Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 17:39

General

  • Target

    0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    0bed5566318e9c699bfef7d0a1ff0de9

  • SHA1

    c33becbe980b8822c26e21311a217673fd25f420

  • SHA256

    5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f

  • SHA512

    5b4fa781ba238d63fe04b678b1d4b748cf3dba03ac858fdf84bf63c56f7d04b74d07ce07f2daf53bb09e0e31aa8e8e81ab776b2b06e021e7b19beed5c4b24654

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCKn97:hDXWipuE+K3/SSHgxmqN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Users\Admin\AppData\Local\Temp\DEM8770.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8770.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Users\Admin\AppData\Local\Temp\DEM3321.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM3321.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4004
              • C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe"
                7⤵
                • Executes dropped EXE
                PID:4008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe

    Filesize

    15KB

    MD5

    b31611d780440572f018472db2ed90c1

    SHA1

    9e5a22fed1404cb64519c1aee173b17bc87e9373

    SHA256

    e51185c0df8e11f43286c94f01b7ddb2fd280385f31918533d163a550acd4119

    SHA512

    0214748cbe118a88c249165f1fe4a440e0ba30680abfcd287a8da0e88416a8a520ea80a849f48182180bf430d7a8ef1f8a6eb65cc862ba528d7d237192509f9e

  • C:\Users\Admin\AppData\Local\Temp\DEM3321.exe

    Filesize

    15KB

    MD5

    e25111b23e35bb8676e45703aacc9a5e

    SHA1

    f77f7b3f21c5b5db156987571ed303665c872989

    SHA256

    ebfebbc99b7c984ced16268faba87aaab24b00d073a477c4a4be856286bae0ea

    SHA512

    95e652f08c0a05d30952a8a8ab16c04a3dd7ae8cb4c0881c3826952a3d8adc3962636479229620881210b00fc155b10681c3f0f3ba6253f563c785835dd6a3e8

  • C:\Users\Admin\AppData\Local\Temp\DEM8770.exe

    Filesize

    15KB

    MD5

    51c85df738df02be8c14e36ff4990cb8

    SHA1

    d4446aed7b984696843821d30ec971d5353fd7e9

    SHA256

    28afe9d661cd21358afdba16fc28e61be2bd2388e175e35f89a9e70157761ef0

    SHA512

    a3fcb075728ac3f9976e2b30325625cce8f739782e51fefd94bd5254b1bae3f19befb100f4a705c519a1529ea8365b610ed544242e90da395461d0a257040af3

  • C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe

    Filesize

    15KB

    MD5

    1a58b3e7481f0e18bb9cde2ccaf63334

    SHA1

    80a8ff0d527c24c9459fa3d767f713128944e712

    SHA256

    d7b27042d94645dedbf5285a11774e271f3b9a104f1345d115e6bfb9e355cb61

    SHA512

    d5cba86d73d43af0a77f57d55e039ede21eae151f75fcbaf14a39b88baa7cb675e7f5d921fb8820d941f4800fef7954a23f45a6dd78f939e243dbb910daa556d

  • C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe

    Filesize

    15KB

    MD5

    79f685a87b9c8ca5db3f95c4d1bc793a

    SHA1

    4745cd3ed28d2bd010301ffb19b27884b9a2d942

    SHA256

    9cb6d3b2d836ba72b0743735efe6f12df292266529677222d59ee9420352eafe

    SHA512

    526ebd6b72bc7dfb0b7d7ca88d8f721ab9e8beb7679ac15fb1797492b3a350887a7bdc9c8f6787a5e8e0f16a862c5da8acd26cdf28b63f432000dd0e508397ad

  • C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe

    Filesize

    15KB

    MD5

    1966a4a28f1620ca57e52c6361e08c2f

    SHA1

    6c89c37d8bd3ea53e719c44ed7c8832c4a6ecf7f

    SHA256

    40df16ba30fe533030777b49ecf9f1b7e8faeaab20e7f005fefff1c88ab591e2

    SHA512

    2d06cee7e3d4ccf4cd0630ecc73c809c1e73c874e341e532b2ecd0a276d6d62d988c3ffccad801f0377b00ecf1d925d9366f93128cdede3d0d3b65d3285099da