Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 16:29

General

  • Target

    0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    0a845cefe0ae5cb677c9f1b6cce7aa17

  • SHA1

    4af06678f4e6e2614ecdb78d4b567763911dd6c2

  • SHA256

    56697b254e8af68aeb8a6940dfff89088f1e96b43e36bdb062c0fb63f938092a

  • SHA512

    96460cc081f0f6bdc08c9ff025dde992b9dff91d238ac7a4061d62a0638dc62f26c4409a46d624faf5611ff9804deacaee25c023cfa18af8800ea17e47f092a2

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXc5:hDXWipuE+K3/SSHgxq5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\DEM4229.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4229.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\DEM9858.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9858.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:384
          • C:\Users\Admin\AppData\Local\Temp\DEM4496.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4496.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2688
              • C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe"
                7⤵
                • Executes dropped EXE
                PID:3716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4229.exe

    Filesize

    14KB

    MD5

    14f941351be7bad9e0ca546b458a1dee

    SHA1

    38e2fdd9966d3fc7f4971b8fd5ca6f63cfeb8b82

    SHA256

    670cb2e7e82d3be7b457447b666b9067a9f229cae9107b446bd9f34eb8b7f068

    SHA512

    40c62189df0ef5e9ec497111f94f46cc81037b8c9415becec6b2a1edf61f5ebbc81fd34c617370d07a38d54e722b422fa4ed46c451c7daa129d0de8d8da3ae04

  • C:\Users\Admin\AppData\Local\Temp\DEM4496.exe

    Filesize

    14KB

    MD5

    f3a6fe66daaf26ca2ee54aacbe06dc42

    SHA1

    47a5562fdb9f57ca46d2033bc75f5ddc46728c9f

    SHA256

    ec2120c84f7c742d053980801d6b3350609ec90ed4f6997282dc4a2110bd1ccf

    SHA512

    81d4178f937616c8cae3f387a4dc399c848b94421d8c1c83f3d545aff1be880a9f5c1e6e38679dbcb8c2f95fa487bc39b6d746fbbee720a82e49837c042721b8

  • C:\Users\Admin\AppData\Local\Temp\DEM9858.exe

    Filesize

    14KB

    MD5

    d525f99c23ad9aa2970025135e27288f

    SHA1

    520004f929df67a59fc1f417681c77dfc45608de

    SHA256

    fb3bf9e18a85cba6ab625a66edea18eac20c7ec5a17134c3a2582e1de4b897ab

    SHA512

    e399c06716182ace3cefa5660beba1a68e94194c0a56e60a977253f272e59576a213008bdae660f9219f87419e257ae9e16b93605abba98b895c8506aae495f6

  • C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe

    Filesize

    14KB

    MD5

    b4ef73dadadbd451efd485c9c76d4a9f

    SHA1

    31ed500a4dd07cd0f7d7a20f8f502c9212685981

    SHA256

    61119e643ad3767aad6fc7d07eb1be7df1c1d33dd9f44c6895869c6b5b13607d

    SHA512

    a43a945aa1d16cd7d03250054e8d7ccf93278f5f24718c79420263a0613ace6509df1a5e3b9a02b64ca0744bedefebd476f3eb183d8406c4964039d5aded5274

  • C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe

    Filesize

    14KB

    MD5

    eb0ae8d7860d26ad70e544ddeb9d1825

    SHA1

    3dbde9bb0d4d3e8079e38a45e39332272b28464c

    SHA256

    82416f18c87e4571d6f55a931d5b89ba22225c65bd0bbc329ad44bee6cb8285e

    SHA512

    023bdf9f7ae36f76dd583db99d350e3340a4bc3ea37aed3855d4e9863fabbe96213740d0f6a2380559f6e201c7858545f7473b00d6ced9f7e260d7ee6eef2349

  • C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe

    Filesize

    14KB

    MD5

    26888fb959c419777003b5bb068fecd5

    SHA1

    572664b0811b1de84622fc05e7e4f9824fb16849

    SHA256

    e41f864bc8375f4576c4b41d6f4a8280c4925f8aecaf56282e344041d8ccb1e6

    SHA512

    15866c759ee1f9231830e1c3f09f2f8993f6170672cc4dc0465b6476afccbfd5aa70a9ce1530d16995de99986bf1e63fc87d79be114abacd1b69fa8310835074