Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 134s
  • max time network: 146s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags:
    • arch:x64
    • arch:x86
    • image:win7-20240221-en
    • locale:en-us
    • os:windows7-x64
    • system
  • submitted: 28/03/2024, 07:18

General

  • Target: 004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
  • Size: 16KB
  • MD5: 004df9eda4bb9a7589cdc8d4e5ed9620
  • SHA1: 35c6338c8dc3f3a89dcb6ad89722697e82ef04e6
  • SHA256: c98ab7441e92ba4107cf63062c8b43ec8c0bc0e0b40c66e870194dea78360a09
  • SHA512: 61254800e0aa4658cb60946a999a3c8a80bca3b309fd28eb822b2b8501adf4a932190ad4aae33b809cfa925b571d37e591864717d46d1867793353a70da3194f
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJUc+2:hDXWipuE+K3/SSHgxy2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\DEM4450.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4450.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2488
          • C:\Users\Admin\AppData\Local\Temp\DEM4808.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4808.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2464
              • C:\Users\Admin\AppData\Local\Temp\DEMF586.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF586.exe"
                7⤵
                • Executes dropped EXE
                PID:2200

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4808.exe
    • Filesize: 16KB
    • MD5: 9bfc0fb4549473888231ea7b689ba61c
    • SHA1: 4acf7612b6ab27db9e7cdfcfbc1853fbc6116402
    • SHA256: a2b0b89252679bf947949c73bfa24229a706b47cbc65f0b59ad2c34f1e0da714
    • SHA512: 0d6d6eaf42d560f4101d3c65cc689ed41d72f5f2800ea554ddde2283ecbecd828990b0d10853c244989bf7e60cd3c4744f65f24ce7fff7c4758c3412ad577c0a

  • C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe
    • Filesize: 16KB
    • MD5: bf67aa5e38f95e6ef6af53dce044f99a
    • SHA1: a3f61545f09802e5bffc2cd803715d74357fb99b
    • SHA256: 275da2ab4973c305d1d883565ce9fcb8e373af801b03ded961c20d8e5ea5b58d
    • SHA512: c361a4aa23210b61457c159f54c06d7af477facd820424d931627b2d31771767a2fae16029da8642a3508f980ee7e5f3e5a3c84595f32e61214bf58209826d40

  • C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe
    • Filesize: 16KB
    • MD5: 261d91d9a00ce23480f4df78b185184d
    • SHA1: 5f44fc981f26ceb17757dbce4549d0426fb1cbbf
    • SHA256: 92507b4da443414b01e7cf598d450475ecc69a7c085cc7b56d137a4f5b56cb0e
    • SHA512: 0a797f20146aafadfd659a7060b7606010887f6c8ef1f2c7b32265fbddd763cbfbb4dc5e683517351c393275598cbeea8c035923537685246d47bdf4fd98df91

  • \Users\Admin\AppData\Local\Temp\DEM4450.exe
    • Filesize: 16KB
    • MD5: da1ce5625ebe9a5e52acf77aebafd06f
    • SHA1: 3821c781df745bdf923f1fe0ed16f1f0602d32fa
    • SHA256: 3d58b18dfbb9cf858a41425d029e2720601a21880aedc62db70bcc406bf59337
    • SHA512: 20d04b436fe9bf9cd50953c6c434a365e6ba44331cf01b758e2be790daf1098a6f465accaf893e9bc4035e0647ab17799c60b5c1160f8fc75f3868d4ae7dacf3

  • \Users\Admin\AppData\Local\Temp\DEM9E90.exe
    • Filesize: 16KB
    • MD5: 49be196c81fcbc259add422a383fe3ed
    • SHA1: a2363d5dc097da3580f32db73af33d6473047631
    • SHA256: 0b093c9908f3e70f969e684ca8fe09e75d7296d815efad771e4b261bed6c90dc
    • SHA512: 34b7bffa3511596eafc6da51a5c426fa2209f3c4eebf472babc686901a49f6417cb523ecebaa5c30c476f3bd87701984f3286557207680706b2d1d2400616cea

  • \Users\Admin\AppData\Local\Temp\DEMF586.exe
    • Filesize: 16KB
    • MD5: e0d692eb028e9a9119bcf7aa4ddd1049
    • SHA1: 3c2d24a468c385d6205dbdcf449405ac63f728e0
    • SHA256: 3575844d6dda2115137be1aff6e7c54d9e5460a66873bb0880e6a15b5a852f4f
    • SHA512: 5deb3761835d748d58fc0e225467b937aa7109c451ebd4bc80eda3651c7786c8c87344dfbc715a47b5004626d507dfdac709e503987decb1b310d4540d4b3cd5