Analysis

  • max time kernel
    140s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2024, 07:08

General

  • Target

    1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    1bc5ac86fe53c6ef51a763c704eb36b6

  • SHA1

    6409c5d206f6851829895c0887e5e85b7433c706

  • SHA256

    fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43

  • SHA512

    f8ee14d99f71161e38032e2dbe4e4b55e18bf38d7c1dadb00d5cc61886b0bc054bc9a74b43f5913bdcd8114f37ce6a6cf34039b00321c2ed316c5ac8d7eac377

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBmSN:hDXWipuE+K3/SSHgxmMISN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Users\Admin\AppData\Local\Temp\DEMB941.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB941.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Users\Admin\AppData\Local\Temp\DEM6623.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6623.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1260
              • C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe"
                7⤵
                • Executes dropped EXE
                PID:628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEMB941.exe

    Filesize

    15KB

    MD5

    d25b92baa547b1282ce2a3a759c40420

    SHA1

    05333c9efe9660af2ab45dc6f3be5b77219a6be1

    SHA256

    ef26550cbcfbdcb86fb5e573f1de7c0766f210fbd93357fc2ac46426430793bd

    SHA512

    95f49c882f13b7aabe28b376eadd1e62dd79592777543b9520cf32c72db0d196856b70f80431093c875d8c17f581419fb29a96c39758ea0e618f868a9e54bd4d

  • C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe

    Filesize

    15KB

    MD5

    886eb9174bd70e7a46e4089da5476477

    SHA1

    d86042873f0cd93c47c378a84bf22002d8cd7bc1

    SHA256

    ab623e2542c51a632ea590ca33d36493f71afc43622ff9c6c0441d5c157b40cb

    SHA512

    eeeeaf23ecb493798c55cea5ab58d1555bcd26d7171a177ee09f7c25d625845bd762f22f3b3902977fc3b2282a632d6ee5d2cf77933be2983020d084ccbd9500

  • \Users\Admin\AppData\Local\Temp\DEM12A6.exe

    Filesize

    15KB

    MD5

    a2e21c044d4491250acb56959a2ef7cf

    SHA1

    3398265ca50f5d3b46f00c8e4469e167c3ba8900

    SHA256

    e0cd83e5dba09d0ac2eda17622e7d44c01228570c03835e41e34094cc03e510f

    SHA512

    4fb52c316a0c032137ba67e649a313d1c49384adbabd652f27c7336098e6b12f05bbfb68021dd55b89633b75c8b543d7046318ae826d8a25ecaddf79a847611e

  • \Users\Admin\AppData\Local\Temp\DEM60F4.exe

    Filesize

    15KB

    MD5

    2fb4f35b79b82b8f7514abef7cbffbe3

    SHA1

    e9229195b97db2935725c1b1d9b1337afb57dbfa

    SHA256

    7b2fcc66bce0c8f3c342a6f0e63d50b376edf2955fd7ec5e04011498790a1df5

    SHA512

    cdf8cf780583877f4a876974acbf929abb4cda7f9c8c4674a1e9f83947f2f79fab1357ee3952515a798e00df857a8f370d6b62698bd1744a4e79aadd292293a1

  • \Users\Admin\AppData\Local\Temp\DEM6623.exe

    Filesize

    15KB

    MD5

    1b02cb146c4a5591327e2aa4de4d818e

    SHA1

    931631b80f2de067a389f85b004afc3e64358487

    SHA256

    5738b999079bee39c9595ddd621a4f6bcaf1f5fdeb2fbd12c63e45fa22cea452

    SHA512

    4af4863ae4680e6e70210cf2aeda2ba898f80f766a6444659f2072d4c717c33cb4fe56a32528abcc8b7d891dbcca2291131d94462ec9bbd6d9894813e5841035

  • \Users\Admin\AppData\Local\Temp\DEMF8B.exe

    Filesize

    15KB

    MD5

    27a196665c15508c5975557dbf0f6a1a

    SHA1

    2489c7e9cf57dae739834063e271c4e79230b549

    SHA256

    cc4ce2a5eaa6119cc53ed715340cfcd53208ea993a214c9370c918df20626858

    SHA512

    d7bbbe8618c5afc974ecac7a1b7f1672931f30191a9a29df6ac82f493115f9a09279dda52d60aa7367a581ff698b63ef0b098d8c8d7a3c6ef20181a8caf46cc0