876-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4876-25-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4876-27-0x0000000077552000-0x0000000077553000-memory.dmp

        Filesize

        4KB

      • memory/4876-28-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4876-26-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.