Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 20:15

General

  • Target

    0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    0f1804021eb96820702f0ffcb3c72015

  • SHA1

    d8ef69dc7c0a89fe11a29e3c2c77fcf60ea0e473

  • SHA256

    6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8

  • SHA512

    297e22ed028301c4afd23cad60e852bd9d05e6c696f32260ab712bd7e7c130284d25b9a573840eb4a8a7a0129c64def3a0c2e22990677012ede1b14f7670dd18

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhb:hDXWipuE+K3/SSHgxmyhb

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\DEM142C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM142C.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Users\Admin\AppData\Local\Temp\DEM14A9.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM14A9.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:840
              • C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe"
                7⤵
                • Executes dropped EXE
                PID:1984
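
The process tree above is a seven-level dropper chain: each DEM*.exe is written to the user's Temp directory and immediately spawns the next one from the same directory, which is what the "Executes dropped EXE" and "Loads dropped DLL" signatures are counting. The following script is an added example, not part of the tria.ge report, showing how that pattern can be picked out of process-creation telemetry. The event records are constructed from the PIDs and paths shown in the tree; the parent-PID values are inferred from the tree's nesting (the report does not list PPIDs), the parent of the submitted sample is unknown and set to 0, and the two explorer/notepad rows are made-up benign noise.

```python
"""Detect a dropper chain: executables in a user's Temp directory spawning
further executables in the same Temp directory, several levels deep.

Added example; the events below are constructed from the tria.ge process
tree (PIDs and image paths), with PPIDs inferred from the nesting.
"""
import re
from collections import defaultdict

# Matches <drive>:\Users\<user>\AppData\Local\Temp\ at the start of a path.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed process-creation events: (pid, ppid, image path).
# PID 2316 is the submitted sample; its parent is not in the report (ppid 0).
EVENTS = [
    (2316, 0,    r"C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"),
    (2676, 2316, r"C:\Users\Admin\AppData\Local\Temp\DEM142C.exe"),
    (2452, 2676, r"C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe"),
    (2928, 2452, r"C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe"),
    (1552, 2928, r"C:\Users\Admin\AppData\Local\Temp\DEM14A9.exe"),
    (840,  1552, r"C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe"),
    (1984, 840,  r"C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe"),
    # Made-up benign noise: explorer launching notepad, neither in Temp.
    (1234, 1000, r"C:\Windows\explorer.exe"),
    (5678, 1234, r"C:\Windows\System32\notepad.exe"),
]


def in_temp(path):
    """True if the image lives directly under a user's Local\\Temp directory."""
    return bool(TEMP_RE.match(path))


def build_tree(events):
    """Return pid -> (ppid, image) and ppid -> [child pids]."""
    procs = {}
    children = defaultdict(list)
    for pid, ppid, image in events:
        procs[pid] = (ppid, image)
        children[ppid].append(pid)
    return procs, children


def temp_chains(events, min_depth=3):
    """Find maximal parent->child chains of Temp-resident processes.

    A chain starts at a Temp-resident process whose parent is unknown or not
    Temp-resident, and follows only Temp-resident children. Chains shorter
    than min_depth are discarded. Result is sorted longest first.
    """
    procs, children = build_tree(events)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        nxt = [c for c in children.get(pid, []) if in_temp(procs[c][1])]
        if not nxt:
            if len(path) >= min_depth:
                chains.append(path)
            return
        for c in nxt:
            walk(c, path)

    for pid, (ppid, image) in procs.items():
        if not in_temp(image):
            continue
        parent = procs.get(ppid)
        if parent is None or not in_temp(parent[1]):
            walk(pid, [])
    chains.sort(key=len, reverse=True)
    return chains


def describe(chain, events):
    """Render a chain as 'name(pid) -> name(pid) -> ...' for a triage note."""
    procs, _ = build_tree(events)
    parts = []
    for pid in chain:
        name = procs[pid][1].rsplit("\\", 1)[-1]
        parts.append(f"{name}({pid})")
    return " -> ".join(parts)


if __name__ == "__main__":
    for chain in temp_chains(EVENTS):
        print(f"depth {len(chain)}: {describe(chain, EVENTS)}")
```

Against the constructed events this reports a single chain of depth 7, matching the tree above. The depth threshold is the knob to tune: a legitimate installer unpacking to Temp and running one helper gives depth 2, while a self-replicating dropper like this one keeps going as long as it can.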

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM142C.exe

    Filesize

    15KB

    MD5

    68cb81b02b949c7f27c4b4f1fe2bc932

    SHA1

    2bf000dca68fcb0dc4823013bcdb43091dde9adf

    SHA256

    ac2a44bc2f10ee169665edba56d382ddf59220c4bcf814c1a78f8517afa4aff1

    SHA512

    f55a3060a083b79414d0b9d4fbd82caef98ce86bb67d5b6573d5f3e29a5ea226294f68bd4e42d47f34210ad583f0eb64744c2b2fe3466fbeafb03dc3897a0a92

  • C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe

    Filesize

    15KB

    MD5

    0db4d8273f4d057b8dca20a1a02a8473

    SHA1

    5cf65951391bd0c286fd9a08401ab716e3a66764

    SHA256

    c71d4385176dd7e4fe3d3724a5b387053fb1a58671e22a8b3fbc6c92ea8d80f3

    SHA512

    46e7e7ab9f266c8be1676eef81ae40e311df7d68c5c96e1df99c00b607256adcab06608a9e86160ce0364cf4a03d22c82a0220eb2c3b82178e39df686ae19577

  • C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe

    Filesize

    15KB

    MD5

    60e624183aabc16e766beb422f1cf8e3

    SHA1

    083afe74b02d1f70064173bb1f4a1279f5b8f2c3

    SHA256

    105205969186cab1b2fb7c6658cd5778981f720c209cb1cb64808cf0dc124a24

    SHA512

    26668430f5cd9c416168abcab695408a64a1c7f88c2949f03a9e2b88d25cb5c39cf7ced230bf1b22237bc39cd3824186db248cf326eb22fe1eaba6a454bd795d

  • C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe

    Filesize

    15KB

    MD5

    8910082f036cd5aa2e91b3da99df2e2b

    SHA1

    154cc54e3f40f23800ab6e31e7904ea543112aef

    SHA256

    77b20385fca20e10ea589c8c062f17934b9041e328b8461d34526a125c2fdcf0

    SHA512

    fa76927a1a9717aa3b257a5c16cedde47c51544742f880b142aadca64f4e5e807bbfc15bac54e64207e2c1222c849067aea5306d45f3e5367a0e72a5c0839178

  • \Users\Admin\AppData\Local\Temp\DEM14A9.exe

    Filesize

    15KB

    MD5

    b6592954bbe295bcead7812ff4649e70

    SHA1

    42d4268d970043624ace09a95a674823cab4d881

    SHA256

    cb0793ba265cdeff687b980de4e280c3cf54c2400f3de997ccdcf648f764f1f9

    SHA512

    83be0ce0275e3c2fad74a2916ba3cc89447326d6159c31bdf8747912c8f4eb507fa659d3cbc59f9623929e10b93012b1f107ce4bf751f35cb9e236b1d7439508

  • \Users\Admin\AppData\Local\Temp\DEMBFD6.exe

    Filesize

    15KB

    MD5

    357ed96bcf4da04cf29784bf7b3a859f

    SHA1

    914441fa10ca14469740d17ba1348517b068ec6d

    SHA256

    73b2339104914598b7de60e209df045f5dfa321781369ae4bd23838aa901efc7

    SHA512

    1aa6ba241f5bdc6400b2a5beb67094635a4c9e2f83c9170ed8ea119a716f0e1e3503f177719bc3a6b544157d99c19ba6502840fd05ab59c63a8279281f02ff2a