Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 21:27

General

  • Target

    10729b651c3838868f515dc723475d29_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    10729b651c3838868f515dc723475d29

  • SHA1

    b3d8855a1b9a951d6592f642e311f37c007f8dd0

  • SHA256

    de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e

  • SHA512

    d03221ad55a52d5eab56d5a8f8052822f0a5a551cfe8690dd3b08d8bf85036874dda3292a132aeebe1df49017ba0a157fd71998dacb99da82460bab026e416f5

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhg:hDXWipuE+K3/SSHgxmyhg

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\DEM3141.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3141.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Users\Admin\AppData\Local\Temp\DEM341B.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM341B.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2112
            • C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:212
              • C:\Users\Admin\AppData\Local\Temp\DEME039.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME039.exe"
                7⤵
                • Executes dropped EXE
                PID:440

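The tree above is a seven-deep chain in which every process runs from %TEMP% and each stage drops and executes the next (each stage except the last also carries the "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" tags). The following is an added detection example, not Triage's code: it models the report's process tree as a list of (pid, parent_pid, image) events and flags any parent-to-child chain of %TEMP%-resident images that reaches a depth threshold. Parent PIDs are inferred from the tree's nesting because the report does not print them, the depth threshold of 3 is an assumption, and the `DEM` + four-hex-digit name check is based only on what this sample shows (the pattern is consistent with GetTempFileName's three-character-prefix scheme, but that is an observation, not something the report states). The control case with an installer is constructed to show the threshold doing its job.

```python
"""Flag drop-and-execute chains running from %TEMP% in a sandbox process tree.

Added example; events are transcribed from the report's process tree, with
parent PIDs inferred from the nesting (an assumption).
"""
import re
from collections import defaultdict

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
# GetTempFileName-style name: 3-char prefix + up to 4 hex digits. Fixing the
# prefix to "DEM" is an assumption drawn from this one sample.
TEMP_EXE_RE = re.compile(r"^DEM[0-9A-F]{1,4}\.exe$", re.IGNORECASE)

T = r"C:\Users\Admin\AppData\Local\Temp"
# (pid, parent_pid, image) constructed from the report's process tree.
EVENTS = [
    (816, None, T + r"\10729b651c3838868f515dc723475d29_JaffaCakes118.exe"),
    (4780, 816, T + r"\DEM3141.exe"),
    (3076, 4780, T + r"\DEM87AE.exe"),
    (4556, 3076, T + r"\DEMDDBD.exe"),
    (2112, 4556, T + r"\DEM341B.exe"),
    (212, 2112, T + r"\DEM8A0B.exe"),
    (440, 212, T + r"\DEME039.exe"),
]

# Constructed control case: an installer started from explorer that runs one
# helper from %TEMP%. Two levels deep is ordinary for setup programs.
CONTROL_EVENTS = [
    (1000, None, r"C:\Windows\explorer.exe"),
    (1200, 1000, T + r"\setup_abc.exe"),
    (1300, 1200, T + r"\helper.exe"),
]


def in_temp(image):
    return image.lower().startswith(TEMP_DIR + "\\")


def temp_chains(events):
    """Every maximal parent->child chain in which each image runs from %TEMP%."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    def temp_proc(pid):
        return pid in by_pid and in_temp(by_pid[pid][1])

    chains = []

    def walk(pid, path):
        path = path + [pid]
        nxt = [c for c in children[pid] if temp_proc(c)]
        if not nxt:
            chains.append(path)
        for c in nxt:
            walk(c, path)

    # A chain starts at a %TEMP% process whose parent is not itself in %TEMP%.
    for pid, (ppid, _) in by_pid.items():
        if temp_proc(pid) and not temp_proc(ppid):
            walk(pid, [])
    return chains


def assess(events, min_depth=3):
    """Report the deepest %TEMP% chain and flag it if it reaches min_depth."""
    by_pid = {pid: image for pid, _, image in events}
    chains = temp_chains(events)
    if not chains:
        return {"flagged": False, "depth": 0, "pids": [], "tempfile_named": 0}
    longest = max(chains, key=len)
    named = sum(1 for p in longest
                if TEMP_EXE_RE.match(by_pid[p].rsplit("\\", 1)[-1]))
    return {"flagged": len(longest) >= min_depth, "depth": len(longest),
            "pids": longest, "tempfile_named": named}


if __name__ == "__main__":
    print("sample :", assess(EVENTS))
    print("control:", assess(CONTROL_EVENTS))
```

Running it prints a depth-7 flagged chain for the report's tree (six of the seven images carry the DEM name pattern) and an unflagged depth-2 result for the installer control. In a real telemetry pipeline the same walk would run over Sysmon event ID 1 or equivalent process-creation records, where the parent PID is recorded rather than inferred.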
Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3141.exe

    Filesize

    15KB

    MD5

    c04b272c4feeb3b684dc4d51d4c880e0

    SHA1

    57d008fb24e1894b202d11275d2325e2315e6417

    SHA256

    96c8dd57a9478e96e9f6fffba077ca10b606c85ee132ac2870e944f2a7395a99

    SHA512

    d57c308f5519f1da457bd304676245f5ede595e0378936c01cb37bcd00d3fc2ec5123c414d09824e379c91183ae20d520c1032964765eb0ac2c3cf7731e6923f

  • C:\Users\Admin\AppData\Local\Temp\DEM341B.exe

    Filesize

    15KB

    MD5

    3f7f36125238005fe44bf7362fe0b74e

    SHA1

    4caf7f0a25af929129f372f8bed88dec4e787dea

    SHA256

    ce9dbaae7c9b7c3f9ef933a485c8156d87adf9580674d601d796bc748224b7d8

    SHA512

    5d0579d7d0c3e82fc6d44bbc99e112b6ae0b0b1d352bb8fff498bbe4f4040184d0e6ffe5d339c8607aec828f22ebc8ae785f648bbea5a51a4d0b49313670e8f8

  • C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe

    Filesize

    15KB

    MD5

    cb848d3cb4bf3bc16f35f200b8999cff

    SHA1

    088c820a563f6504b4205eea1b9335a324440145

    SHA256

    761e60a329a7165703ee6f7830317f5702884664c5aa4f5a0cb6e9bbe3bdc331

    SHA512

    6aa0d04db1203566bdc59dc398d34edab3c1993032d5126adb0c8434884b20756b812d7e01d2203972c8599efd9efcfe09e14eb0c43a21c22731cea4897aae7f

  • C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe

    Filesize

    15KB

    MD5

    8a05cc197e80ceee6395677a8f8a8aa7

    SHA1

    d2e13c5ae97aa4e6e219f93bb0fd7508243918c0

    SHA256

    97790f1f203b0359c6ad4456a7fdd12e4e93f6da110fb98e9ef28b853bcf6b12

    SHA512

    552e5c15a1bfd482f7b8507325d664103fa4e9d8d2a6ca9a7052ab07c65f493da9949b792871a4994f86d671212128465fcd55eaf24ab01b15aa708fe77d2d40

  • C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe

    Filesize

    15KB

    MD5

    419e35d733fe99261f85094cff19e07a

    SHA1

    bd989f7835c101675aa67af9dbcd08870cbacf60

    SHA256

    3bf119fe48b5c4975828ec47b61b1b6a3195cd87fb6bd91a52bc9dda7878d8af

    SHA512

    f17ccae229f2d66b3e3691016b7600994be719776a7e170a605779ceb151db960abff6388675bcaa51e70e9a3a60d79be4c06522b57477000bf36ef1c1de7107

  • C:\Users\Admin\AppData\Local\Temp\DEME039.exe

    Filesize

    15KB

    MD5

    03dd641c78e6227012452ed6a0296036

    SHA1

    70dc6a01f5eff088dc11cec31172754c7bc9b34e

    SHA256

    5a31300f11e8f65e880234a2bfd5608dee0101ed5dd011153f4f828d90a10c87

    SHA512

    db817e4e935d628abb9d3e6ad15e74b4f9369a2c8d717777f4372df7fd2609c59358ab114784aecd3656741b9e82a7c8b50f39fc783b3c9c43ae8c0c8b3973a3
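Every dropped stage is 15KB yet carries a different MD5/SHA-1/SHA-256/SHA-512, so the hashes above are seven separate indicators rather than one. The block below is an added example, not Triage's code, that turns the report's Downloads section into an IOC table and hashes files on disk against it. Only the MD5 and SHA-256 values are transcribed here; the SHA-1 and SHA-512 columns are left out of the table to keep it short, although `hash_file` computes all four. The directory scan at the bottom hashes a constructed dummy file that matches nothing, which exercises the no-hit path.

```python
"""Match files on disk against the dropped-file hashes in this report.

Added example. IOCS is transcribed from the report's Downloads section plus
the submitted sample (MD5 and SHA-256 only).
"""
import hashlib
import os
import tempfile

IOCS = {
    "10729b651c3838868f515dc723475d29_JaffaCakes118.exe": {
        "md5": "10729b651c3838868f515dc723475d29",
        "sha256": "de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e"},
    "DEM3141.exe": {
        "md5": "c04b272c4feeb3b684dc4d51d4c880e0",
        "sha256": "96c8dd57a9478e96e9f6fffba077ca10b606c85ee132ac2870e944f2a7395a99"},
    "DEM87AE.exe": {
        "md5": "cb848d3cb4bf3bc16f35f200b8999cff",
        "sha256": "761e60a329a7165703ee6f7830317f5702884664c5aa4f5a0cb6e9bbe3bdc331"},
    "DEMDDBD.exe": {
        "md5": "419e35d733fe99261f85094cff19e07a",
        "sha256": "3bf119fe48b5c4975828ec47b61b1b6a3195cd87fb6bd91a52bc9dda7878d8af"},
    "DEM341B.exe": {
        "md5": "3f7f36125238005fe44bf7362fe0b74e",
        "sha256": "ce9dbaae7c9b7c3f9ef933a485c8156d87adf9580674d601d796bc748224b7d8"},
    "DEM8A0B.exe": {
        "md5": "8a05cc197e80ceee6395677a8f8a8aa7",
        "sha256": "97790f1f203b0359c6ad4456a7fdd12e4e93f6da110fb98e9ef28b853bcf6b12"},
    "DEME039.exe": {
        "md5": "03dd641c78e6227012452ed6a0296036",
        "sha256": "5a31300f11e8f65e880234a2bfd5608dee0101ed5dd011153f4f828d90a10c87"},
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_iocs(iocs):
    """Reject malformed digests; return the number of distinct SHA-256 values."""
    seen = set()
    for name, digests in iocs.items():
        for alg, hexd in digests.items():
            if len(hexd) != HEX_LEN[alg] or any(c not in "0123456789abcdef" for c in hexd):
                raise ValueError(f"{name}: bad {alg} digest {hexd!r}")
        seen.add(digests["sha256"])
    return len(seen)


def _digest_all(blocks):
    hs = {alg: hashlib.new(alg) for alg in HEX_LEN}
    for block in blocks:
        for h in hs.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hs.items()}


def hash_bytes(data):
    """All four digests the report lists, for an in-memory buffer."""
    return _digest_all([data])


def hash_file(path, chunk=1 << 20):
    """All four digests, streamed in one pass so large files are read once."""
    with open(path, "rb") as f:
        return _digest_all(iter(lambda: f.read(chunk), b""))


def match(digests, iocs):
    """Return [(ioc_name, confidence)]. SHA-256 agreement is a strong match;
    an MD5-only hit is weak, since chosen-prefix MD5 collisions are practical."""
    hits = []
    for name, ref in iocs.items():
        if digests.get("sha256") == ref["sha256"]:
            hits.append((name, "strong"))
        elif digests.get("md5") == ref["md5"]:
            hits.append((name, "weak"))
    return hits


def scan_dir(root, iocs):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            for name, conf in match(hash_file(path), iocs):
                findings.append((path, name, conf))
    return findings


def demo_scan():
    """Scan a temp dir holding one constructed dummy file; expect no hits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "DEM0000.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 1022)   # constructed, not a real sample
        return scan_dir(d, iocs=IOCS)


if __name__ == "__main__":
    print("distinct SHA-256 indicators:", validate_iocs(IOCS))
    print("hits in demo directory:", demo_scan())
```

The weak/strong split is the practical caveat: an MD5 match alone should trigger a look, not a verdict, whereas a SHA-256 match against one of these seven digests identifies that exact stage. Note that a fresh run of this sample would most likely produce stages with new hashes, since each generation here already differs from the last; the process-tree behaviour is the more durable indicator.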