Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 17:14

General

  • Target

    0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    0b6b226a6a0670501eee05d0ec8ec82f

  • SHA1

    7af2cbb1ba2933e09c6a70cd59001d9f8a968ce8

  • SHA256

    ee66bed3f91e3c44d53ff8f25acf6c4b3b7035b14fb66544624e62cc997fadc4

  • SHA512

    a5b800b4e95a3f8bdc74ca28ea1757d9220032798d931be7869bfef3aea80100bb7682ea3abd76a3740cd834db9d4f1b13eaf94c00435e1a6722f755c388f3da

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlgJ:hDXWipuE+K3/SSHgxmlgJ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Users\Admin\AppData\Local\Temp\DEMB508.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB508.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3864
        • C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Users\Admin\AppData\Local\Temp\DEM6462.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6462.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4368
            • C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4700
              • C:\Users\Admin\AppData\Local\Temp\DEM1255.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1255.exe"
                7⤵
                • Executes dropped EXE
                PID:3564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1255.exe

    Filesize

    16KB

    MD5

    293c47bba6d1d83e7f772e1bba21a63b

    SHA1

    deae5466732efd2a2a78aeeece5c76303e160cd8

    SHA256

    3f6a7fde5ca2a4e9368012c6092bb2d2b1ecfa22ee7273f8445ef11ed720358f

    SHA512

    93e01708b82076ff992d25087c4495f077e58be80f3ce18d0fcf3495fb5d4940a9e77222bc19b012e6a7b5ac30999ab837da6e04401774295b6c8b4f83c51b27

  • C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe

    Filesize

    16KB

    MD5

    356cb84ae18727a4dfb7535b0428a67e

    SHA1

    a321d5976e8b8d81888c82141d3f695f606480f7

    SHA256

    8770ebc12d4aa6b40ba931c0a5d73cc98373a80e2bd2d8cd6881dac99c773b99

    SHA512

    4b469495ade9e642c87da3d3d47d8c07dfce64e8ed96ab5c5ee7146077cca663be1674997312443b6f86007098b67f8edb55601dd643a3a6da8c9e5f57c5c6ee

  • C:\Users\Admin\AppData\Local\Temp\DEM6462.exe

    Filesize

    16KB

    MD5

    406f0a5c4618d9e6d599fb59ab8a862e

    SHA1

    b200c8a35ddfb01e2f52311d31fc61ea835b4432

    SHA256

    e529f2aa66f3d028acccc3754b76a9493f56199aa75af99d1a122b9dc54e65d8

    SHA512

    3c2c92e02098b55403d1b587a8dca01e4ca29e520ce6924e6b69f39134a7d79335e0193c110776be0ec6346e06d2c2a2ec29f8706b3fc9573691764b516452ee

  • C:\Users\Admin\AppData\Local\Temp\DEMB508.exe

    Filesize

    16KB

    MD5

    4334ff580c6dc940e481bc9e2d8444a6

    SHA1

    f114c5d0c9416f4aa1f4cdec14bafa97a1069fc7

    SHA256

    996e3d7792b0501d3aae688a3aeda1be067f80df7c145245be57ff67fbcc7cce

    SHA512

    d9eb08426640d3ee59ea5b3f9da9e6f9d3987c18f01e9cae76d5299479313ce96b9ac7619701c3d2870e99bd9fb43875737fa58d6d22d397d9fd482e51046f57

  • C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe

    Filesize

    16KB

    MD5

    83050e6aaa8984c1e9568f9f47ea2aaf

    SHA1

    0d47a6595466bf531bf73418594a285bce617c72

    SHA256

    eea4e5f3e30b92dd6dc154209e1835a18241f0ba5f9db7da3399efd4ba9bdd39

    SHA512

    28e31c460bd05afd390ad9d8780cc4958a86a4a2cf4b7587a6bc1fd859376857dd67d70159a9528ae1a65cf0238e7754eccb98ea7354684acc7f12430f93b139

  • C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe

    Filesize

    16KB

    MD5

    53f4d461ef588a7e370b8fddad48b6a4

    SHA1

    37cea6cd818d67bd886d4b7de9694836675f7866

    SHA256

    1f5566aa4d40015b54c846b26d9fba27542d8b3f8e4c67f212ebdc36095254d7

    SHA512

    7464a218f25a976b043cfe33d3b131962abc90929bc0376cdeffdfa456dc2d2236cc4255970df6740c9956d8e1d4be708dd462b4222feb34e57f08dba4a1c1a9