Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2024, 18:23

General

  • Target

    2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    2970e1c26ef472285f0888308b7f6e73

  • SHA1

    86953b3e9291f7a4585eef2e843055e2e2274744

  • SHA256

    5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94

  • SHA512

    87d7b25afc5c768092f5d6d0b99f9b10d56a2b696c29c9a9f3a78a1dad51901415652cc3b2edf2ab3e348af3a1b4d29f596b8c1f4e669639e2d42ed2e9f539aa

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlt:hDXWipuE+K3/SSHgxmlt

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\DEM14D8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM14D8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Local\Temp\DEMBF88.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBF88.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2028
              • C:\Users\Admin\AppData\Local\Temp\DEMBF78.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBF78.exe"
                7⤵
                • Executes dropped EXE
                PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe

    Filesize

    16KB

    MD5

    c9ce4894afe6f2a3e0fe4222ac0eafe7

    SHA1

    84524afe933a2ada35ca0d00eb41d9ef60b2b58b

    SHA256

    241980fac3e48b2467e05ec4e8e05593787023ca08efdf0ce8caf4d0a7b92ea1

    SHA512

    d0f8fa81cdfdacbb106122150b45d80f3aa7680080290433ebd7ee4b15ecca84f820b32186bd9a381d0fb20a7947e5821c0cfe5151719f2858aa1df805270338

  • \Users\Admin\AppData\Local\Temp\DEM14D8.exe

    Filesize

    16KB

    MD5

    5bbdc26b1335f8f083b330881dc1c21b

    SHA1

    1536c60563c9672273e2234ff8ae3ba99fba5a74

    SHA256

    280f025dc67d1d1106217970188b91cbb8fafe8853455b388d3a8ef1218dda7d

    SHA512

    ed3a88e06d590c92803c45997cc4ce1c1e8a2b11aed7c194aabb56232e7495840c7430749614260a3d35859ade66deef4d137651903c92a68bbd1bdc26e67c37

  • \Users\Admin\AppData\Local\Temp\DEM14E8.exe

    Filesize

    16KB

    MD5

    da73d44da5d930ecbb2d522da0ebb708

    SHA1

    49a5c268177a11dfbb47d73196243946b04f36cd

    SHA256

    718a7cb39f0198df0254fdfad22ac870b740c91f5a425d7163dfe8c71630bb3c

    SHA512

    5191fd448edbffd90fbe0891a14191c0512133738353db713e672784801f810fb007e32244f7f3b36380ecfe7902809db90d0510c53d89f74c92cfc2631fad95

  • \Users\Admin\AppData\Local\Temp\DEM6A47.exe

    Filesize

    16KB

    MD5

    0dd071466f9bb82f1b174afa02b0a52b

    SHA1

    26f0bc15c7b9384fbd82ef04ca8168b95d18ebf7

    SHA256

    89b6590da677bc6c22af90c0aea80ca8ececac8fe5bba0a50edd7f0ee1c0d8b0

    SHA512

    4d509132ad6df93355d4e802f7816a9b0c57ad5ad35a4c7d842c2829e0142e0ff728699dcdbb300bf98a18fc942e9d66d1d241c862367f17358e57ce53074976

  • \Users\Admin\AppData\Local\Temp\DEMBF78.exe

    Filesize

    16KB

    MD5

    88c23a75242bebb58649af5a83ac8274

    SHA1

    387f1d8c2687f7c85898638c39499a7b1e41db7f

    SHA256

    98b153a6c5d9ca370d2fb4172b818dc4d18ac806b45811bf29576a54ece12177

    SHA512

    e7c0e9714c756d031b884d83c77bd7081da11ec61fd24af990f1efe118d952e1a644d9cb61f7dd3a28679d8a2a087d248a3a29b157ff3c2fed5a09c66774979f

  • \Users\Admin\AppData\Local\Temp\DEMBF88.exe

    Filesize

    16KB

    MD5

    614f2609e6f75a6d37fd42a2483350dd

    SHA1

    d639ea3d1936f1b9c25e80456594351242a0a9ad

    SHA256

    c4c9101a8b3ffbfbab99318f35c57abdc72536d3eba27b3c1508dfecbef7cece

    SHA512

    6a6c2f9c0ac8df2785e74ddea20e9f977dc73acbac6a735c8dd91ba4b11754891da05913ddd92d592fe79753d39bf47c5c1c139f1191d00b9ff8527f32ab05c5