Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2024, 10:42

General

  • Target

    1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe

  • Size

    20KB

  • MD5

    1fea9b86854ca0ad9659fb949161780a

  • SHA1

    deea484161c46539ff0fab83957bcb70827a19ae

  • SHA256

    1938427566a51a0bae87831b42282ae67a166a2c6ae81c1795a2d789bead4ef0

  • SHA512

    8b0b273f37be02df018a8956ba2e3d4e6079c5a8c755386fa8636b558828df69673e948726d7d45c00a2c56e1562ad863800cfd9a5ea55ab31466d6424a0f8c1

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41gS:hDXWipuE+K3/SSHgxmHZ1H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Users\Admin\AppData\Local\Temp\DEMBA0C.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBA0C.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Users\Admin\AppData\Local\Temp\DEMF9A.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMF9A.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2316
            • C:\Users\Admin\AppData\Local\Temp\DEM650A.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM650A.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1564
              • C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe"
                7⤵
                • Executes dropped EXE
                PID:2880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe

    Filesize

    20KB

    MD5

    7ac1c796be88871f188ceb2a4032ca41

    SHA1

    734ff6968914528c97559c2d1055e519b4357045

    SHA256

    b3247520aca1c739384c2f561d73c8fbe77ce4ae8caa750167f4b252dfc538a7

    SHA512

    a79a3859e3a021d4b1fc9bcc2413368ccd5583fefaf48f426bb65490b88cedf9a53d7e50a43bfe08e4ea560da4c97078418381bf2cd2a09f7f3b4040b1e88450

  • C:\Users\Admin\AppData\Local\Temp\DEM650A.exe

    Filesize

    20KB

    MD5

    7b0623ecdf7ef9718323ab65caee7690

    SHA1

    24ecac29e37dd07b824a1a76e1595d258c48a1d9

    SHA256

    cc72c8855879d2efbaf8d19bd86fa45dc5fc45be7d514cb9319e4654204244b3

    SHA512

    a54cd58060d201e8afdcb8122a567808faea99ac4c569311699a1079871d7a598dbd062b56049203c9e55872dec1e218456f3747eaf1fa46d4674b25e3be818e

  • C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe

    Filesize

    20KB

    MD5

    c46efcc5be6312e875b27ddf6ac0d5a2

    SHA1

    436b5dd6f740ab4cdfa67b1d85f7e82fa9a5d54b

    SHA256

    f4c3fea9ed01c214c1674c38ced5ca49196f8ad17645f63dc149f108e117b597

    SHA512

    23d249cfaa083e92b4372a7b7ce7094d40cf5e378ba469c14bdac5dcdee17b31e526738a443fb6ca407f0eca614fde9b77923b51a67a3b7a1e417c470797cfb7

  • \Users\Admin\AppData\Local\Temp\DEMBA0C.exe

    Filesize

    20KB

    MD5

    81babbd61216099c6805f3ad26dce1fa

    SHA1

    923fed5efcfbe632a2af7d6661c2144bb65bd8dc

    SHA256

    15df6d01d5a7fcdceafdb10392e73ff985e97a561e9fc1ce19496f3ce408a289

    SHA512

    28b06e48a1b5546118fb485d89fbe020f54e2e81e432be5f3ba6036c18b887b511c65eb2c2d30b5b599ac1212fbec898e9560f60bf4b04dcef21167f236d2c30

  • \Users\Admin\AppData\Local\Temp\DEMF6C.exe

    Filesize

    20KB

    MD5

    ed26a4c18494b4733e5b167e2740380b

    SHA1

    17aa0ac75d646ededfc4f25857d9eac9eca76cbf

    SHA256

    8361e7ea48ba3535a29b29902e4bda8f28b1e305b732cb1113db93551f27afb0

    SHA512

    000cd4edf662e226820600c7dea7d1442994a5be5d884ab4781ec729ca647a2154d3fab8d9e03ccdf67a2cc63d03b1ca879f05e6d5f994fc1ecf7e10d76e3d5d

  • \Users\Admin\AppData\Local\Temp\DEMF9A.exe

    Filesize

    20KB

    MD5

    846211c10a6e7294e2b7bea85a4bdb34

    SHA1

    c5d8215cb004585aba39c504d38573df8dca426e

    SHA256

    a58c41f1c51bbea0b027e17c7fda1ba86578ecbdde917337a83e5048d7163bb5

    SHA512

    26dce07e97d860ac5ad5157542d84b075acd64f7a930878ac910cf50fa38520bb045c437456bdf9e1a611d3cabd2454ac45fbbf6520b0f5e88701f102be821ea