Analysis

  • max time kernel
    137s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 20:15

General

  • Target

    0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    0f1804021eb96820702f0ffcb3c72015

  • SHA1

    d8ef69dc7c0a89fe11a29e3c2c77fcf60ea0e473

  • SHA256

    6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8

  • SHA512

    297e22ed028301c4afd23cad60e852bd9d05e6c696f32260ab712bd7e7c130284d25b9a573840eb4a8a7a0129c64def3a0c2e22990677012ede1b14f7670dd18

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhb:hDXWipuE+K3/SSHgxmyhb

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3644
              • C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe"
                7⤵
                • Executes dropped EXE
                PID:4400
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4588

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe

      Filesize

      15KB

      MD5

      bf22fa3d78bc0dc5d5e11cf2e82ea2b0

      SHA1

      873ee5ba1178a13995c4de6e3e635cc763dfae4e

      SHA256

      1458ca63a744f189bbbee3e9293fb4fa2c5e78bfee91bcb212bc70fb0b5ded88

      SHA512

      77138627171de4a57233c6a5474fcc474d6f0842343c9c16e0019a9a20576fc3950f028b0dc258126733a7a216c558fdbda87d34c4ea5a8c5c07469119eef5df

    • C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe

      Filesize

      15KB

      MD5

      83c9c1b97243cb1e3afce5ae2105b117

      SHA1

      5fbddf26f30894e00996fe45ea1dc240d554ce6c

      SHA256

      fa235d8dfa3e1107c7cce48dd7d7a80d20b1f60df744cbf7e78bd59bfae2d997

      SHA512

      57a3d5ac610e3cb7c64382801aa37e071f0557d8c57d7c438ba8a666a4a759c35ee95610fb523ec581f51b9a36ed2e960f78e6a78225a5c447a83a0aa4eba25e

    • C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe

      Filesize

      15KB

      MD5

      0950bbc41f99160a8b62536dbd1d93c8

      SHA1

      ccbd693a5d9889c73adc86ad8118a2c8db12f52f

      SHA256

      9ce7e2d520fd2633c383e0da04796d62fcf5254d64700522232e75e5842249e8

      SHA512

      674213586bee21a9d0f1cb5a2a7480a7c9d3ca832591b28af7d227833d5b0d4a162a60e6a1ecf24364ddd0bb7f7ceae4f7f87599abfebb4a7e69a5a1e16045c1

    • C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe

      Filesize

      15KB

      MD5

      1afffb005e82830e786a0d557dc1c039

      SHA1

      585cc124ca510ecdc12e68be51accaf0c78e9304

      SHA256

      e92a52bfa06ef58df5407ba73f1907fd9fef0b3ccebfaa51b859f1e226fbc416

      SHA512

      f3bfa2f1009493714dd71787b75763f887ab9c68ef693d6dbe7174be903d60d9803b0c219d76522dc6234836eed451f2125c76afa6093d8f7b50c006b7b0d447

    • C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe

      Filesize

      15KB

      MD5

      3275e5ec2b25271e4ed47573b362d01a

      SHA1

      a05ec8b01a4791e0db2a397eab33469106502cc4

      SHA256

      959e9f09d71e3ca26b5c2b46d484cd54ffa1f61adfd03eea61998197dccb9d30

      SHA512

      26e0d1c76a7cdadd40b5ab5f1149f6939a88d5a9c1845aed19d094c9b0799b1d1a5d387ddb92cc037fc8981071621ad9d8e8b4e2d0fac3e8cba8d62953df7f8e

    • C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe

      Filesize

      15KB

      MD5

      aea8625b39a2352bbdc8c41e8e9db302

      SHA1

      bfca055e6f6aaa2c0f65b85576cbb436295d52b6

      SHA256

      b68fee8afaa1524ae575d653a982195aeb918ea8cf4b83e8514e07e496a05d04

      SHA512

      97b5a86dd6bc398ca2883e2818a320f3f27deeb5b472a7f0cd4b793bd9510b2ef07036e833ba0d5b9fdc6553b0be4f440fcd479557b7209a238c5a48c30dcd5a