Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2024, 05:29

General

  • Target

    19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    19b4c2c33fe685ae8d5f5d3be7d4b2a5

  • SHA1

    a578431f8271239a44b588320ddd572bf7900899

  • SHA256

    f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca

  • SHA512

    3f71789414eb8cfc00ac1b42710162d826128a6d9c5a4867f7078771269e0638713febf0084ab4cc9bd95cce502fc9d32bfbf5f9dea0fc342b3291e948940e63

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8unV:hDXWipuE+K3/SSHgxm8y

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\DEM7501.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7501.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\DEM2611.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM2611.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4836
            • C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4292
              • C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe"
                7⤵
                • Executes dropped EXE
                PID:3664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2611.exe

    Filesize

    15KB

    MD5

    3759cbdd0da6792866eca002e557b9d3

    SHA1

    94ce82e4cbd5e909b38f83710df996c1201cb312

    SHA256

    ef8ef52eb6935020ff1e912914ef9a5ad5f27d3f969c17e055ee777b697dae92

    SHA512

    1bf2e435864cf2e8d71a8698d8f64c0f1ca536d97b60490c4fa5151c3aa94274cc63e7988e8536120fd0afbcffffce6a0f9c72b822450ddc766d0bccad53ba8a

  • C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe

    Filesize

    15KB

    MD5

    f610acb9f031530a9ff85c085a93098b

    SHA1

    eea35a525cb3d7fac2c13d08fe3f9b544c1ae1d1

    SHA256

    f44608fe63e5552f3fcf467a3b3083782934640d05da05a803cd2bb4d164883c

    SHA512

    3a86c43c53d0c4c841774248caf9bf15ee8b1fece8c71b1c880eb5fd90fe76d473144c06e49e9fd9b61b1322f43be97b7ead8c0a72a46e64195da3fa550bba1a

  • C:\Users\Admin\AppData\Local\Temp\DEM7501.exe

    Filesize

    15KB

    MD5

    ada4f2b543f8173742496075dcfea1ca

    SHA1

    38b737c12105588982624ab0ad8474db88e54f63

    SHA256

    ed75675da565c40b59e4e036b4a10bee0a573fd11ce599378e445f598c30a9d4

    SHA512

    ee81d301aab5f1a4394d158f87e8dd5f40a97357626102f3b7f6e04a372c2dab5cc5c59f001a58508104d5e501cd0495bf42d096bdb1331d770ad9fa87deeae2

  • C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe

    Filesize

    15KB

    MD5

    39e31a1a57eaa191f656f15ea66b1d64

    SHA1

    13d6930a68de7d2c68f17e519846fda1b677f47d

    SHA256

    de5fa97ba79b9aaf1df3f7fcb1996b25531ef4ae8f8f07859f83449d568341be

    SHA512

    d0b3d0b7563408f19b40753c1978b200bc572eb28acfd52f8771b2d5aaaf46865f9754d7573a1aa4125a5ad0756c262ffcdd9e103e4baa1b65a8b37d08ad7fd2

  • C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe

    Filesize

    15KB

    MD5

    ab5fc3e6679ddf5a099d4673688ef647

    SHA1

    588d39faa8a500d4870868634ab98436d86ac228

    SHA256

    cd56c54ee76c36d76e41bbda9b7e6083ba74f1fbe4b9ef952c9a633fa9b20fa8

    SHA512

    6d83014b9793d40e9967d6cbc6862f1e0474e7b9b526503e395b9e522eb9310bb9b5ed0d04db52b69d0023694bad6d7b3f891993da946d828be74e1bcb35a004

  • C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe

    Filesize

    15KB

    MD5

    2d22ab12f09860838bd92330ee814ede

    SHA1

    f741bf0e11a33865ac00ee9762b493a1dc4c36f5

    SHA256

    6e6c6f7d93205c579daf1e86f9d60680f67b1edcbfd6388a8ef6d15901cdc4f8

    SHA512

    3bc41c7e80ee0def369070f28fed62b1789e88f2a105db893d82c07c84a170510abe5463f00ed4fd061e1cda04b1155d4bc2aee5e61529aa4ba8b29d468dc184
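A small triage helper, added here as an example and not part of the tria.ge report or of the sample's own code. It rebuilds the seven-stage chain from the process tree above, checks that every child stage is a freshly dropped DEM<hex4>.exe in the user's Temp directory, and confirms that each stage's SHA-256 (taken from the General and Downloads sections) is distinct, which is what makes hash-based blocking of one stage useless against the next hop. The record layout (pid, parent pid, image path), the Temp path constant and the DEM-name regular expression (generalised from the six dropped names on this page) are assumptions of this example; the PIDs, paths and hashes are the report's.

```python
"""Reconstruct and score the dropper chain from a sandbox process tree.

Added example, not code from tria.ge or from the sample. The process
records and SHA-256 values are copied from the report; the record layout
(pid, parent pid, image path), TEMP_DIR and the DEM<4 hex>.exe pattern are
this example's own assumptions.
"""
import re
from collections import defaultdict

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, parent pid, image path) for every process in the report's tree.
PROCESSES = [
    (1884, None, TEMP_DIR + r"\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe"),
    (3176, 1884, TEMP_DIR + r"\DEM7501.exe"),
    (2268, 3176, TEMP_DIR + r"\DEMCE0E.exe"),
    (1348, 2268, TEMP_DIR + r"\DEM2611.exe"),
    (4836, 1348, TEMP_DIR + r"\DEM7D97.exe"),
    (4292, 4836, TEMP_DIR + r"\DEMD55C.exe"),
    (3664, 4292, TEMP_DIR + r"\DEM2F53.exe"),
]

# SHA-256 per image path: the submitted sample from "General", the rest
# from "Downloads".
SHA256 = {
    TEMP_DIR + r"\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe":
        "f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca",
    TEMP_DIR + r"\DEM7501.exe": "ed75675da565c40b59e4e036b4a10bee0a573fd11ce599378e445f598c30a9d4",
    TEMP_DIR + r"\DEMCE0E.exe": "cd56c54ee76c36d76e41bbda9b7e6083ba74f1fbe4b9ef952c9a633fa9b20fa8",
    TEMP_DIR + r"\DEM2611.exe": "ef8ef52eb6935020ff1e912914ef9a5ad5f27d3f969c17e055ee777b697dae92",
    TEMP_DIR + r"\DEM7D97.exe": "de5fa97ba79b9aaf1df3f7fcb1996b25531ef4ae8f8f07859f83449d568341be",
    TEMP_DIR + r"\DEMD55C.exe": "6e6c6f7d93205c579daf1e86f9d60680f67b1edcbfd6388a8ef6d15901cdc4f8",
    TEMP_DIR + r"\DEM2F53.exe": "f44608fe63e5552f3fcf467a3b3083782934640d05da05a803cd2bb4d164883c",
}

# Assumed naming pattern of the dropped stages: "DEM" + four hex digits + ".exe".
DROPPED_NAME = re.compile(r"^DEM[0-9A-F]{4}\.exe$", re.IGNORECASE)


def longest_chain(procs):
    """Return the longest root-to-leaf list of pids in the process tree."""
    children = defaultdict(list)
    roots = []
    for pid, ppid, _ in procs:
        if ppid is None:
            roots.append(pid)
        else:
            children[ppid].append(pid)

    best = []

    def walk(pid, path):
        nonlocal best
        path = path + [pid]
        if not children[pid] and len(path) > len(best):
            best = path
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return best


def is_temp_dropper(image):
    """True if the image lives in TEMP_DIR and its name matches DEM<hex4>.exe."""
    directory, _, name = image.rpartition("\\")
    return directory.lower() == TEMP_DIR.lower() and DROPPED_NAME.match(name) is not None


def analyse(procs, sha256):
    """Summarise the chain: its depth, how many stages are fresh Temp droppers,
    and whether every stage carries a distinct hash (re-generated per hop)."""
    images = {pid: image for pid, _, image in procs}
    chain = longest_chain(procs)
    stages = [images[pid] for pid in chain]
    dropped = [img for img in stages[1:] if is_temp_dropper(img)]
    hashes = [sha256[img] for img in stages if img in sha256]
    return {
        "depth": len(chain),
        "dropped_stages": len(dropped),
        "every_child_is_temp_dropper": len(dropped) == len(stages) - 1,
        "unique_hashes": len(set(hashes)),
        "hashes_all_distinct": len(set(hashes)) == len(hashes),
    }


if __name__ == "__main__":
    for key, value in analyse(PROCESSES, SHA256).items():
        print(f"{key}: {value}")
```

On this report the helper reports a depth of 7, six dropped stages that all sit in Temp under the DEM pattern, and seven distinct SHA-256 values for seven 15KB files, so a detection should key on the parent-child pattern (an executable in Temp spawning a DEM<hex4>.exe in Temp) rather than on any one file hash.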