Analysis

  • max time kernel
    134s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 20:24

General

  • Target
    c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
  • Size
    14KB
  • MD5
    c1ec9ea6984f021046382f79f55efdb4
  • SHA1
    c4e8aeeae10b9b8e2eab05ebeb6f508033681e61
  • SHA256
    2f25286a82d3df38025c5c4d37279064c50662a04e7f2f2d860571be55ef854a
  • SHA512
    e5f36c58fc6b84df776ba812af84974b9b9bd02477891f742ace659d188693b158bf760d349d3940959f70649cc42f25cc2b0c4f755dc9543c178178cd477b15
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuE:hDXWipuE+K3/SSHgx3NHHb

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\DEMA812.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA812.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Users\Admin\AppData\Local\Temp\DEM56A8.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM56A8.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Users\Admin\AppData\Local\Temp\DEMADDC.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMADDC.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1884
            • C:\Users\Admin\AppData\Local\Temp\DEM55E.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM55E.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1124
              • C:\Users\Admin\AppData\Local\Temp\DEM5C43.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM5C43.exe"
                7⤵
                • Executes dropped EXE
                PID:2368

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe
    Filesize: 14KB
    MD5: ccedd13eaa1d6c6170f874a614dd48ed
    SHA1: a68cf9ec3465e60d4d987f0ece302ecf93ed2113
    SHA256: f5090e957979d444ee6a25020678876e8def3684de0454c74e1878fc72d44d6b
    SHA512: 337905c1502f095c712cfb5b80ea2497caf66ab9a7ddbadc0585a2ee817399d8fdfbe78c03a272b126927ca8edbfd3e88e3338ffa453568c44fb8af5016edc12

  • \Users\Admin\AppData\Local\Temp\DEM55E.exe
    Filesize: 14KB
    MD5: f8723f00740d22c440fd951aa868de30
    SHA1: a3fa066b47cd61fdf5000ff1d16721cc0af9eb70
    SHA256: beaa29b6b0a58effacac18d89bdc66bc5873a017be90db57ef1f610f7cf68514
    SHA512: e1a0af15e4c3509d4007a6e606ae48840ff559830df15636fda55a750323e1a9fe0a9fb50ed2f6036c7827929680343a6165cec2cc0d1ea140a53c09f862406f

  • \Users\Admin\AppData\Local\Temp\DEM56A8.exe
    Filesize: 14KB
    MD5: 0575b08abdd20497ffb35fc927f9550e
    SHA1: e75cdc3c31c693a7ac2e8f95f9fd256b70039323
    SHA256: 479fc7010564236f4c335e743c8cb36d360d23d991d708620179af4b53fa234e
    SHA512: e20a673fb6a35fa4556217c96022635a05f147d1bdb84ab9afe7f0d38c820efacc19c9f34ce8d40b11a703bec9122c7c17e50db595e8415940fca5a78fb4b55b

  • \Users\Admin\AppData\Local\Temp\DEM5C43.exe
    Filesize: 14KB
    MD5: 11e3b6ef312d3d69ee81841e30c69d8d
    SHA1: ea429d89d85317271e56079a10b62c68f46fc0c2
    SHA256: 993adfcfd3b47b827fe8204969e7cb494c1341528601789916b9df769d2ef410
    SHA512: 6d7097a460a3989837ad3d022407c9bbcf7deade793538d06b33e88143ebddf7ebdd599a1492f5c5abbea7303975c538df8196497ac73b635324c4edc0f0dab6

  • \Users\Admin\AppData\Local\Temp\DEMA812.exe
    Filesize: 14KB
    MD5: 718fe4d25950da0721e3eeb73a808d4f
    SHA1: 64993305be71d2626a90bb56eba9422869cf37de
    SHA256: 337a79f5ef3fdb7663ed22f9bf2eb785870a2f8e3dd62fa313bfbb5c9554cee1
    SHA512: 30c244c3078b384a94073abee1a69d7354b8f57ae8c1ec9f281947a99ad46ef1f7c86b81b05ecf5351f00ccb6a13265aef95c7f6e487ef7c527d5113abed545c

  • \Users\Admin\AppData\Local\Temp\DEMADDC.exe
    Filesize: 14KB
    MD5: 94d2a19c30675715de0623a63a24cd6c
    SHA1: 13b2a6be529548771f8fd83ea5e919a2a150c478
    SHA256: 2b944fa81eaacfcdf6f7467e19f6a0a5f5c249f0bf0fe358c35d98dbe8bace54
    SHA512: 6e7259f1fbe323bfa54289332d927f4ea7e759b5911eea2b959ee82f2aec54598c9c07330d1ab104c9ed4ab04fc5e676a5f75ee8c1c926612c2d281512490e44