Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20250314-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15/03/2025, 15:32 UTC

General

  • Target

    JaffaCakes118_76f99f639fa89fbd10386d446fcd3f48.exe

  • Size

    28KB

  • MD5

    76f99f639fa89fbd10386d446fcd3f48

  • SHA1

    0938fe6269c232d553c0d4f16156c8cd4e7eee68

  • SHA256

    88e0cae8c695fb7498042da0326664e23222ae6c6d23d1f752bd147dfd4b93aa

  • SHA512

    36f88a01fa72a2e01e4fe42b23f5f4fce385ef7c7e9a7a7d18342065372cd83673ec3fb5698f84ffed1deea218dada01f3edd26702fc83fe089e341771b1b9c0

  • SSDEEP

    768:QQ0FtbM5c3PXJiLAI1z1n48ViHYL+pppppp:oLkcqAG1n48Vsb/

Malware Config

Extracted

Family

qqpass

C2

http://www.rongshuxia.com/rss/viewart.rs?aid=1828

Attributes
  • url

    http://www.mxm9191.com/myrunner_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f99f639fa89fbd10386d446fcd3f48.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f99f639fa89fbd10386d446fcd3f48.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2476
    • C:\Windows\SysWOW64\DMe.exe
      "C:\Windows\system32\DMe.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f99f639fa89fbd10386d446fcd3f48.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3784

Network

  • flag-us
    DNS
    www.rongshuxia.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    www.rongshuxia.com
    IN A
    Response
    www.rongshuxia.com
    IN CNAME
    ins-syt91vu8.ias.tencent-cloud.net
    ins-syt91vu8.ias.tencent-cloud.net
    IN A
    43.129.139.168
    ins-syt91vu8.ias.tencent-cloud.net
    IN A
    43.129.153.38
  • flag-hk
    GET
    http://www.rongshuxia.com/rss/viewart.rs?aid=1828
    rundll32.exe
    Remote address:
    43.129.139.168:80
    Request
    GET /rss/viewart.rs?aid=1828 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.rongshuxia.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: stgw
    Date: Sat, 15 Mar 2025 15:32:13 GMT
    Content-Type: text/html
    Content-Length: 137
    Connection: keep-alive
    Location: https://www.rongshuxia.com/rss/viewart.rs?aid=1828
  • flag-hk
    GET
    https://www.rongshuxia.com/rss/viewart.rs?aid=1828
    rundll32.exe
    Remote address:
    43.129.139.168:443
    Request
    GET /rss/viewart.rs?aid=1828 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.rongshuxia.com
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 15 Mar 2025 15:32:47 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Security-Policy: frame-ancestors 'self' *.qidian.com *.hongxiu.com *.yuewen.com *.qq.com *.qdmm.com *.readnovel.com *.xs8.cn *.xxsy.net *.tingbook.com *.lrts.me *.ywurl.cn *.qdwenxue.com *.if.qidian.com www.gameloop.com *.xs.cn *.rongshuxia.com
    Content-Encoding: gzip
  • flag-us
    DNS
    ocsp.crlocsp.cn
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.crlocsp.cn
    IN A
    Response
    ocsp.crlocsp.cn
    IN A
    101.198.2.196
    ocsp.crlocsp.cn
    IN A
    106.63.24.37
    ocsp.crlocsp.cn
    IN A
    171.8.167.65
  • flag-us
    DNS
    ocsp.crlocsp.cn
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.crlocsp.cn
    IN A
  • flag-us
    DNS
    crl.crlocsp.cn
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.crlocsp.cn
    IN A
    Response
    crl.crlocsp.cn
    IN A
    101.198.193.5
  • flag-us
    GET
    http://crl.crlocsp.cn/WoTrusDVServerCA_2.crl
    rundll32.exe
    Remote address:
    101.198.193.5:80
    Request
    GET /WoTrusDVServerCA_2.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.crlocsp.cn
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.9.14
    Date: Sat, 15 Mar 2025 15:32:39 GMT
    Content-Type: application/pkix-crl
    Content-Length: 66760
    Last-Modified: Sat, 15 Mar 2025 11:15:15 GMT
    Connection: keep-alive
    ETag: "67d56143-104c8"
    Accept-Ranges: bytes
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.35
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.200.35:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Sat, 15 Mar 2025 14:53:20 GMT
    Expires: Sat, 15 Mar 2025 15:43:20 GMT
    Age: 2391
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 43.129.139.168:80
    http://www.rongshuxia.com/rss/viewart.rs?aid=1828
    http
    rundll32.exe
    772 B
    960 B
    10
    6

    HTTP Request

    GET http://www.rongshuxia.com/rss/viewart.rs?aid=1828

    HTTP Response

    302
  • 43.129.139.168:443
    https://www.rongshuxia.com/rss/viewart.rs?aid=1828
    tls, http
    rundll32.exe
    2.0kB
    10.1kB
    24
    17

    HTTP Request

    GET https://www.rongshuxia.com/rss/viewart.rs?aid=1828

    HTTP Response

    404
  • 101.198.2.196:80
    ocsp.crlocsp.cn
    rundll32.exe
    260 B
    5
  • 101.198.193.5:80
    http://crl.crlocsp.cn/WoTrusDVServerCA_2.crl
    http
    rundll32.exe
    1.8kB
    73.7kB
    35
    59

    HTTP Request

    GET http://crl.crlocsp.cn/WoTrusDVServerCA_2.crl

    HTTP Response

    200
  • 106.63.24.37:80
    ocsp.crlocsp.cn
    rundll32.exe
    260 B
    5
  • 171.8.167.65:80
    ocsp.crlocsp.cn
    rundll32.exe
    260 B
    5
  • 142.250.200.35:80
    http://c.pki.goog/r/r1.crl
    http
    384 B
    355 B
    4
    3

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    www.rongshuxia.com
    dns
    rundll32.exe
    64 B
    144 B
    1
    1

    DNS Request

    www.rongshuxia.com

    DNS Response

    43.129.139.168
    43.129.153.38

  • 8.8.8.8:53
    ocsp.crlocsp.cn
    dns
    rundll32.exe
    122 B
    109 B
    2
    1

    DNS Request

    ocsp.crlocsp.cn

    DNS Request

    ocsp.crlocsp.cn

    DNS Response

    101.198.2.196
    106.63.24.37
    171.8.167.65

  • 8.8.8.8:53
    crl.crlocsp.cn
    dns
    rundll32.exe
    60 B
    76 B
    1
    1

    DNS Request

    crl.crlocsp.cn

    DNS Response

    101.198.193.5

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.35

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\DMe.exe

    Filesize

    28KB

    MD5

    76f99f639fa89fbd10386d446fcd3f48

    SHA1

    0938fe6269c232d553c0d4f16156c8cd4e7eee68

    SHA256

    88e0cae8c695fb7498042da0326664e23222ae6c6d23d1f752bd147dfd4b93aa

    SHA512

    36f88a01fa72a2e01e4fe42b23f5f4fce385ef7c7e9a7a7d18342065372cd83673ec3fb5698f84ffed1deea218dada01f3edd26702fc83fe089e341771b1b9c0

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    27KB

    MD5

    a98d1bb37006920f593c75c3ae51992a

    SHA1

    0fc9cf1bcf7b609261267fd5638044c63fbc6f20

    SHA256

    df111ee84e10ceb7a77d54e42b747acc799fb08799e4b634b5b4759053fb15cb

    SHA512

    fac58e569877f9e1a8b0e9d0d87724fe0a6354124e99f0930881a6669f8f91165fb2b0c03fbc1b6bc9276a376f9e4470457ddd66a69af7b553c2312f8ec9692e

  • memory/804-18-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/804-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-36-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-21-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-34-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-35-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-37-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-38-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-39-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-40-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-41-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-42-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-43-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2476-44-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/3784-17-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB
