Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    29/03/2024, 02:51

General

  • Target

    1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    1691b284f4f743299f55fb45a1430800

  • SHA1

    4ff517a23e180ee9f7e3bd4052258f956ca7e2ca

  • SHA256

    1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6

  • SHA512

    75e0879d77e09cdcd086a0b9a0af2e6f692f402074eeb0893d428f3a6a2bbeccc0df16dac0ca533b8eda3b27ad6172f1665b2c4adaa8d3ede5d70a77893f2c37

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPay8K:hDXWipuE+K3/SSHgxmkClK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\DEM371D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM371D.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Users\Admin\AppData\Local\Temp\DEME36B.exe
          "C:\Users\Admin\AppData\Local\Temp\DEME36B.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Users\Admin\AppData\Local\Temp\DEM3989.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM3989.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3784
            • C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4320
              • C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe"
                7⤵
                • Executes dropped EXE
                PID:1964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM371D.exe

    Filesize

    15KB

    MD5

    73f2a45c73c9d3b473719856cc2d5731

    SHA1

    b3008d8ee91c3b0e23e317bdf1905c3682e772ca

    SHA256

    535ea657232cbdb7082619c847401e7feb0d7b861a198c81cdb5bbf81cc961ed

    SHA512

    7cccebebce59d0bc60ef80051135d9b6b8819d2b1fb673cd068726dfe626c31c87391b02c17c99bab2887dc6390e665279298086cff795bb80ae56cd49e07bca

  • C:\Users\Admin\AppData\Local\Temp\DEM3989.exe

    Filesize

    15KB

    MD5

    4bb75be2f8f2c3633d573fd9314facf3

    SHA1

    0a8487943dd01727fdc938b93aeb4cad6db32992

    SHA256

    7dd6388bca08a3ba26d8c599d940e7358b19fbbad53f5bf6cd3ea2fd4f9f5ec8

    SHA512

    55c653d012e489f933094759907c994182bcc62c73be5d5f20c6be62fa844e598f5ea19534da209be544282a088c73d44d94e2d983bb75ee0179971d946af887

  • C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe

    Filesize

    15KB

    MD5

    8c4c89157cf524fc3b65a182a6716829

    SHA1

    f66692365f70dda8f0ddedc681750bac84300934

    SHA256

    3e0a6769b0b7e090f2412e75ef655c977749175b58c0d55efa1e886e316954d8

    SHA512

    bc6fabe334061de5694246252caac7a00d95ee7666c6f85f2fa3642f2602a0a65d12dbaab9b9a4d9967e58ca31b42c1dc416a84e56818b064af1a1bddc25b0bc

  • C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe

    Filesize

    15KB

    MD5

    7dae0426a4fbc0cf9528b1f875f03650

    SHA1

    a82ae500d90acf44ab521cf1ed7191b3ec2f2b08

    SHA256

    aa6eb74abcc0a5a8ac5876c448e8206f33e93f906c88bd576e3d73283664fe28

    SHA512

    2ec7860b91ea35976835ad72cf1eca0cbe9cb30b1a3dc2a689f9f83a0c802a4ec0b425973d23009eca04415b2f05f25ce62944aebe5a9509f7b80ce7160264c2

  • C:\Users\Admin\AppData\Local\Temp\DEME36B.exe

    Filesize

    15KB

    MD5

    bcb5b3937331b1a7e1c249e28d65737e

    SHA1

    bbee3138ec243bca584767cf496ff2484e6e3c51

    SHA256

    4b321816ba5bfc5b139cbe334067c38bb4fb7665f84ed524ca963c5d9e272a57

    SHA512

    c82a5ce2e004c59269e8d5c20517881c165e564f187bec82a77df3a4ff362e1cb5eed40ddfe4b14ab6e103c637c10c2e15d4c6b9c0823d380ce6a845332f8f7a

  • C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe

    Filesize

    15KB

    MD5

    a7ffbdd3dcb0dafb5b6893bc9da45e4f

    SHA1

    2f315379c8e103da6b73210bdd836d825ae097eb

    SHA256

    936af202c73f6e73e0e82540796b3a528f5a000e08aca3ad3fff4843e81558b5

    SHA512

    6a2c6f1bb70ca42d826f36107c733f82ff54a6c701e516e2565c8af8ee6ab14ea649bd0de62986df4cf66bfb635dcb75180f3c5966767762df951e10cfa32564