Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 22:04

General

  • Target

    114923912de5c2f125812a476724ce51_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    114923912de5c2f125812a476724ce51

  • SHA1

    1bc16556b93ec6118d47a761098ebde9de4db657

  • SHA256

    a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a

  • SHA512

    361afadb639d7f8c6115e5a815992dfb00188d07f36a750e7b8e72ea33699bbf4686f50cb41ddace6eb7abda46740dc0f5dfaadf5f94ea17adf79b9db2c454c6

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0xEp:hDXWipuE+K3/SSHgxm0Cp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\DEM7511.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM7511.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Users\Admin\AppData\Local\Temp\DEM7512.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM7512.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1168
              • C:\Users\Admin\AppData\Local\Temp\DEMCA61.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMCA61.exe"
                7⤵
                • Executes dropped EXE
                PID:1852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe

    Filesize

    15KB

    MD5

    69d31ea0b3058293684e0a56061b5440

    SHA1

    edcfbb4125b05660eb67193fbd6382fd028c965b

    SHA256

    7dc9c3e5dab48bde8d84d61c4c15ca5d64839a513465e1d76f807a16d723abd5

    SHA512

    271f2a24ca0119d6a5d268aad1151d100e347958f84ed1c7eb7286471dfcb70adc8f9e72aa07e8340994ad3c5f09492b32a923b0252574f435faefba45d61d3f

  • C:\Users\Admin\AppData\Local\Temp\DEM7511.exe

    Filesize

    15KB

    MD5

    40283715d8861b599926545ebd867698

    SHA1

    fd35ffb4cf494a6a3f0391d2a7f96202aa3a298d

    SHA256

    382c06dfb6f3dc74ebf7b7a982fdd4e4c4f343f1a315a13590abd9e22a868c53

    SHA512

    d793fec024a8580225a16f034f0e33310edef76efd748896ff65cff823d18d7e12bdec39a1752a46033f6415d50a3bb6e72007cece3374b7f14c37685a43c66d

  • C:\Users\Admin\AppData\Local\Temp\DEM7512.exe

    Filesize

    15KB

    MD5

    79cd48f52f2f8099f1698e3356aaf2fb

    SHA1

    d7cce50a8e4c55d325b1890812f81c618883b61f

    SHA256

    a646370db15f46fb618441c7f8bdcde2baf6cbbbfa11f030b2d748ed3a712735

    SHA512

    7c6a0c0973347a21a9ed9ae4f09b5da12c05d12da892a586fc8ee4bb68154055f5997acb250168a0903cefc75f8fd314b9eaaa25077553fce44dfb0acae780d7

  • \Users\Admin\AppData\Local\Temp\DEM1FEF.exe

    Filesize

    15KB

    MD5

    c8b22ed7db968ef065707e01f0f914f8

    SHA1

    acdd8b2b2eaef6a94322d1c718e7045f716f8840

    SHA256

    4ecfbec6b31e6adcc37b015937289c63e25d13ff9f656f84cad206ca5171eecd

    SHA512

    563a2baf379b1eea2fa0e4adca4dfa7da2bf867b2b46db23ddb0887bcbca67769ac08368af4a4915dea0b422917a322b944d1f272481d9790cfb36460f028c6f

  • \Users\Admin\AppData\Local\Temp\DEMCA61.exe

    Filesize

    15KB

    MD5

    ca25913bfd33b90f8e46173de5e8d069

    SHA1

    8f9689027c67714e702a3aa1235acdb4db36af84

    SHA256

    70b4468296dcdd460df01f71939d09a0fe0d7c5141ae7deb47ac6fdc75690518

    SHA512

    679c9356a7baf51a5f76d97608b6907aff7b6867f26d8077046827095af3bbe6b738ffd6c29de58c6e396d9b0719fbdbf867a768d07f0a7d9733bd8a38416c54

  • \Users\Admin\AppData\Local\Temp\DEMCA8F.exe

    Filesize

    15KB

    MD5

    bac52f2afba2d4f0c97ad0d5b554fe70

    SHA1

    4cbf45a6ac3c74ec34e889c5147899cb5d977a93

    SHA256

    c914148faf560ac86e820ecfd1f88cf60e7d32247ef5557fa5dba64688b2bc5f

    SHA512

    c9b4c027044dfb2669e83cd76563c3ee52234090f42c45641a1590b5e37b30c244fee0a04af6ab21abc9041ae89529c7107f302046a87edbf64ea30271678a9e