Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 19:05

General

  • Target

    c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    c04d5d196885ede724a09302c3c24199

  • SHA1

    6f1e43fecc44e77c23f0e94bf14c0af7512c373e

  • SHA256

    9d358b5c6fac7643fda635cf31d2a627a1225c122a6e10c5df6252135168b436

  • SHA512

    f1758b93a3b8b6d38d128fcde88807c86be69808ac6e4a439fa56dc43fe2239f8012ddb231e04165292bab8b6abea9d5e64b1e7501c4f65208acd7b6871e9d38

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwO:hDXWipuE+K3/SSHgx/wO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\DEM13FE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM13FE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Users\Admin\AppData\Local\Temp\DEM695D.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM695D.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Users\Admin\AppData\Local\Temp\DEM692F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM692F.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2100
              • C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe"
                7⤵
                • Executes dropped EXE
                PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe

    Filesize

    15KB

    MD5

    f5ac97f795769a58dc16acff535a43ef

    SHA1

    f611045fad080da2c500c2179c3a186821ff708e

    SHA256

    68e4da9e7232b2ad9011f6e3415d14742a94b88742283affd67ada86627641b2

    SHA512

    d7c34e7704e782a25938b9199fcd49b23830a8bb1b1a1858121447a22e3677d3446d8eece1e8419b7f4da664649631cca6feb0ee5a3d6668957ec88fb837f4b4

  • C:\Users\Admin\AppData\Local\Temp\DEM695D.exe

    Filesize

    15KB

    MD5

    159de1c81269a50cf6f6f29caaab763c

    SHA1

    2431bb92fe2653e67b9806a96d0858371fde3b0e

    SHA256

    9af8a4ba34ec951ec4ee717aef00d1762e642584c7dea10581519a3df1a435f5

    SHA512

    df92f1d57719507d83aaf573a687bba8fed62ed39488547a0087bf3ee3c1a48f14a7b6e847487ef2322a230c3c4c954002d6239b28c4eb0f738349f29164878d

  • C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe

    Filesize

    15KB

    MD5

    8e1301379b96ad061b617111d3c0b5d2

    SHA1

    6e20b6e0abd44d0cbfe17572f7da8b9c19a98d2c

    SHA256

    d14f00167c1cd5525dfeea554f6778e0188288d1f4a858719b5c4ec777095c9c

    SHA512

    ade76baa468457c75dc7749122b89912838dc7d7c529551fb4331a7b16d4415cd6e296fab5c1d5a5f9ea3284c16780f43bcc280abcce182ffb017789fe04bfe7

  • \Users\Admin\AppData\Local\Temp\DEM13FE.exe

    Filesize

    15KB

    MD5

    a5f4f1e435aa48d2f01ccbe420481702

    SHA1

    44ed5073af737c84580256d7e8636afdd9f70da2

    SHA256

    e126ed5946568c3501b05605268110e213b484d8887c88e1d8d0b57d10a8abe9

    SHA512

    d8cd3127721a71e6d3b630c74c8bfa164170eebb72b3a4e190630875e07e763e214d000a9653eef7c3d539d12be708100aa0346293197363ee0a4167bda64c1a

  • \Users\Admin\AppData\Local\Temp\DEM692F.exe

    Filesize

    15KB

    MD5

    463cbb2b7185153e9e49da9311194c03

    SHA1

    9cf4ae5164c287776bb6192dbd2935a9c00d7292

    SHA256

    92353edf82324818b0598f01f38d7a7cba00d09f9c3cda2d5311a086b4eb2d74

    SHA512

    13d5bdafec6c16afbc9c63896f0f7ae24b69e7db9d61daf68360f9f9328c0b7ae703bad098745e7e0220d62fbc1be8da52ee8da3ba1154e2da187caefa9b21d2

  • \Users\Admin\AppData\Local\Temp\DEMBE7F.exe

    Filesize

    15KB

    MD5

    4d0794fedf073deff01f32fca87d8e53

    SHA1

    f9034780d2ee33a37dc6917d7de57fb426054150

    SHA256

    9aebc19ad2e17869fb9afc62e06e6eec1dca4e8fe2707719f84870e65cc53fc4

    SHA512

    63a2bdbe471d36330560f973044dd40d51e3e8e8419259a3e57f61754230a7d7936322f92c1000b65840691d3b0db48d76e75a4b6cf2370f0f4b1cae7cb437d8