Analysis

  • max time kernel
    104s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/03/2025, 01:35 UTC

General

  • Target

    JaffaCakes118_72c1ea6b26e9e8aeef68f2721a3557d5.exe

  • Size

    131KB

  • MD5

    72c1ea6b26e9e8aeef68f2721a3557d5

  • SHA1

    448752b4af4b39552c21f855087cc51c6ef28fcc

  • SHA256

    88df1b9a0095b38b55b3fdf66719deccad1ef2f8efeaa503cc8d34b69aeae338

  • SHA512

    7a19153f96cc16143be5cb08f05795c17cb1f7a35fe886aa87bdb68257f090938fb8d20edae409fb7141ca7fb080e36b7a0e7a4585bc9b7d0214e8ec8fee0bdc

  • SSDEEP

    3072:yGu9BlfzWIbXWm+w0Jp5iwZarcFxO/ImmDChxReco/OU643pEb:y/0uoYQ4bxcWR42

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72c1ea6b26e9e8aeef68f2721a3557d5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72c1ea6b26e9e8aeef68f2721a3557d5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYLOG~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYLOG~1.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2376

Network

  • flag-us
    DNS
    www.crazy-hack.com
    KEYLOG~1.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.crazy-hack.com
    IN A
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3A06F8198C21649D167EEDB68D8D6588; domain=.bing.com; expires=Wed, 08-Apr-2026 15:05:52 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E89FFE76B4B943E8A670D1B37B8C5FEE Ref B: FRA31EDGE0116 Ref C: 2025-03-14T15:05:52Z
    date: Fri, 14 Mar 2025 15:05:52 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3A06F8198C21649D167EEDB68D8D6588
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=38gfuSIQAx_h67lvx2Vqm1WUUmZHaujipjAYftl-XW4; domain=.bing.com; expires=Wed, 08-Apr-2026 15:05:52 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 437A94B180054E92A7319DB29B3F068C Ref B: FRA31EDGE0116 Ref C: 2025-03-14T15:05:52Z
    date: Fri, 14 Mar 2025 15:05:52 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3A06F8198C21649D167EEDB68D8D6588; MSPTC=38gfuSIQAx_h67lvx2Vqm1WUUmZHaujipjAYftl-XW4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8F0EC6472E484BB892B5C42A9F3A32A2 Ref B: FRA31EDGE0116 Ref C: 2025-03-14T15:05:52Z
    date: Fri, 14 Mar 2025 15:05:52 GMT
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.195
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.187.195:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Fri, 14 Mar 2025 15:00:00 GMT
    Expires: Fri, 14 Mar 2025 15:50:00 GMT
    Age: 413
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=669f0d6eb16b4aca94dd505ef763ebff&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

    HTTP Response

    204
  • 142.250.187.195:80
    http://c.pki.goog/r/r1.crl
    http
    476 B
    394 B
    6
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    www.crazy-hack.com
    dns
    KEYLOG~1.EXE
    64 B
    137 B
    1
    1

    DNS Request

    www.crazy-hack.com

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.195

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYLOG~1.EXE

    Filesize

    116KB

    MD5

    53107de8dff0e7b79364cd7706f86790

    SHA1

    026219c02af310ec9a5bf809c12cf612935e2d86

    SHA256

    53eea8080920c71b4f2992f28087ccb88e3eb32abfda6ebd390327d4500a0614

    SHA512

    6035305c63cff9ad14d4d4e2bd14a0eec21af3769b48fe6ab844cfee6073db54666295d72f3144d5703561504bce195a64252936cb696227c022b7cc667b7613
